njrat | 69cfac4e13c63eb0cbeaad0a395102f4e54bf6712d80838bdd012385c6fb617d | Triage

Sharing

General

Target

26dc605946143f14420cb2213b006b2f.exe
Size

431KB
Sample

220726-znw4mseaen
MD5

26dc605946143f14420cb2213b006b2f
SHA1

bffb892c1ac0db6e60a06e835decf5267f42bdbc
SHA256

69cfac4e13c63eb0cbeaad0a395102f4e54bf6712d80838bdd012385c6fb617d
SHA512

4bddb6ab653b860c4b8f3b8e17f3f1d510e8d32145b49d6466854a90c9691997881326f2b2e84485fd8f3026c15d8e743ae8a32cf29053d3800cb2a1a17ad29b

Score

10^/10

njrat hacked evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

easralahtane.ddns.net:3973

Mutex

4c1e56ee7374309d8fa12b913734d668

Attributes

reg_key
4c1e56ee7374309d8fa12b913734d668
splitter
|'|'|

Targets

- Target
  
  26dc605946143f14420cb2213b006b2f.exe
- Size
  
  431KB
- MD5
  
  26dc605946143f14420cb2213b006b2f
- SHA1
  
  bffb892c1ac0db6e60a06e835decf5267f42bdbc
- SHA256
  
  69cfac4e13c63eb0cbeaad0a395102f4e54bf6712d80838bdd012385c6fb617d
- SHA512
  
  4bddb6ab653b860c4b8f3b8e17f3f1d510e8d32145b49d6466854a90c9691997881326f2b2e84485fd8f3026c15d8e743ae8a32cf29053d3800cb2a1a17ad29b
Score

10^/10

njrat hacked evasion persistence trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

njrathackedevasionpersistencetrojan

behavioral2

njratevasionpersistencetrojan