njrat | 73e63871a24f0b98e5096aa8f568e8e0d761b82926cba894d1be631f95f2a0c4 | Triage

Sharing

General

Target

1476-56-0x00000000006C0000-0x00000000006CC000-memory.dmp
Size

48KB
Sample

220726-zqsh8seafl
MD5

6de2929b7b7222f71855fbe910cf307b
SHA1

40b5ea79764da3d2b7e04b9ecde4239b8a431bc8
SHA256

73e63871a24f0b98e5096aa8f568e8e0d761b82926cba894d1be631f95f2a0c4
SHA512

d5a7663f30536bd7d2757e867c362b574b1dae6ed2bea127991a391ce8e69fc246f2d0d4b183e0e0acc84c666b1498d518470d36049c5e9a092ca18bd0b7dbd9

Score

10^/10

njrat hacked evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

easralahtane.ddns.net:3973

Mutex

4c1e56ee7374309d8fa12b913734d668

Attributes

reg_key
4c1e56ee7374309d8fa12b913734d668
splitter
|'|'|

Targets

- Target
  
  1476-56-0x00000000006C0000-0x00000000006CC000-memory.dmp
- Size
  
  48KB
- MD5
  
  6de2929b7b7222f71855fbe910cf307b
- SHA1
  
  40b5ea79764da3d2b7e04b9ecde4239b8a431bc8
- SHA256
  
  73e63871a24f0b98e5096aa8f568e8e0d761b82926cba894d1be631f95f2a0c4
- SHA512
  
  d5a7663f30536bd7d2757e867c362b574b1dae6ed2bea127991a391ce8e69fc246f2d0d4b183e0e0acc84c666b1498d518470d36049c5e9a092ca18bd0b7dbd9
Score

10^/10

njrat hacked evasion persistence trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njrathackedevasionpersistencetrojan

behavioral2

njrathackedevasionpersistencetrojan