njrat | faa2e37de4a92178dfcc4d7966f1482f32755963736a964568e6d855f054eefb | Triage

Sharing

General

Target

2cf3ef9b4b6aff5b4fa53dd9a61e77fd.exe
Size

37KB
Sample

220729-gnbhtsefh3
MD5

2cf3ef9b4b6aff5b4fa53dd9a61e77fd
SHA1

b19d77793f0410c6b8fb044e573ebbfa4e9ba6f1
SHA256

faa2e37de4a92178dfcc4d7966f1482f32755963736a964568e6d855f054eefb
SHA512

5a3233ca3e8dc3a886addd8acda04ca0337e1a43760a617dc690f1b3851ef684acf51132cd07e548e566dc9c170bdd5cad48182d2bc525b6f41e231f4e19ad02

Score

10^/10

njrat hacked evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

HacKed

C2

2.tcp.eu.ngrok.io:16632

Mutex

f635a65108320f6738abf7ac7c96edbf

Attributes

reg_key
f635a65108320f6738abf7ac7c96edbf
splitter
|'|'|

Targets

- Target
  
  2cf3ef9b4b6aff5b4fa53dd9a61e77fd.exe
- Size
  
  37KB
- MD5
  
  2cf3ef9b4b6aff5b4fa53dd9a61e77fd
- SHA1
  
  b19d77793f0410c6b8fb044e573ebbfa4e9ba6f1
- SHA256
  
  faa2e37de4a92178dfcc4d7966f1482f32755963736a964568e6d855f054eefb
- SHA512
  
  5a3233ca3e8dc3a886addd8acda04ca0337e1a43760a617dc690f1b3851ef684acf51132cd07e548e566dc9c170bdd5cad48182d2bc525b6f41e231f4e19ad02
Score

10^/10

njrat hacked evasion persistence trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

njrathackedevasionpersistencetrojan

behavioral2

njrathackedevasionpersistencetrojan