njrat | e9bf3fc00ed911d03f986e4ee8bc199835d75b2772c4089351a3e81f6a723558 | Triage

Sharing

General

Target

56a93141da5e548bbb1b51d75c1c6eb4.exe
Size

37KB
Sample

220730-2ehk1abad2
MD5

56a93141da5e548bbb1b51d75c1c6eb4
SHA1

220b3777cd9a82fb7ec3df41fe5671afbbff48e5
SHA256

e9bf3fc00ed911d03f986e4ee8bc199835d75b2772c4089351a3e81f6a723558
SHA512

48829aed487046290e28ab2e1e6db0f2084721e7fbf4766d148f17531dcca5fbc0e63cfdfbd9d9574a7c551320eb488e130be2f2776138abde7901bed5227abd

Score

10^/10

njrat hacked evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

HacKed

C2

6.tcp.eu.ngrok.io:12180

Mutex

27a24c123d1e61d690116d6e2ecb6791

Attributes

reg_key
27a24c123d1e61d690116d6e2ecb6791
splitter
|'|'|

Targets

- Target
  
  56a93141da5e548bbb1b51d75c1c6eb4.exe
- Size
  
  37KB
- MD5
  
  56a93141da5e548bbb1b51d75c1c6eb4
- SHA1
  
  220b3777cd9a82fb7ec3df41fe5671afbbff48e5
- SHA256
  
  e9bf3fc00ed911d03f986e4ee8bc199835d75b2772c4089351a3e81f6a723558
- SHA512
  
  48829aed487046290e28ab2e1e6db0f2084721e7fbf4766d148f17531dcca5fbc0e63cfdfbd9d9574a7c551320eb488e130be2f2776138abde7901bed5227abd
Score

10^/10

njrat hacked evasion persistence trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

njrathackedevasionpersistencetrojan

behavioral2

njrathackedevasionpersistencetrojan