njrat | 5d77954b4c3d9502276ef66cde1a3e173cb80de4d67752bbb68053c901b471eb | Triage

Sharing

General

Target

5d77954b4c3d9502276ef66cde1a3e173cb80de4d67752bbb68053c901b471eb
Size

23KB
Sample

220731-3cks1scfd9
MD5

2387a59ea2fd012660f4309403719829
SHA1

ba40a222616da48b91b65250e257ca3cd58ac7b3
SHA256

5d77954b4c3d9502276ef66cde1a3e173cb80de4d67752bbb68053c901b471eb
SHA512

caa43c0934955c06d0774cdfcb84badaaa5991063760c580d36383999d93873e07197a9b4cad8986136d18b3ea8c4f8afcb341bc3a6116a85ef6adc7d92dbe74

Score

10^/10

njrat hacked evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

127.0.0.1:1177

Mutex

a47829835e21230213cd017c2b4b3e4f

Attributes

reg_key
a47829835e21230213cd017c2b4b3e4f
splitter
|'|'|

Targets

- Target
  
  5d77954b4c3d9502276ef66cde1a3e173cb80de4d67752bbb68053c901b471eb
- Size
  
  23KB
- MD5
  
  2387a59ea2fd012660f4309403719829
- SHA1
  
  ba40a222616da48b91b65250e257ca3cd58ac7b3
- SHA256
  
  5d77954b4c3d9502276ef66cde1a3e173cb80de4d67752bbb68053c901b471eb
- SHA512
  
  caa43c0934955c06d0774cdfcb84badaaa5991063760c580d36383999d93873e07197a9b4cad8986136d18b3ea8c4f8afcb341bc3a6116a85ef6adc7d92dbe74
Score

10^/10

njrat hacked evasion persistence trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

njrathackedevasionpersistencetrojan

behavioral2

njrathackedevasionpersistencetrojan