njrat | f51a5cae5ba517e14fa1f0afbc607982c909a2945208ca8a6c2fb9930d4ad848 | Triage

Sharing

General

Target

f51a5cae5ba517e14fa1f0afbc607982c909a2945208ca8a6c2fb9930d4ad848
Size

29KB
Sample

220731-f1lc5abdbk
MD5

56b48e11484f9de5271ec5b299fdb2f8
SHA1

ee065c111bc8bf007a2f0a34db37436f1c530968
SHA256

f51a5cae5ba517e14fa1f0afbc607982c909a2945208ca8a6c2fb9930d4ad848
SHA512

dff379f4ca929dece1b9360dc02e890970c1e00a00e6c8ca5506c3e2bf0060a3f627905204a2dab715758e07328b53313b830e903d556eee5a10978203846d94

Score

10^/10

njrat hacked evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

HacKed

C2

ddas.ddns.net:2700

Mutex

664661b4c81638bcf0bec04457373cd7

Attributes

reg_key
664661b4c81638bcf0bec04457373cd7
splitter
|'|'|

Targets

- Target
  
  f51a5cae5ba517e14fa1f0afbc607982c909a2945208ca8a6c2fb9930d4ad848
- Size
  
  29KB
- MD5
  
  56b48e11484f9de5271ec5b299fdb2f8
- SHA1
  
  ee065c111bc8bf007a2f0a34db37436f1c530968
- SHA256
  
  f51a5cae5ba517e14fa1f0afbc607982c909a2945208ca8a6c2fb9930d4ad848
- SHA512
  
  dff379f4ca929dece1b9360dc02e890970c1e00a00e6c8ca5506c3e2bf0060a3f627905204a2dab715758e07328b53313b830e903d556eee5a10978203846d94
Score

10^/10

njrat hacked evasion persistence trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

njrathackedevasionpersistencetrojan

behavioral2

njrathackedevasionpersistencetrojan