njrat | d014ba574b1546b47f9a03a844272cf994f024957707ec4ccac144d0dfdfe9bf | Triage

Sharing

General

Target

7805376166.zip
Size

880B
Sample

220809-xn6xqseffp
MD5

f80df01f560d632d59da10d8bf5b4444
SHA1

184e5afb4ddeecba6e6dcc7b5059c73b347a492c
SHA256

d014ba574b1546b47f9a03a844272cf994f024957707ec4ccac144d0dfdfe9bf
SHA512

7f58282bca4f42121109eac33ecfca3c9c8a8cbb0cf0f65ab0d5f684e4159b9e5feaa76076df2453059a9b29f4163002259c35450c0915d4a29bcc329ec2575d

Score

10^/10

njrat hacked evasion persistence trojan

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

https://tradeguru.com.pk/enc3.txt

Extracted

Family

njrat

Version

1.9

Botnet

HacKed

Mutex

Microsoft.Exe

Attributes

reg_key
Microsoft.Exe

Targets

- Target
  
  ZURLRYOHRJILYWHHLBXSQO.vbs
- Size
  
  1KB
- MD5
  
  5f15ed0b10945b58f1d89fd89e7816a2
- SHA1
  
  0912be608b29f1bb905f9758e5b791f43531fc3b
- SHA256
  
  b529175e6e3cd7badb222d3a863d034241489835759f9557d8e8aae52e562706
- SHA512
  
  3e92fc68eb3de3dd8373842c8f4566323299803425ff8a80764f40f762a0680b5d30aeabb9f7a3efb189ebd3c0594ca7c4292a3e26836955db81ad260a144cae
Score

10^/10

njrat hacked evasion persistence trojan
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Blocklisted process makes network request
- Modifies Windows Firewall
  evasion
- Registers COM server for autorun
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

njrathackedevasionpersistencetrojan