njrat | 7e2b18922467014df87db3d500b6b41ce7d5c16d82cbcd2cb9c089acb4f5c507 | Triage

Sharing

General

Target

7839746120.zip
Size

883B
Sample

220809-xng9dagce3
MD5

4425864a70b8e8b37f509564e5aa46e0
SHA1

9c37b2f2d5cdd3da0712dd46d0c244bfe3fef1aa
SHA256

7e2b18922467014df87db3d500b6b41ce7d5c16d82cbcd2cb9c089acb4f5c507
SHA512

d7e1c1ab1820a2d9e0f645f3325a59f7a8080b99c4dda0fa526ca6472607f737527ab2c6c1013b484007db6bb9fd6a6b43903deeb6bb1f1dfc951cd5b868686d

Score

10^/10

njrat hacked evasion persistence trojan

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

https://tradeguru.com.pk/enc.txt

Extracted

Family

njrat

Version

1.9

Botnet

HacKed

Mutex

Microsoft.Exe

Attributes

reg_key
Microsoft.Exe

Targets

- Target
  
  LIYDOERWQPOKERHAVAXOCI.vbs
- Size
  
  1KB
- MD5
  
  7fa6c86604b4b5706beac109127af386
- SHA1
  
  aeac233400b02928f3a025a740bcfd6e2f85cd8a
- SHA256
  
  04d8d89df7a3ebe9d24b4635b6f4760e81465d672cb9f010e020b336b2d811ec
- SHA512
  
  e79fe1be4f96e06da8f60e7bb486e854bbf66509c637f08734771cc6a26a8051a281f8e484145252cd2e90d7196175761ad14f4cf00122ae9431a330ba189330
Score

10^/10

njrat hacked evasion persistence trojan
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Blocklisted process makes network request
- Modifies Windows Firewall
  evasion
- Registers COM server for autorun
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

njrathackedevasionpersistencetrojan