njrat | ae65e1d43dc79fba514c715b37f058e20a99d479663034f3eabbd6614ba7d6b0 | Triage

Sharing

General

Target

7837626121.zip
Size

879B
Sample

220809-xnv58sgcf7
MD5

5a830c2c72088e275e17f2699e37b53c
SHA1

f169de8e31e930a581d6b00e9fa88b8f1ec242f1
SHA256

ae65e1d43dc79fba514c715b37f058e20a99d479663034f3eabbd6614ba7d6b0
SHA512

a30cb372b5cef7f3fa22c166cb7b1b88ec0a7dbb8e738fcc11a4b81aed7c46ec36b6b2f12c9fc52c3a040e86b71b73c2d51616c2f12dd6aeff696aac95b54355

Score

10^/10

njrat hacked evasion persistence trojan

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

https://tradeguru.com.pk/enc1

Extracted

Family

njrat

Version

1.9

Botnet

HacKed

Mutex

Microsoft.Exe

Attributes

reg_key
Microsoft.Exe

Targets

- Target
  
  LIYDOERWQPOKERHAVAXOCI.vbs
- Size
  
  1KB
- MD5
  
  733afa01e2447e2fcafcf4f224a1a4a7
- SHA1
  
  fcb94d8e29aa8bb802104a6ea49f7e715bea7031
- SHA256
  
  00eb25d6c95f74f9c7caded04eca76fa2a03e280448af51c1108b75b2709909a
- SHA512
  
  42658d2f4cbb0a75c49434644078ad5291995b415481186a66aad1fd31a3013002e6f753093f81c4d8022a7811b199e2b66270c4017a928f6bf9df72d0334948
Score

10^/10

njrat hacked evasion persistence trojan
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Blocklisted process makes network request
- Modifies Windows Firewall
  evasion
- Registers COM server for autorun
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

njrathackedevasionpersistencetrojan