njrat | 41a306a197179294435fa744d946f94cea575a2bb2a415a2efa5f564c9017149 | Triage

Sharing

General

Target

Aug.9.2022.zip
Size

3KB
Sample

220809-xw51eagdf4
MD5

064c6056360de874f86786fab95dd539
SHA1

6e8d0b1c33a2af5c9e7b16fa06e151ac00b31971
SHA256

41a306a197179294435fa744d946f94cea575a2bb2a415a2efa5f564c9017149
SHA512

1d04ed3655a746c85631a50d2d36d6e71dabba6f42f8f8a77e140d092d9bdc8d07e7b7a1cfee8387664d3928fdc5af2a8f4d0eeeff09712339ec7f21636b5796

Score

10^/10

njrat hacked evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

1.9

Botnet

HacKed

Mutex

Microsoft.Exe

Attributes

reg_key
Microsoft.Exe

Targets

- Target
  
  enc2.hta
- Size
  
  4KB
- MD5
  
  655efe95aac234dbfca94dda9b36db0e
- SHA1
  
  ab7a01b4048afe8a31348d48647fbbf2a0579e3f
- SHA256
  
  bb4c9c960b921042233d6835d513e320e353a616d44c089dc96a7f4b686e759b
- SHA512
  
  6928dd4d0201a3aec4e7d58da2d02e6a8bc4a3aa9e4b223e77f568ac094b752e5a18672124c1cc299870e6e81ce298d99017541f1d95cf64a229470dc998bd07
Score

10^/10

njrat hacked evasion persistence trojan
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Blocklisted process makes network request
- Modifies Windows Firewall
  evasion
- Registers COM server for autorun
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  enc3.hta
- Size
  
  4KB
- MD5
  
  586ddb57373ee157da834b1c83da00af
- SHA1
  
  d240d7266f86bc74817fc45556d0d4cae4424efc
- SHA256
  
  06769b16f5a4d86ab1c87f7811b6ed4964814cb469e01321c888dab9a2bf5696
- SHA512
  
  467b362ba0feed6b6a15ce2ff767bf2e2503640f05369beba98b6dd67709a632f23b0186f7c21ecd330fd4911c19a68a6fe8e51649a7a983426fd1f2222a6b0e
Score

10^/10

njrat hacked evasion persistence trojan
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Blocklisted process makes network request
- Modifies Windows Firewall
  evasion
- Registers COM server for autorun
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral3 behavioral4

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

njrathackedevasionpersistencetrojan

behavioral3

behavioral4

njrathackedevasionpersistencetrojan