njrat | 82e3a01167feaeda8f7257e9bf875ab05a5bf4a26c31fcb2bb34e204ac6734df | Triage

Sharing

General

Target

Server.zip
Size

211KB
Sample

220809-zasjashcf9
MD5

da127d6bb78b18286e463aca65935848
SHA1

b68aa8f53f979070c9bb9887391e3ffc8a69cb79
SHA256

82e3a01167feaeda8f7257e9bf875ab05a5bf4a26c31fcb2bb34e204ac6734df
SHA512

acba588498ffc2a1f93c45a4ccf599d71830c8d93580dbb7510eafceda9a33223ec6c1f8cd3668a6611bac782a766ac76475b13b10699283819be3d76134baed

Score

10^/10

njrat hacked evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

1.9

Botnet

HacKed

Mutex

Microsoft.Exe

Attributes

reg_key
Microsoft.Exe

Targets

- Target
  
  Server.ps1
- Size
  
  612KB
- MD5
  
  97c12ecc7e95b2e262e91bf5aa591887
- SHA1
  
  007fcf42f768b48d568716f8fd816ed632fda354
- SHA256
  
  a4431f4c7fdfe445129cce301c59e05d5cc4b1b33aad3341d18308c46efb1024
- SHA512
  
  8329cb6798514fb010bcb20934b87fc7cda9b5342749a1de7b9be4d894db4ecba46e600847e7c4dadb9d1a61a1ee501da177b06b39533dbfe7d6671181bae5b0
Score

10^/10

persistence njrat hacked evasion trojan
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Registers COM server for autorun
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

njrathackedevasionpersistencetrojan