Overview

overview

10

Static

static

Server2.ps1

windows7-x64

10

Server2.ps1

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Server2.zip

  • Size

    211KB

  • Sample

    220809-zdh42afffp

  • MD5

    3af4cf3d8df4d35c9bb811aaa40e3e96

  • SHA1

    519a143633657a6e60767fa23171a005e4b4a9cd

  • SHA256

    ab848665d099cb50c939e27c37c04c009f66e21af789a15d2b96765dca832502

  • SHA512

    30ac9c9ecebfe300077a1c0dba136b353f3955fa4c4922775bb77f7e7abac1da6580b1c10c05056d3388b9f77cee612631f240e7d545eaba11a58c61572c21b2

Score
10/10
njrathackedevasionpersistencetrojan

Malware Config

Extracted

Family

njrat

Version

1.9

Botnet

HacKed

Mutex

Microsoft.Exe

Attributes
  • reg_key

    Microsoft.Exe

Targets

    • Target

      Server2.ps1

    • Size

      612KB

    • MD5

      6bc00b50a62e3f2160b9edf1cb1cce8e

    • SHA1

      1381fac090dcc9a5635e3e0ae4c6693f726c4dd5

    • SHA256

      4ca62a1c904c5a12aac80ea69f09c4ba439a0eb786d23d384f76f42c32f0063c

    • SHA512

      571b564613e8c6f72a951cbcafa5e5caf9043cb7fffa97f474c80e2bb50f9db281cdd4608c0bcb1a64ce15723f82af78290e76fb9bd50eb36fce7126fe9d1479

    Score
    10/10
    persistencenjrathackedevasiontrojan

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

      trojannjrat

    • Modifies Windows Firewall

      evasion

    • Registers COM server for autorun

      persistence

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks