njrat | 7fd1f28c3c49a43cff14302b0d5e790be64412f3b8d142e1df84715cf144cdef | Triage

Sharing

General

Target

7fd1f28c3c49a43cff14302b0d5e790be64412f3b8d142e1df84715cf144cdef
Size

366KB
Sample

221003-cwywwadggr
MD5

2ec5f966af8485c4d445efb4c651e6c7
SHA1

fc9781a10f1fdf02680f6b5d560169ef1aeb24cf
SHA256

7fd1f28c3c49a43cff14302b0d5e790be64412f3b8d142e1df84715cf144cdef
SHA512

af5033db437dde5921568b59c453e4a09d4a145ca6c6ff077718cb96897a5e16a7ba46c25482b7cbb5cc9bd39f68d11d3d550c80180b75c288308e4790b1ea51
SSDEEP

6144:WsxanyfX5k7JlJDlABKUtfU/WQcb5e+CthMmBVuIpB6zk0OfgdGIohT+Y7bOPzAV:H0nyfXuIBDtfuFtCW3akTgdjoh6wbOkV

Score

10^/10

njrat hacked trojan

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

HacKed

C2

kawtherkahla.ddns.net:1177

Mutex

5cd8f17f4086744065eb0992a09e05a2

Attributes

reg_key
5cd8f17f4086744065eb0992a09e05a2
splitter
|'|'|

Targets

- Target
  
  7fd1f28c3c49a43cff14302b0d5e790be64412f3b8d142e1df84715cf144cdef
- Size
  
  366KB
- MD5
  
  2ec5f966af8485c4d445efb4c651e6c7
- SHA1
  
  fc9781a10f1fdf02680f6b5d560169ef1aeb24cf
- SHA256
  
  7fd1f28c3c49a43cff14302b0d5e790be64412f3b8d142e1df84715cf144cdef
- SHA512
  
  af5033db437dde5921568b59c453e4a09d4a145ca6c6ff077718cb96897a5e16a7ba46c25482b7cbb5cc9bd39f68d11d3d550c80180b75c288308e4790b1ea51
- SSDEEP
  
  6144:WsxanyfX5k7JlJDlABKUtfU/WQcb5e+CthMmBVuIpB6zk0OfgdGIohT+Y7bOPzAV:H0nyfXuIBDtfuFtCW3akTgdjoh6wbOkV
Score

10^/10

njrat hacked trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

njrathackedtrojan

behavioral2

njrathackedtrojan