njrat | 5b7042a219a347e8a9af0c90e1f605d386a53fc48642c3a77f87cf07dadadf41 | Triage

Sharing

General

Target

5b7042a219a347e8a9af0c90e1f605d386a53fc48642c3a77f87cf07dadadf41
Size

587KB
Sample

221123-s9em6add45
MD5

cf7dc84ebc0ff95a60344bc727002401
SHA1

359d48d84383391cd7cc2689e89da761b8bf1c71
SHA256

5b7042a219a347e8a9af0c90e1f605d386a53fc48642c3a77f87cf07dadadf41
SHA512

6e939bd5c800482bacf500c5a4989210df235068a98f5cdef9503d39be15bee900fbb506225964daea8eaa6c4035f37a11f487bd0a8c8a7ef3230c33d39e3ade
SSDEEP

12288:TcwSDCwPsgjzeppKzBFhwE5US2LtixPA2mEQqdyy2/mVFAMEpEXuAKlL35:vgsgveipOnKP3Qkd2/MbEG8l

Score

10^/10

njrat doucli trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

DouCLi

C2

fuxxer.noip.me:1604

Mutex

dcc3eadaab98a4e156f5339cb19d8f62

Attributes

reg_key
dcc3eadaab98a4e156f5339cb19d8f62
splitter
|'|'|

Targets

- Target
  
  5b7042a219a347e8a9af0c90e1f605d386a53fc48642c3a77f87cf07dadadf41
- Size
  
  587KB
- MD5
  
  cf7dc84ebc0ff95a60344bc727002401
- SHA1
  
  359d48d84383391cd7cc2689e89da761b8bf1c71
- SHA256
  
  5b7042a219a347e8a9af0c90e1f605d386a53fc48642c3a77f87cf07dadadf41
- SHA512
  
  6e939bd5c800482bacf500c5a4989210df235068a98f5cdef9503d39be15bee900fbb506225964daea8eaa6c4035f37a11f487bd0a8c8a7ef3230c33d39e3ade
- SSDEEP
  
  12288:TcwSDCwPsgjzeppKzBFhwE5US2LtixPA2mEQqdyy2/mVFAMEpEXuAKlL35:vgsgveipOnKP3Qkd2/MbEG8l
Score

10^/10

njrat doucli trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njratdouclitrojan

behavioral2

njratdouclitrojan