njrat | 8103f3aba4d0dca4899bacc85a3f716f52ea505263ad559fb51db32bcc6d3da7 | Triage

Sharing

General

Target

8103f3aba4d0dca4899bacc85a3f716f52ea505263ad559fb51db32bcc6d3da7
Size

352KB
Sample

221124-23ybcshh2y
MD5

efde8f7c97f533dbb5f6b44412f7e0e8
SHA1

32b42444d368b4531dd5b196fb8413201b876f30
SHA256

8103f3aba4d0dca4899bacc85a3f716f52ea505263ad559fb51db32bcc6d3da7
SHA512

9a6023d0f6d23c037c2a3bb296c328c12266a72b40d1bdf254bd901f1fe90157ff1678fcb8bee002e108a29986b05ecbc6431a1150c647decf2b57775b8747d6
SSDEEP

3072:rnyCcI+02me4sZh7Bl/D8C6yi/5rwWZsRPEY9wcDkSFwVxjhC9qOf5Zad77cN/b:vvU7jUyeEmsWuTo5vsWd7pvOU7HJ7M5

Score

10^/10

njrat w.w.w.w evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

w.w.w.w

C2

ksa-ok.ddns.net:1177

Mutex

3731b7c7eb0e242265ddcd1c2fa8c059

Attributes

reg_key
3731b7c7eb0e242265ddcd1c2fa8c059
splitter
|'|'|

Targets

- Target
  
  8103f3aba4d0dca4899bacc85a3f716f52ea505263ad559fb51db32bcc6d3da7
- Size
  
  352KB
- MD5
  
  efde8f7c97f533dbb5f6b44412f7e0e8
- SHA1
  
  32b42444d368b4531dd5b196fb8413201b876f30
- SHA256
  
  8103f3aba4d0dca4899bacc85a3f716f52ea505263ad559fb51db32bcc6d3da7
- SHA512
  
  9a6023d0f6d23c037c2a3bb296c328c12266a72b40d1bdf254bd901f1fe90157ff1678fcb8bee002e108a29986b05ecbc6431a1150c647decf2b57775b8747d6
- SSDEEP
  
  3072:rnyCcI+02me4sZh7Bl/D8C6yi/5rwWZsRPEY9wcDkSFwVxjhC9qOf5Zad77cN/b:vvU7jUyeEmsWuTo5vsWd7pvOU7HJ7M5
Score

10^/10

njrat w.w.w.w trojan evasion persistence
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

njratw.w.w.wtrojan

behavioral2

njratw.w.w.wevasionpersistencetrojan