njrat | a7670a1fa0a4e6ae82288f4e67b8cf112aa98c5ed1af25a12ceee5e345629cbf | Triage

Sharing

Copy URL Twitter E-mail

General

Target

a7670a1fa0a4e6ae82288f4e67b8cf112aa98c5ed1af25a12ceee5e345629cbf
Size

29KB
Sample

221125-3l2swsfa85
MD5

949e8732ab117b814097ff93cceee266
SHA1

27ed08e03289abcaaa67eb4fbf1d65a199993925
SHA256

a7670a1fa0a4e6ae82288f4e67b8cf112aa98c5ed1af25a12ceee5e345629cbf
SHA512

81e75004d7ce62a84f3351dece338b45b476d99b870fded2827f3ea4c1095d3a035ab0ce0fca4fc6d44130fb090b9db1b5172642469151340e3e2f7a10faf3d6
SSDEEP

384:5KLNl7zRVoIY6EXl53NfzGOmqDQ576We/aGBsbh0w4wlAokw9OhgOL1vYRGOZzvF:m7noIYTV7zAqM6WedBKh0p29SgRHGu

Score

10^/10

njrat fucked by firas evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

Fucked By Firas

C2

zokomek.no-ip.org:1177

Mutex

23556fb1360f366337f97c924e76ead3

Attributes

reg_key
23556fb1360f366337f97c924e76ead3
splitter
|'|'|

Targets

- Target
  
  a7670a1fa0a4e6ae82288f4e67b8cf112aa98c5ed1af25a12ceee5e345629cbf
- Size
  
  29KB
- MD5
  
  949e8732ab117b814097ff93cceee266
- SHA1
  
  27ed08e03289abcaaa67eb4fbf1d65a199993925
- SHA256
  
  a7670a1fa0a4e6ae82288f4e67b8cf112aa98c5ed1af25a12ceee5e345629cbf
- SHA512
  
  81e75004d7ce62a84f3351dece338b45b476d99b870fded2827f3ea4c1095d3a035ab0ce0fca4fc6d44130fb090b9db1b5172642469151340e3e2f7a10faf3d6
- SSDEEP
  
  384:5KLNl7zRVoIY6EXl53NfzGOmqDQ576We/aGBsbh0w4wlAokw9OhgOL1vYRGOZzvF:m7noIYTV7zAqM6WedBKh0p29SgRHGu
Score

10^/10

njrat fucked by firas evasion persistence trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

fucked by firasnjrat

behavioral1

njratfucked by firasevasionpersistencetrojan

behavioral2

njratfucked by firasevasionpersistencetrojan