njrat | e606ebb8d01184c9bb6f684b03acae1f54b8f4faafcbf6c8f0be404b32a61441 | Triage

Submit
Reports

Overview

overview

Static

static

5

e606ebb8d0...41.exe

windows7-x64

e606ebb8d0...41.exe

windows10-2004-x64

Sharing

General

Target

e606ebb8d01184c9bb6f684b03acae1f54b8f4faafcbf6c8f0be404b32a61441
Size

1.2MB
Sample

221125-hnvgdacg7s
MD5

6ed29f629da1a85b7b854aafda1e369a
SHA1

25cdd05e00d1900aabca3e8a7d11f1a9e4547e3a
SHA256

e606ebb8d01184c9bb6f684b03acae1f54b8f4faafcbf6c8f0be404b32a61441
SHA512

75833a06204dc1d763105ccd427d667cfab5f060e310ab329d243e71f00ae0aa65ecc322ff35291a6ddfcea912a84506d6a99c62d4c38dc4a1958d0b31bd176b
SSDEEP

24576:0tb20pkaCqT5TBWgNQ7ar3YKEBCd1s31LgABGkoyXtkcnO16A:dVg5tQ7ar3GB+1eLFtvnG5

Score

10^/10

njrat a0ayfj0pjtxgl9pajat evasion persistence trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

e606ebb8d01184c9bb6f684b03acae1f54b8f4faafcbf6c8f0be404b32a61441.exe

Resource

win7-20221111-en

njrat a0ayfj0pjtxgl9pajat evasion persistence trojan

windows7-x64

19 signatures

150 seconds

Behavioral task

behavioral2

Sample

e606ebb8d01184c9bb6f684b03acae1f54b8f4faafcbf6c8f0be404b32a61441.exe

Resource

win10v2004-20221111-en

njrat a0ayfj0pjtxgl9pajat evasion persistence trojan

windows10-2004-x64

22 signatures

150 seconds

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

A0AYFJ0PJtXGl9PaJat

C2

193.0.200.131:35689

Mutex

0dcfc9e55379c2e16a422bb33c97d277

Attributes

reg_key
0dcfc9e55379c2e16a422bb33c97d277
splitter
|'|'|

Targets

- Target
  
  e606ebb8d01184c9bb6f684b03acae1f54b8f4faafcbf6c8f0be404b32a61441
- Size
  
  1.2MB
- MD5
  
  6ed29f629da1a85b7b854aafda1e369a
- SHA1
  
  25cdd05e00d1900aabca3e8a7d11f1a9e4547e3a
- SHA256
  
  e606ebb8d01184c9bb6f684b03acae1f54b8f4faafcbf6c8f0be404b32a61441
- SHA512
  
  75833a06204dc1d763105ccd427d667cfab5f060e310ab329d243e71f00ae0aa65ecc322ff35291a6ddfcea912a84506d6a99c62d4c38dc4a1958d0b31bd176b
- SSDEEP
  
  24576:0tb20pkaCqT5TBWgNQ7ar3YKEBCd1s31LgABGkoyXtkcnO16A:dVg5tQ7ar3GB+1eLFtvnG5
Score

10^/10

njrat a0ayfj0pjtxgl9pajat evasion persistence trojan
- Modifies WinLogon for persistence
  persistence
- Modifies visiblity of hidden/system files in Explorer
  evasion
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Blocks application from running via registry modification
  Adds application to list of disallowed applications.
  evasion
- Drops file in Drivers directory
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

Hidden Files and Directories

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Hidden Files and Directories

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

njrata0ayfj0pjtxgl9pajatevasionpersistencetrojan

behavioral2

njrata0ayfj0pjtxgl9pajatevasionpersistencetrojan

© 2018-2024

Terms | Privacy