njrat | 81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b | Triage

Submit
Reports

Overview

overview

Static

static

5

81e7eb62a1...2b.exe

windows7-x64

81e7eb62a1...2b.exe

windows10-2004-x64

Sharing

General

Target

81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b
Size

715KB
Sample

221126-2l5dcaeb2x
MD5

df265fe540eaf09ba00fa6fa29af3624
SHA1

2ab46e8c20481068f15291ef31356bca50b2ecb7
SHA256

81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b
SHA512

7fd35a660fabedb84a1e2dd412252718b211cf3f6c371f40456b37906bd22478d318041cc66d56d081f050fd915d50ee9d6c27e87f7745b12f4213636b55a4ec
SSDEEP

12288:+H7Wcjdc/r2sxxiPGGAOOPSXDV8ClgVYhX5FSsf8QU3NELIHIYwE4HVA:+bCj2sObHtqQ4QSTwt1A

Score

10^/10

njrat hacked evasion persistence trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe

Resource

win7-20221111-en

njrat hacked evasion persistence trojan

windows7-x64

11 signatures

150 seconds

Behavioral task

behavioral2

Sample

81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b.exe

Resource

win10v2004-20220812-en

njrat hacked evasion persistence trojan

windows10-2004-x64

13 signatures

150 seconds

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

HacKed

C2

5.34.183.64:1699

Mutex

2814667a3ff5b067280784d8be595983

Attributes

reg_key
2814667a3ff5b067280784d8be595983
splitter
|'|'|

Targets

- Target
  
  81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b
- Size
  
  715KB
- MD5
  
  df265fe540eaf09ba00fa6fa29af3624
- SHA1
  
  2ab46e8c20481068f15291ef31356bca50b2ecb7
- SHA256
  
  81e7eb62a140d6fa89d9c15748789aa29b2f428fc7fce15fee9159ca3a53b82b
- SHA512
  
  7fd35a660fabedb84a1e2dd412252718b211cf3f6c371f40456b37906bd22478d318041cc66d56d081f050fd915d50ee9d6c27e87f7745b12f4213636b55a4ec
- SSDEEP
  
  12288:+H7Wcjdc/r2sxxiPGGAOOPSXDV8ClgVYhX5FSsf8QU3NELIHIYwE4HVA:+bCj2sObHtqQ4QSTwt1A
Score

10^/10

njrat hacked evasion persistence trojan
- Modifies WinLogon for persistence
  persistence
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njrathackedevasionpersistencetrojan

behavioral2

njrathackedevasionpersistencetrojan

© 2018-2024

Terms | Privacy