njrat | 2f0e0aeb71609514832d6e80783518eb0efedaf52fe6abdc9f47270e91b6a33f | Triage

Sharing

General

Target

2f0e0aeb71609514832d6e80783518eb0efedaf52fe6abdc9f47270e91b6a33f
Size

710KB
Sample

221126-qmwbaafd48
MD5

1d1f0520530466ef7dfb1b7bfef3e589
SHA1

41dc772cd170d40279ad7347837bf7a6ec2d3ee2
SHA256

2f0e0aeb71609514832d6e80783518eb0efedaf52fe6abdc9f47270e91b6a33f
SHA512

88ed865d725e6c436fd80a77f8bfcf108a77095f078c0b8f711b8de0782dacaecb5c727729d5e927b4433517516ef5c33927e2f11505931de49d59afe4dad840
SSDEEP

12288:oH7Wcjdc/r2sxxiPGGAOOPSXDV8ClgVYhX5FSsf8QuP2rX:obCj2sObHtqQ4Qu+z

Score

10^/10

njrat bot trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

Bot

C2

smuktnet.ddns.net:5552

Mutex

d5bf5ee18952025404f8d39dc09f66a5

Attributes

reg_key
d5bf5ee18952025404f8d39dc09f66a5
splitter
|'|'|

Targets

- Target
  
  2f0e0aeb71609514832d6e80783518eb0efedaf52fe6abdc9f47270e91b6a33f
- Size
  
  710KB
- MD5
  
  1d1f0520530466ef7dfb1b7bfef3e589
- SHA1
  
  41dc772cd170d40279ad7347837bf7a6ec2d3ee2
- SHA256
  
  2f0e0aeb71609514832d6e80783518eb0efedaf52fe6abdc9f47270e91b6a33f
- SHA512
  
  88ed865d725e6c436fd80a77f8bfcf108a77095f078c0b8f711b8de0782dacaecb5c727729d5e927b4433517516ef5c33927e2f11505931de49d59afe4dad840
- SSDEEP
  
  12288:oH7Wcjdc/r2sxxiPGGAOOPSXDV8ClgVYhX5FSsf8QuP2rX:obCj2sObHtqQ4Qu+z
Score

10^/10

njrat bot trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2