njrat | 52a7c3a95c263d495d5d45cbc52eedfd797ae2e6ab9627332c1abbf974f297fd

General

Target

52a7c3a95c263d495d5d45cbc52eedfd797ae2e6ab9627332c1abbf974f297fd
Size

584KB
Sample

221126-xmpxtsba2s
MD5

9e1c70e7770ca64967f73b879df6c7ca
SHA1

df4df04598e45b4f5ea4169f46b4681dc0eada3d
SHA256

52a7c3a95c263d495d5d45cbc52eedfd797ae2e6ab9627332c1abbf974f297fd
SHA512

6c181ceae4501eca04acec0fb3e4573f5a4e250c6448e873ebdf7614c38b055c22558ee929a33e06de426d3593cd6b70a98f7849c1367b5c1bf98bc9c834b686
SSDEEP

12288:Jat0EAH49n8BXUkq8xGc55FnU1zRu14+2J1WJeJ+zHn1cS5eS7lU2HzFqs/Fu3:4t24/kqU5M1zx/WJSOn1c3OXzFq1

Score

10^/10

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

100

C2

vantora.no-ip.biz:4700

Mutex

f3fd317a99c802aeb53d1d3eff0f6056

Attributes

reg_key
f3fd317a99c802aeb53d1d3eff0f6056
splitter
|'|'|

Targets

- Target
  
  52a7c3a95c263d495d5d45cbc52eedfd797ae2e6ab9627332c1abbf974f297fd
- Size
  
  584KB
- MD5
  
  9e1c70e7770ca64967f73b879df6c7ca
- SHA1
  
  df4df04598e45b4f5ea4169f46b4681dc0eada3d
- SHA256
  
  52a7c3a95c263d495d5d45cbc52eedfd797ae2e6ab9627332c1abbf974f297fd
- SHA512
  
  6c181ceae4501eca04acec0fb3e4573f5a4e250c6448e873ebdf7614c38b055c22558ee929a33e06de426d3593cd6b70a98f7849c1367b5c1bf98bc9c834b686
- SSDEEP
  
  12288:Jat0EAH49n8BXUkq8xGc55FnU1zRu14+2J1WJeJ+zHn1cS5eS7lU2HzFqs/Fu3:4t24/kqU5M1zx/WJSOn1c3OXzFq1
Score

10^/10

njrat 100 persistence trojan microsoft phishing
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Detected potential entity reuse from brand microsoft.
  phishing microsoft
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

njRAT/Bladabindi

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

AutoIT Executable

Detected potential entity reuse from brand microsoft.

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2