njrat | 2c1fd59ada63ebd87def7bda6f66a2494e2e21ff971022bb42b175617c398a95 | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

5

2c1fd59ada...95.exe

windows7-x64

2c1fd59ada...95.exe

windows10-2004-x64

Sharing

General

Target

2c1fd59ada63ebd87def7bda6f66a2494e2e21ff971022bb42b175617c398a95
Size

911KB
Sample

221127-wt1ggace3v
MD5

5947d179c77c96f7a4b174d277725383
SHA1

f925ac6d657e01b5281c0cb1e5aaf01beddb8281
SHA256

2c1fd59ada63ebd87def7bda6f66a2494e2e21ff971022bb42b175617c398a95
SHA512

9625c7406a8f501996242bdffdef259f3804b23b6ddac53d74be2e3a4cd1ced12a0ab4bd91cf91dded4d9003f1bee7122c56d47ab54b9e48dbcea54522755fdf
SSDEEP

12288:Atb20Qc3lT7af41ePBRYuQLKpqeUhbTv5OFgNuPPpHSga+r91G0X6A:Atb20pkaCqT5TBWgNQ7a+r9FX6A

Score

10^/10

njrat hamza evasion persistence trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

2c1fd59ada63ebd87def7bda6f66a2494e2e21ff971022bb42b175617c398a95.exe

Resource

win7-20221111-en

njrat hamza evasion persistence trojan

windows7-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

2c1fd59ada63ebd87def7bda6f66a2494e2e21ff971022bb42b175617c398a95.exe

Resource

win10v2004-20220812-en

njrat hamza evasion persistence trojan

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

hamza

C2

rrs123.no-ip.org:60

Mutex

6188e1c717e994538c5502a5488c8d23

Attributes

reg_key
6188e1c717e994538c5502a5488c8d23
splitter
|'|'|

Targets

- Target
  
  2c1fd59ada63ebd87def7bda6f66a2494e2e21ff971022bb42b175617c398a95
- Size
  
  911KB
- MD5
  
  5947d179c77c96f7a4b174d277725383
- SHA1
  
  f925ac6d657e01b5281c0cb1e5aaf01beddb8281
- SHA256
  
  2c1fd59ada63ebd87def7bda6f66a2494e2e21ff971022bb42b175617c398a95
- SHA512
  
  9625c7406a8f501996242bdffdef259f3804b23b6ddac53d74be2e3a4cd1ced12a0ab4bd91cf91dded4d9003f1bee7122c56d47ab54b9e48dbcea54522755fdf
- SSDEEP
  
  12288:Atb20Qc3lT7af41ePBRYuQLKpqeUhbTv5OFgNuPPpHSga+r91G0X6A:Atb20pkaCqT5TBWgNQ7a+r9FX6A
Score

10^/10

njrat hamza evasion persistence trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njrathamzaevasionpersistencetrojan

behavioral2

njrathamzaevasionpersistencetrojan

© 2018-2025

Terms | Privacy