Overview

overview

10

Static

static

10

416c7d11f9...51.exe

windows7-x64

10

416c7d11f9...51.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    416c7d11f909c4774e3586b2f950e7e1fe981f82dc83fc6280856c9b0488c951

  • Size

    112KB

  • Sample

    221128-xx4hzaab37

  • MD5

    3efe7d9fdf50e70b4f1afaaeb2bd8ac8

  • SHA1

    63bc073dc6dff1855307f36e09e2833237337c39

  • SHA256

    416c7d11f909c4774e3586b2f950e7e1fe981f82dc83fc6280856c9b0488c951

  • SHA512

    1cf70cad8f59d65ff68885b69796318f4c844b7e3d065b030ed48715ad293c250e7032ef8b99f5d29138ece2c63432253d2176c2a965ce2d09f64f09d34df2f6

  • SSDEEP

    768:SCt40qhmtLYLE589tXvRpcnuU5XloU+z404fym:Sk40qhmtL/589ZvRWuU1lcUy

Score
10/10
njrathackedevasionpersistencetrojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

salemsalemas123.no-ip.org:1177

Mutex

063e33ad16265e19717dfe9256864cb0

Attributes
  • reg_key

    063e33ad16265e19717dfe9256864cb0

  • splitter

    |'|'|

Targets

    • Target

      416c7d11f909c4774e3586b2f950e7e1fe981f82dc83fc6280856c9b0488c951

    • Size

      112KB

    • MD5

      3efe7d9fdf50e70b4f1afaaeb2bd8ac8

    • SHA1

      63bc073dc6dff1855307f36e09e2833237337c39

    • SHA256

      416c7d11f909c4774e3586b2f950e7e1fe981f82dc83fc6280856c9b0488c951

    • SHA512

      1cf70cad8f59d65ff68885b69796318f4c844b7e3d065b030ed48715ad293c250e7032ef8b99f5d29138ece2c63432253d2176c2a965ce2d09f64f09d34df2f6

    • SSDEEP

      768:SCt40qhmtLYLE589tXvRpcnuU5XloU+z404fym:Sk40qhmtL/589ZvRWuU1lcUy

    Score
    10/10
    njrathackedevasionpersistencetrojan

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

      trojannjrat

    • Executes dropped EXE

    • Modifies Windows Firewall

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Adds Run key to start application

      persistence
    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks