njrat | 74dda7038473283d4574897cf07ce1cad1ea4d47cbf24cb1d17bf29f1cd4df74 | Triage

Submit
Reports

Overview

overview

Static

static

Client.exe

windows10-1703-x64

Sharing

General

Target

Client.exe
Size

31KB
Sample

221207-zfevdsga65
MD5

cce84a59d2b090a31e57d0a72ad74fa2
SHA1

a9a44dc4626a68e40a5b5fb7a7d0f7fad309e06c
SHA256

74dda7038473283d4574897cf07ce1cad1ea4d47cbf24cb1d17bf29f1cd4df74
SHA512

c291bae5dea8a60b32aba72ca9839c717478b10439237ab0edc3230f4dbee1cd2d296c9d984bd865454304f47f3f37e3f11560d010a76ba9f2feecf4cb1222c9
SSDEEP

768:GDirDp8pdvXyzx9uFwna/5nW3TvanQmIDUu0tiLfj:Fw68nQbkQVkej

Score

10^/10

njrat test discovery evasion persistence spyware stealer trojan upx

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

Client.exe

Resource

win10-20220812-en

njrat discovery evasion persistence spyware stealer trojan upx

windows10-1703-x64

26 signatures

600 seconds

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

Test

C2

87.1.10.253:6522

Mutex

9057ef5c5e88ed748f4a1200ec63197e

Attributes

reg_key
9057ef5c5e88ed748f4a1200ec63197e
splitter
Y262SUCZ4UJJ

Targets

- Target
  
  Client.exe
- Size
  
  31KB
- MD5
  
  cce84a59d2b090a31e57d0a72ad74fa2
- SHA1
  
  a9a44dc4626a68e40a5b5fb7a7d0f7fad309e06c
- SHA256
  
  74dda7038473283d4574897cf07ce1cad1ea4d47cbf24cb1d17bf29f1cd4df74
- SHA512
  
  c291bae5dea8a60b32aba72ca9839c717478b10439237ab0edc3230f4dbee1cd2d296c9d984bd865454304f47f3f37e3f11560d010a76ba9f2feecf4cb1222c9
- SSDEEP
  
  768:GDirDp8pdvXyzx9uFwna/5nW3TvanQmIDUu0tiLfj:Fw68nQbkQVkej
Score

10^/10

njrat discovery evasion persistence spyware stealer trojan upx
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Drops startup file
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Scripting

Modify Registry

Install Root Certificate

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Web Service

Impact

Tasks

static1

behavioral1

njratdiscoveryevasionpersistencespywarestealertrojanupx

© 2018-2024

Terms | Privacy