njrat | 697e668ff68ad6ec46a37f3be151cceee3df535f78af08fc290f4553d5b562fb | Triage

Sharing

General

Target

0c7e71cb15f3a654bd603ecc875126b5.exe
Size

25KB
Sample

230206-3lkjlsgd56
MD5

0c7e71cb15f3a654bd603ecc875126b5
SHA1

86b9b8214a1f25c1c059201b89b0e058ccc24046
SHA256

697e668ff68ad6ec46a37f3be151cceee3df535f78af08fc290f4553d5b562fb
SHA512

35608317ba260a1483002dbb7271db5b10ca02b07f6f9dde2453bfd449397516ad32fb86d340e37ed140b53e6fdd0d57d113e2d9bf7dc4abf7265235628499e9
SSDEEP

768:svp3Gwda1gHhRsSiBCyiEs81sByH6oCgmj:Q3Gwda1gBVOCyiYyBy3E

Score

10^/10

njrat hacked persistence trojan

Malware Config

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

HacKed

C2

4.tcp.eu.ngrok.io:12433

Mutex

Windows Update

Attributes

reg_key
Windows Update
splitter
|Hassan|

Targets

- Target
  
  0c7e71cb15f3a654bd603ecc875126b5.exe
- Size
  
  25KB
- MD5
  
  0c7e71cb15f3a654bd603ecc875126b5
- SHA1
  
  86b9b8214a1f25c1c059201b89b0e058ccc24046
- SHA256
  
  697e668ff68ad6ec46a37f3be151cceee3df535f78af08fc290f4553d5b562fb
- SHA512
  
  35608317ba260a1483002dbb7271db5b10ca02b07f6f9dde2453bfd449397516ad32fb86d340e37ed140b53e6fdd0d57d113e2d9bf7dc4abf7265235628499e9
- SSDEEP
  
  768:svp3Gwda1gHhRsSiBCyiEs81sByH6oCgmj:Q3Gwda1gBVOCyiYyBy3E
Score

10^/10

njrat hacked persistence trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

njrathackedpersistencetrojan

behavioral2