njrat | a5f74051f317f52f6d2fbe9546fb92cf985aefbbcf74f6694e5b70095d8c637f | Triage

Sharing

General

Target

7d751c5400ebc2f605dcbeaf9bcb9d89.exe
Size

93KB
Sample

230316-frd8fsbd6w
MD5

7d751c5400ebc2f605dcbeaf9bcb9d89
SHA1

e8fd45c97fef85d3509ee2737c5936c35ae4e222
SHA256

a5f74051f317f52f6d2fbe9546fb92cf985aefbbcf74f6694e5b70095d8c637f
SHA512

413a7dbf1e13524d0eed52ed0849b6ae67b5abaf525944d1bcb4f4bc66c10dbad40b000f222162eebc99cd38a24bb4d76a7693f7b5ec28cebcb835c3f5f7ee9b
SSDEEP

1536:mxuYW6qbkW8aVpO1iRkoojEwzGi1dD5D8gS:mxW8aVpOwSCi1dFV

Score

10^/10

njrat hacked evasion

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

FRANSESCOC50Y3AuZXUubmdyb2suaW8Strik:MTg2Njg=

Mutex

f2ceb2aef408be9a18f9c806b47c8aaf

Attributes

reg_key
f2ceb2aef408be9a18f9c806b47c8aaf
splitter
|'|'|

Targets

- Target
  
  7d751c5400ebc2f605dcbeaf9bcb9d89.exe
- Size
  
  93KB
- MD5
  
  7d751c5400ebc2f605dcbeaf9bcb9d89
- SHA1
  
  e8fd45c97fef85d3509ee2737c5936c35ae4e222
- SHA256
  
  a5f74051f317f52f6d2fbe9546fb92cf985aefbbcf74f6694e5b70095d8c637f
- SHA512
  
  413a7dbf1e13524d0eed52ed0849b6ae67b5abaf525944d1bcb4f4bc66c10dbad40b000f222162eebc99cd38a24bb4d76a7693f7b5ec28cebcb835c3f5f7ee9b
- SSDEEP
  
  1536:mxuYW6qbkW8aVpO1iRkoojEwzGi1dD5D8gS:mxW8aVpOwSCi1dFV
Score

8^/10

evasion
- Modifies Windows Firewall
  evasion
- Drops startup file
- Legitimate hosting services abused for malware hosting/C2
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

Execution

Persistence

Modify Existing Service

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Replication Through Removable Media

Collection

Exfiltration

Command and Control

Web Service

Impact

Tasks

static1

behavioral1

behavioral2