njrat | 3577afb909325c2982c63bc78b6f888fa3e68ae29ca2c788afbb95bcd04feeaa | Triage

Submit
Reports

Overview

overview

Static

static

1

sample.exe

windows7-x64

sample.exe

windows10-2004-x64

Sharing

General

Target

sample.exe
Size

4.6MB
Sample

230324-zeywwahc26
MD5

7e8ba9fb61fa408145919b871075e1c9
SHA1

d166c427649f37085719c0591fb0b8da077dc0db
SHA256

3577afb909325c2982c63bc78b6f888fa3e68ae29ca2c788afbb95bcd04feeaa
SHA512

3be86970072d578cda053b4823075f5e3ec9600b16cb6073e4c0cb0b248547fb152521aedad2fbcdfdd6fac5cb3214e0ac2bd62337c702a07f4ae440ce6d80cf
SSDEEP

49152:Op+gbAnNQKwjVqrtjMAg5myuPvD3ZOYWrKvn+V3peuTTpGT3s/Z4N+CKsoY0r:8

Score

10^/10

njrat hacked agilenet persistence trojan

Static task

static1

Behavioral task

behavioral1

Sample

sample.exe

Resource

win7-20230220-en

njrat hacked agilenet persistence trojan

windows7-x64

11 signatures

150 seconds

Behavioral task

behavioral2

Sample

sample.exe

Resource

win10v2004-20230220-en

njrat hacked persistence trojan

windows10-2004-x64

11 signatures

150 seconds

Malware Config

Extracted

Family

njrat

Version

v2.0

Botnet

HacKed

C2

vesperiskindagoated.hopto.org:5552

Mutex

WSecurityKey

Attributes

reg_key
WSecurityKey
splitter
|-F-|

Targets

- Target
  
  sample.exe
- Size
  
  4.6MB
- MD5
  
  7e8ba9fb61fa408145919b871075e1c9
- SHA1
  
  d166c427649f37085719c0591fb0b8da077dc0db
- SHA256
  
  3577afb909325c2982c63bc78b6f888fa3e68ae29ca2c788afbb95bcd04feeaa
- SHA512
  
  3be86970072d578cda053b4823075f5e3ec9600b16cb6073e4c0cb0b248547fb152521aedad2fbcdfdd6fac5cb3214e0ac2bd62337c702a07f4ae440ce6d80cf
- SSDEEP
  
  49152:Op+gbAnNQKwjVqrtjMAg5myuPvD3ZOYWrKvn+V3peuTTpGT3s/Z4N+CKsoY0r:8
Score

10^/10

njrat hacked agilenet persistence trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Hidden Files and Directories

Privilege Escalation

Defense Evasion

Modify Registry

Hidden Files and Directories

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

njrathackedagilenetpersistencetrojan

behavioral2

njrathackedpersistencetrojan

© 2018-2024

Terms | Privacy