njrat | 14a08cc28c5d133cec49f1e23ed4a0685c7a8dcbda6a6cde57fa2197fe428040 | Triage

Sharing

General

Target

Remcos Professional Cracked By Alcatraz3222.rar
Size

34.6MB
Sample

230329-bhkawseb69
MD5

91ef73eb787be28e013389110e78e8b2
SHA1

e97029e530c662e8fb89d3c1957fb168509b8f4f
SHA256

14a08cc28c5d133cec49f1e23ed4a0685c7a8dcbda6a6cde57fa2197fe428040
SHA512

d10094e545d71b5c404b4d62d134874dbec2d5ab3088b85d27711abcbfcb48431e722a1cfa178743400026030eac184912d15a23b3c113a3fdc016210351adc7
SSDEEP

786432:QuFA4mY7D7S4TWoDF8XB3uD5hLm6TtvtpYvbsYsaMxa/Ecaqu6:QuMYX24TRqBO5hLm6TtvtCvb4dOEcb

Score

10^/10

njrat hacked evasion trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

dllsys.duckdns.org:3202

Mutex

3b570ffeeb3d34249b9a5ce0ee58a328

Attributes

reg_key
3b570ffeeb3d34249b9a5ce0ee58a328
splitter
svchost

Targets

- Target
  
  Remcos Professional Cracked By Alcatraz3222-cleaned.exe
- Size
  
  17.9MB
- MD5
  
  946125ea1dcd4d87c44b603f608dd64c
- SHA1
  
  48635fd472da387b60a43d4b65813516f99c8c55
- SHA256
  
  56b813058735d5f0980dae75394cba6e78d2096f142aaf7811251dbac7657bb1
- SHA512
  
  b3f42641a68cd4e7c365a031f6c1997e3c4efcf0fbf6b616341062b23f58e90d6a08d93ac249de1b53151a8dfb728da5cbdfd8d18e96892410038385fb96c7e5
- SSDEEP
  
  393216:tHN4EgV1uaHYxhfJJZu9rOtEK0Vc+shB97mip52wrqi3nHoKzMWUOCF:tCEm54vJJZWWMgp5HuuzMWU
Score

10^/10

njrat hacked evasion trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1
- Target
  
  Remcos Professional Cracked By Alcatraz3222.exe
- Size
  
  17.7MB
- MD5
  
  efc159c7cf75545997f8c6af52d3e802
- SHA1
  
  b85bd368c91a13db1c5de2326deb25ad666c24c1
- SHA256
  
  898ac001d0f6c52c1001c640d9860287fdf30a648d580e9f5dd15e2ef84ab18e
- SHA512
  
  d06a432233dceb731defd53238971699fef201d0f9144ee50e5dd7d6620dfdd6c298d52618bf2c9feb0519574f4565fb0177b00fd8292768fbd8b85dd11e650d
- SSDEEP
  
  393216:GYuGvp8EHb+in8f4Zg41+Q4AXf5ZZcyfHDMxVpSc+q+eOFxdx:3mqSi8fN4sAXfrZcyfo7p0eYHx
Score

10^/10

njrat hacked evasion trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Suspicious use of SetThreadContext
behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

njrathackedevasiontrojan

behavioral2

njrathackedevasiontrojan