njrat | 3e99cae52ebb2886befe137be1d5149c4b788e2e808719172b0fabd60b56503a | Triage

Sharing

General

Target

1a3f1ea6b4b990b1c1743d13d1865a07.exe
Size

23KB
Sample

230331-xysg4acg23
MD5

1a3f1ea6b4b990b1c1743d13d1865a07
SHA1

7354d163d1c64ddb4c1ec6840951b063800ba326
SHA256

3e99cae52ebb2886befe137be1d5149c4b788e2e808719172b0fabd60b56503a
SHA512

5f8e6018a9d744f10d1b4553794a0eb59c11e95cb9ab2a3c6bea989680c49842fa64e46fef29d2741949169443ee3a0394200f1f7e263a2649c039554a9d5088
SSDEEP

384:SRMKFYuEEhERvoBG16Xuy0MHNw6Tg1Y+75JTFmRvR6JZlbw8hqIusZzZ3A:SqW4V6+yDRpcnub

Score

10^/10

njrat crossfire evasion trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

CrossFire

C2

audiodgx.hopto.org:5552

Mutex

19cb0d51f6ccd969c2d64e6b68b1fc01

Attributes

reg_key
19cb0d51f6ccd969c2d64e6b68b1fc01
splitter
|'|'|

Targets

- Target
  
  1a3f1ea6b4b990b1c1743d13d1865a07.exe
- Size
  
  23KB
- MD5
  
  1a3f1ea6b4b990b1c1743d13d1865a07
- SHA1
  
  7354d163d1c64ddb4c1ec6840951b063800ba326
- SHA256
  
  3e99cae52ebb2886befe137be1d5149c4b788e2e808719172b0fabd60b56503a
- SHA512
  
  5f8e6018a9d744f10d1b4553794a0eb59c11e95cb9ab2a3c6bea989680c49842fa64e46fef29d2741949169443ee3a0394200f1f7e263a2649c039554a9d5088
- SSDEEP
  
  384:SRMKFYuEEhERvoBG16Xuy0MHNw6Tg1Y+75JTFmRvR6JZlbw8hqIusZzZ3A:SqW4V6+yDRpcnub
Score

10^/10

njrat crossfire evasion trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

njratcrossfireevasiontrojan

behavioral2

njratcrossfireevasiontrojan