njrat | 2d8c76c2bbd7c5a00595ff4e870d1b4009006bb7befd48258d9c8859e440cc28 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

0b896479ef3f0a0462f48320a3ef16c5.exe
Size

25KB
Sample

230508-z1tt2scg46
MD5

0b896479ef3f0a0462f48320a3ef16c5
SHA1

2f5dc4481c5252643f8528e6f20950e8edcfbc5f
SHA256

2d8c76c2bbd7c5a00595ff4e870d1b4009006bb7befd48258d9c8859e440cc28
SHA512

9de1f95a8776719ce3ebfef3d2fade370d27efffdc2ed3e46ea83fde3d3aff7bff21a33c80052d6c5b460c5b65f5c69c121d6a4625e8d7cd77195472ec9a2ba3
SSDEEP

384:sv3ZIKmJWLbkgo90gryXYEQk+ghFNWOek56RZKNASpvKe0:svp8JWMgMzqYEtMY0QFce0

Score

10^/10

njrat hacked persistence trojan

Malware Config

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

HacKed

C2

5.tcp.eu.ngrok.io:13736

Mutex

Windows Update

Attributes

reg_key
Windows Update
splitter
|Hassan|

Targets

- Target
  
  0b896479ef3f0a0462f48320a3ef16c5.exe
- Size
  
  25KB
- MD5
  
  0b896479ef3f0a0462f48320a3ef16c5
- SHA1
  
  2f5dc4481c5252643f8528e6f20950e8edcfbc5f
- SHA256
  
  2d8c76c2bbd7c5a00595ff4e870d1b4009006bb7befd48258d9c8859e440cc28
- SHA512
  
  9de1f95a8776719ce3ebfef3d2fade370d27efffdc2ed3e46ea83fde3d3aff7bff21a33c80052d6c5b460c5b65f5c69c121d6a4625e8d7cd77195472ec9a2ba3
- SSDEEP
  
  384:sv3ZIKmJWLbkgo90gryXYEQk+ghFNWOek56RZKNASpvKe0:svp8JWMgMzqYEtMY0QFce0
Score

10^/10

njrat hacked persistence trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Web Service

Credential Access

Discovery

Query Registry

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

njrathackedpersistencetrojan

behavioral2