njrat | 40ecf3ec9b5ca8e87f63e95db85bc256bacad1afc564aa93382d8d80c7c9aa8b | Triage

Sharing

Copy URL Twitter E-mail

General

Target

file.exe
Size

25KB
Sample

230509-amrebsde37
MD5

630cb1c812afbc2faf6195b92a317558
SHA1

44080b81bf19e444a8e9f9c659c11b07eb4140fb
SHA256

40ecf3ec9b5ca8e87f63e95db85bc256bacad1afc564aa93382d8d80c7c9aa8b
SHA512

d0580d7e084d61e67d1163cf44887b99b14dfd06aa19ff6841321fe631e54f8c0b369106abe936633c588875ccf832c74dc80c4c599ce203aa34fb2e71687a65
SSDEEP

384:sv3ZIUmalYa/4xMq952ZZVljFn5rIjku0/yfFUWDc+e2OUrN:svpmalY552ZZV7Fobt7D92a

Score

10^/10

njrat trupashot persistence trojan

Malware Config

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

TrupAshot

C2

151.237.185.211:47736

Mutex

Java

Attributes

reg_key
Java
splitter
|Hassan|

Targets

- Target
  
  file.exe
- Size
  
  25KB
- MD5
  
  630cb1c812afbc2faf6195b92a317558
- SHA1
  
  44080b81bf19e444a8e9f9c659c11b07eb4140fb
- SHA256
  
  40ecf3ec9b5ca8e87f63e95db85bc256bacad1afc564aa93382d8d80c7c9aa8b
- SHA512
  
  d0580d7e084d61e67d1163cf44887b99b14dfd06aa19ff6841321fe631e54f8c0b369106abe936633c588875ccf832c74dc80c4c599ce203aa34fb2e71687a65
- SSDEEP
  
  384:sv3ZIUmalYa/4xMq952ZZVljFn5rIjku0/yfFUWDc+e2OUrN:svpmalY552ZZV7Fobt7D92a
Score

10^/10

njrat trupashot persistence trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njrattrupashotpersistencetrojan

behavioral2