njrat | 6411785178d40974b991439a952a8cd7e9b6a1eaaa9b1d6aca9e943cb60a042a | Triage

Sharing

General

Target

ll.exe
Size

27KB
Sample

230514-em7tjach6t
MD5

de5753b925342fff90f2dcf81c6d9cb0
SHA1

2bb8299a7849fde1ab469d5f15b99fcca0353ab2
SHA256

6411785178d40974b991439a952a8cd7e9b6a1eaaa9b1d6aca9e943cb60a042a
SHA512

aaaf3fd9eb379f7cbbc66eb726e281fc2ff7195b65586617e01b7377b7b7beae1cbf83e63b3c4238cfe94dd712beb617a9534529f0618311deabc1eb7555c8be
SSDEEP

384:yLplYHHeIYTzRRcbg8iEPrthZMVAQk93vmhm7UMKmIEecKdbXTzm9bVhcah6gr6s:sfZxRm8VA/vMHTi9bD

Score

10^/10

njrat victem persistence trojan

Malware Config

Extracted

Family

njrat

Version

v2.0

Botnet

Victem

C2

paul-positive.at.ply.gg:9693

Mutex

Windows

Attributes

reg_key
Windows
splitter
|-F-|

Targets

- Target
  
  ll.exe
- Size
  
  27KB
- MD5
  
  de5753b925342fff90f2dcf81c6d9cb0
- SHA1
  
  2bb8299a7849fde1ab469d5f15b99fcca0353ab2
- SHA256
  
  6411785178d40974b991439a952a8cd7e9b6a1eaaa9b1d6aca9e943cb60a042a
- SHA512
  
  aaaf3fd9eb379f7cbbc66eb726e281fc2ff7195b65586617e01b7377b7b7beae1cbf83e63b3c4238cfe94dd712beb617a9534529f0618311deabc1eb7555c8be
- SSDEEP
  
  384:yLplYHHeIYTzRRcbg8iEPrthZMVAQk93vmhm7UMKmIEecKdbXTzm9bVhcah6gr6s:sfZxRm8VA/vMHTi9bD
Score

10^/10

njrat victem persistence trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Hidden Files and Directories

Privilege Escalation

Defense Evasion

Modify Registry

Hidden Files and Directories

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

njratvictempersistencetrojan