njrat | 868448f6c06d672fd544f64ae73ca4b1fe8403af947b870edd99ff842c02c59d | Triage

Sharing

General

Target

868448F6C06D672FD544F64AE73CA4B1FE8403AF947B8.exe
Size

180KB
Sample

230605-wlv7saaf4v
MD5

4f333b5a74e464d8fd46fe49bedc760e
SHA1

110588bfa2559e700564af03db5cf851be5ac3d3
SHA256

868448f6c06d672fd544f64ae73ca4b1fe8403af947b870edd99ff842c02c59d
SHA512

5ea9dbfae7dcf16f38aa0b064dd51cb7f6d398d5bb38b0877e9c7bf6b676151c01828c030d9d2f03707366651a66a3df39985aea43528baea55e79e83f784baf
SSDEEP

3072:AK3fycY2pTpIb42etB/RpH5pXZOaXqmmgDXnkUrsK0GEx4FvPA+LjpgKab8iPt9G:9r9GE7PH3XZ84kUuVxG7Hpg3f9dO+

Score

10^/10

njrat hacked persistence trojan

Malware Config

Extracted

Family

njrat

Version

Platinum

Botnet

HacKed

C2

127.0.0.1:5505

Mutex

Runtime Broker.exe

Attributes

reg_key
Runtime Broker.exe
splitter
|Ghost|

Targets

- Target
  
  868448F6C06D672FD544F64AE73CA4B1FE8403AF947B8.exe
- Size
  
  180KB
- MD5
  
  4f333b5a74e464d8fd46fe49bedc760e
- SHA1
  
  110588bfa2559e700564af03db5cf851be5ac3d3
- SHA256
  
  868448f6c06d672fd544f64ae73ca4b1fe8403af947b870edd99ff842c02c59d
- SHA512
  
  5ea9dbfae7dcf16f38aa0b064dd51cb7f6d398d5bb38b0877e9c7bf6b676151c01828c030d9d2f03707366651a66a3df39985aea43528baea55e79e83f784baf
- SSDEEP
  
  3072:AK3fycY2pTpIb42etB/RpH5pXZOaXqmmgDXnkUrsK0GEx4FvPA+LjpgKab8iPt9G:9r9GE7PH3XZ84kUuVxG7Hpg3f9dO+
Score

10^/10

njrat hacked persistence trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Web Service

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

njrathackedpersistencetrojan

behavioral2