njrat | 723d4e16788b240cd61087fe9b70d3f6e60117d0b7af0e242457a77541e277ce | Triage

Sharing

General

Target

dobro.exe
Size

151KB
Sample

230630-m1zn3shh5s
MD5

a443234e456bbc4a78605ab336e7d7f6
SHA1

3ce499b7866a684755ae6b38980438719bff784b
SHA256

723d4e16788b240cd61087fe9b70d3f6e60117d0b7af0e242457a77541e277ce
SHA512

4fdfb874d9db98058709ce72bb7ca8b9dad2307f168ee2aae225ecc26fec33f5c41ceaa67d61ad6617181ccb85a237283e75cb6f43a74051155ec8c0d7fdbcd1
SSDEEP

3072:klgjq8s+yJueAjVd1nut+uV2mTVDjFwkWl176jZ1hCagdgvPW:WgjqARVdRQ/vqkg1gEagdgH

Score

10^/10

njrat hacked_crosss evasion trojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

HacKed_CrosSs

C2

5.101.21.20:1555

Mutex

4742a84879c01b0661392ad95615a345

Attributes

reg_key
4742a84879c01b0661392ad95615a345
splitter
|'|'|

Targets

- Target
  
  dobro.exe
- Size
  
  151KB
- MD5
  
  a443234e456bbc4a78605ab336e7d7f6
- SHA1
  
  3ce499b7866a684755ae6b38980438719bff784b
- SHA256
  
  723d4e16788b240cd61087fe9b70d3f6e60117d0b7af0e242457a77541e277ce
- SHA512
  
  4fdfb874d9db98058709ce72bb7ca8b9dad2307f168ee2aae225ecc26fec33f5c41ceaa67d61ad6617181ccb85a237283e75cb6f43a74051155ec8c0d7fdbcd1
- SSDEEP
  
  3072:klgjq8s+yJueAjVd1nut+uV2mTVDjFwkWl176jZ1hCagdgvPW:WgjqARVdRQ/vqkg1gEagdgH
Score

10^/10

njrat hacked_crosss evasion trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

hacked_crosssnjrat

behavioral1

njrathacked_crosssevasiontrojan

behavioral2

njrathacked_crosssevasiontrojan