njrat | 12e490b358c0fa22c31181112cbef58b4636f287d586b5ffa412facd5fee3693 | Triage

Sharing

General

Target

shadowscripts.exe
Size

1.2MB
Sample

230722-xptc2acc6y
MD5

b0a79b29052cc5c816336f4b62284d9a
SHA1

fbc8b1d5abe62d281e80f469bfbc08f106ad0979
SHA256

12e490b358c0fa22c31181112cbef58b4636f287d586b5ffa412facd5fee3693
SHA512

a9aed2651024fa97164db592d835e4276e5465007c44a3cbafd305556f1b36fa966bcdf6e87cdd3d4373f9beaf32164a4dabd657a5523735511b23a55e65563a
SSDEEP

24576:8D7XBCahuVE5ocC6SC8fsXhugahBsCjz3XH8gohXdHI+1o7R:qlCa4emD6SVfmevjDH8dtHzqR

Score

10^/10

njrat stupids evasion persistence spyware stealer trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

stupids

C2

hakim32.ddns.net:2000

hands-social.at.ply.gg:46242

Mutex

d4529f156f8f79f81b02518c9cf09857

Attributes

reg_key
d4529f156f8f79f81b02518c9cf09857
splitter
|'|'|

Targets

- Target
  
  shadowscripts.exe
- Size
  
  1.2MB
- MD5
  
  b0a79b29052cc5c816336f4b62284d9a
- SHA1
  
  fbc8b1d5abe62d281e80f469bfbc08f106ad0979
- SHA256
  
  12e490b358c0fa22c31181112cbef58b4636f287d586b5ffa412facd5fee3693
- SHA512
  
  a9aed2651024fa97164db592d835e4276e5465007c44a3cbafd305556f1b36fa966bcdf6e87cdd3d4373f9beaf32164a4dabd657a5523735511b23a55e65563a
- SSDEEP
  
  24576:8D7XBCahuVE5ocC6SC8fsXhugahBsCjz3XH8gohXdHI+1o7R:qlCa4emD6SVfmevjDH8dtHzqR
Score

10^/10

njrat stupids evasion persistence spyware stealer trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Disables Task Manager via registry modification
  evasion
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Defense Evasion

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Replication Through Removable Media

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njratstupidsevasionpersistencespywarestealertrojan

behavioral2

njratstupidsevasionpersistencespywarestealertrojan