njrat | 5236fb4550f6a44d270227ef18dc6e06873e30181c3f30932dc5a117ab2a539a | Triage

Sharing

General

Target

b074e0cc3c448376b30b4f65805bb368.bin
Size

25KB
Sample

230723-ch6dssde8s
MD5

06105c62f8b9a72527f5c9e876205013
SHA1

9dd21f46e65de3fef8e06310238c5c0fa767e5b4
SHA256

5236fb4550f6a44d270227ef18dc6e06873e30181c3f30932dc5a117ab2a539a
SHA512

9c2bae5e0f95973a2950434f509696324793247100c29d74768a8fb2b20e1609ccf91a2a59e791f8fef36ba2d23dab72488c24e1843e338d296f8343e26f6b69
SSDEEP

768:U+dcvI3ruzjRxQFDrmBL3dT66ABK/NqaSn:U+iCy/RxcrmBL3dTAKi

Score

10^/10

njrat telegram evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

Telegram

C2

0.tcp.sa.ngrok.io:11552

Mutex

11a5bc89b304534ead07ff50b25ffb52

Attributes

reg_key
11a5bc89b304534ead07ff50b25ffb52
splitter
|'|'|

Targets

- Target
  
  d8ea408260319428541bb48eb7fb0ad9f1c115d0faa243aefc27c28399eb5277.exe
- Size
  
  208KB
- MD5
  
  b074e0cc3c448376b30b4f65805bb368
- SHA1
  
  f6f2c8e3d3066d72087aaab74c28a905a44858af
- SHA256
  
  d8ea408260319428541bb48eb7fb0ad9f1c115d0faa243aefc27c28399eb5277
- SHA512
  
  3e1cbf1ffa14614cb169e819bae5bdcbe54d96db3cea418c9e904af25d0d8bdf0b02a2e95d8ed2223a6e7e3e26336462327b4f54a9b94ef1c3f9c381583e4402
- SSDEEP
  
  384:3DVUq67iFRNItImlQNYlEi0jWro5kqNKk1d7U33r+Y7DTP6juEfU5PZQhht1XKvO:3pUZ7iFfuITm+5LdqHSjumT6vmp+BIl
Score

10^/10

njrat telegram evasion persistence trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

njrattelegramevasionpersistencetrojan

behavioral2

njrattelegramevasionpersistencetrojan