njrat | 25153d8cd34517f57076e5085ce6f6fa4d8a2f0475762c473d7436248a11d4e3 | Triage

Sharing

General

Target

18b7b51ab055f7af12a53b1d2dd63f95_JC.bin
Size

16KB
Sample

230901-xbz9esha98
MD5

a3059c0aabf272cf685be59a621a766a
SHA1

193b1af4214417ed669bb61545a4e652f7ce2249
SHA256

25153d8cd34517f57076e5085ce6f6fa4d8a2f0475762c473d7436248a11d4e3
SHA512

d3a4a309bcfab2954e58ebbcd45dc082d95e285e102af6fd045b708133474e8651a53f422d7c533ff404f2ec447a35df88f2d677efe163fb6de0b7d6ab1094a0
SSDEEP

384:UlnptTgbBJh1p7dIJPFBJ2Wq9D1p/24mmml/GD4t4mro3:U9ptTgp1RdIJZ5qD/rmmmlODm4p3

Score

10^/10

njrat hacked evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

HacKed

C2

147.185.221.16:33087

Mutex

0475d37e6183d457eda0a2896dbf2265

Attributes

reg_key
0475d37e6183d457eda0a2896dbf2265
splitter
|'|'|

Targets

- Target
  
  04b83cfb61645ef6aed2768b17841cad50bc34d31ac4c8311fae8a6038b23cb6.exe
- Size
  
  37KB
- MD5
  
  18b7b51ab055f7af12a53b1d2dd63f95
- SHA1
  
  c287aaccf3d40d08fce75a85932a6f8dcdc72565
- SHA256
  
  04b83cfb61645ef6aed2768b17841cad50bc34d31ac4c8311fae8a6038b23cb6
- SHA512
  
  5cfb295a3cdcabc2954133b0763caee6d70e918b76f3fde63148ddcf978e8c0ac73b56ed47afd5725c851c0d034e407634b47b87999e422376a09acce817ff48
- SSDEEP
  
  384:Z3Gwkfsgwi+Jx3+j/NSyszkoAXVs3G6aBrAF+rMRTyN/0L+EcoinblneHQM3epzk:Npkk/CNhszkoA+26OrM+rMRa8Nu+ht
Score

10^/10

njrat hacked evasion persistence trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Replication Through Removable Media

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njrathackedevasionpersistencetrojan

behavioral2

njrathackedevasionpersistencetrojan