njrat | f16873bf7953ec4a08c62a32dc6365c8a74303c09c723f4548e2ea3452eb0bbc | Triage

Sharing

General

Target

a65150c7e6a1470efdeb95b92e40a5ea_JC.exe
Size

23KB
Sample

230901-yay6eahe56
MD5

a65150c7e6a1470efdeb95b92e40a5ea
SHA1

0e876d2c5da0ce4f7887af1f1b48272c13aaf3ec
SHA256

f16873bf7953ec4a08c62a32dc6365c8a74303c09c723f4548e2ea3452eb0bbc
SHA512

a29eb17ff452f54dc0f273114c769f64bcf8aadcf129cc49555905120c7cdb58a8ce06e77852414782c84c2b13cf9118095e5985e33910b655db0c603e228312
SSDEEP

384:upc6ze6e1PAhJVzC3tC1im/BsTx46PgZ0rap9HBmRvR6JZlbw8hqIusZzZAz:ube9EJLN/yRpcnuF

Score

10^/10

njrat lammer evasion trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

Lammer

C2

0.tcp.sa.ngrok.io:19096

Mutex

27f71527bed7617b3e2e3f3ed8ecf225

Attributes

reg_key
27f71527bed7617b3e2e3f3ed8ecf225
splitter
|'|'|

Targets

- Target
  
  a65150c7e6a1470efdeb95b92e40a5ea_JC.exe
- Size
  
  23KB
- MD5
  
  a65150c7e6a1470efdeb95b92e40a5ea
- SHA1
  
  0e876d2c5da0ce4f7887af1f1b48272c13aaf3ec
- SHA256
  
  f16873bf7953ec4a08c62a32dc6365c8a74303c09c723f4548e2ea3452eb0bbc
- SHA512
  
  a29eb17ff452f54dc0f273114c769f64bcf8aadcf129cc49555905120c7cdb58a8ce06e77852414782c84c2b13cf9118095e5985e33910b655db0c603e228312
- SSDEEP
  
  384:upc6ze6e1PAhJVzC3tC1im/BsTx46PgZ0rap9HBmRvR6JZlbw8hqIusZzZAz:ube9EJLN/yRpcnuF
Score

10^/10

njrat evasion trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Drops startup file
- Legitimate hosting services abused for malware hosting/C2
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

Windows Service

Privilege Escalation

Create or Modify System Process

Windows Service

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

njratevasiontrojan

behavioral2

njratevasiontrojan