njrat | 2825f60e7406d86bb5cbd60cb8239ef2a694f2defa6b6445df4a1a4549e17978 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

a37305b16f4f9a616a44f59d749d1bad
Size

1.1MB
Sample

231222-qqfp1ahbcl
MD5

a37305b16f4f9a616a44f59d749d1bad
SHA1

971c8a3b26f94291cb3f97cc86c0158d27fb700a
SHA256

2825f60e7406d86bb5cbd60cb8239ef2a694f2defa6b6445df4a1a4549e17978
SHA512

b39c378bb471307a962c09670805793e0222d819084c4b4933c88066b0f6bdb6700fff3f22d05121e53395c97a330b1f82db2117952585a2c4080f3f58856fc9
SSDEEP

24576:aCH5N4C79zawzKkZtlmhDi25VmTI26ee3S4Q45cjdPJhTD9qDyQH:VH5B79ewtDlm825VmES85cDhTBydH

Score

10^/10

njrat windows evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

windows

C2

178.33.93.88:2353

Mutex

78a76c8b22b24e8a23742c673717db60

Attributes

reg_key
78a76c8b22b24e8a23742c673717db60
splitter
|'|'|

Targets

- Target
  
  a37305b16f4f9a616a44f59d749d1bad
- Size
  
  1.1MB
- MD5
  
  a37305b16f4f9a616a44f59d749d1bad
- SHA1
  
  971c8a3b26f94291cb3f97cc86c0158d27fb700a
- SHA256
  
  2825f60e7406d86bb5cbd60cb8239ef2a694f2defa6b6445df4a1a4549e17978
- SHA512
  
  b39c378bb471307a962c09670805793e0222d819084c4b4933c88066b0f6bdb6700fff3f22d05121e53395c97a330b1f82db2117952585a2c4080f3f58856fc9
- SSDEEP
  
  24576:aCH5N4C79zawzKkZtlmhDi25VmTI26ee3S4Q45cjdPJhTD9qDyQH:VH5B79ewtDlm825VmES85cDhTBydH
Score

10^/10

njrat windows evasion persistence trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njratwindowsevasionpersistencetrojan

behavioral2

njratwindowsevasionpersistencetrojan