njrat | cf85e39a34bf0bd5ea68402c2cea6639c273b1aaf29c99f52fe584fe73f8f49e | Triage

Sharing

Copy URL Twitter E-mail

General

Target

f8cda53deb2dc40717f2335fe91ed31e
Size

171KB
Sample

231228-z5ynssgbam
MD5

f8cda53deb2dc40717f2335fe91ed31e
SHA1

f19dba664d3e392c45d232d1b5e0a61245cd15b8
SHA256

cf85e39a34bf0bd5ea68402c2cea6639c273b1aaf29c99f52fe584fe73f8f49e
SHA512

32c103263494c7032941a8ca281be93a8c3a9845ff92d80b7d55998c5e6d04f8d6acc0c0a5347a4145a5737a9cc827355b51459c57daa83d1c4c80e607aa155a
SSDEEP

3072:zTDzydJpvNiYZ7eLhLHYGrZrvRbZK8nHnJkCknRSF96/DQ7FPXV0QqHlC/iXWFI3:LYGRvbKaniRSFoLQ7z0QiVXgU

Score

10^/10

njrat h-worm evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

h-worm

C2

127.0.0.1:1177

Mutex

5f805e177fa7c673482c92c255460b67

Attributes

reg_key
5f805e177fa7c673482c92c255460b67
splitter
|'|'|

Targets

- Target
  
  f8cda53deb2dc40717f2335fe91ed31e
- Size
  
  171KB
- MD5
  
  f8cda53deb2dc40717f2335fe91ed31e
- SHA1
  
  f19dba664d3e392c45d232d1b5e0a61245cd15b8
- SHA256
  
  cf85e39a34bf0bd5ea68402c2cea6639c273b1aaf29c99f52fe584fe73f8f49e
- SHA512
  
  32c103263494c7032941a8ca281be93a8c3a9845ff92d80b7d55998c5e6d04f8d6acc0c0a5347a4145a5737a9cc827355b51459c57daa83d1c4c80e607aa155a
- SSDEEP
  
  3072:zTDzydJpvNiYZ7eLhLHYGrZrvRbZK8nHnJkCknRSF96/DQ7FPXV0QqHlC/iXWFI3:LYGRvbKaniRSFoLQ7z0QiVXgU
Score

10^/10

njrat h-worm evasion persistence trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njrath-wormevasionpersistencetrojan

behavioral2

njrath-wormevasiontrojan