njrat | 08ca2a32d6a27de1f07a164ed5211b0925d6c714202d6904b14e5762cb1c1598 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

00d890597737c64604fb99cac1123f82
Size

355KB
Sample

231229-xdz2faged7
MD5

00d890597737c64604fb99cac1123f82
SHA1

b8feac01b11cd9d1acfb763dd98e13a92bb2f62c
SHA256

08ca2a32d6a27de1f07a164ed5211b0925d6c714202d6904b14e5762cb1c1598
SHA512

57fe7b2ab28af4ec2c10e88ae4eae3e088dbf6a7aedb1d2637aba0f1570bdf3a11fc62a8423a018430385ba99da10297b3491a5d71ade4524cf5d9e0c4276e15
SSDEEP

6144:67n3TGxj+ICAvuXZ9XLoReFCGl7Lhl2UBsE2nHlsYs8kQ8WLFYl5Xtn1CAfTrLbl:673Twj+ICysZ902JLz2LE2HlVs8b6vXB

Score

10^/10

njrat hacked evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

bishkek931.ddns.net:4872

Mutex

a013db6448ce7b1492a55b34d57926a8

Attributes

reg_key
a013db6448ce7b1492a55b34d57926a8
splitter
|'|'|

Targets

- Target
  
  00d890597737c64604fb99cac1123f82
- Size
  
  355KB
- MD5
  
  00d890597737c64604fb99cac1123f82
- SHA1
  
  b8feac01b11cd9d1acfb763dd98e13a92bb2f62c
- SHA256
  
  08ca2a32d6a27de1f07a164ed5211b0925d6c714202d6904b14e5762cb1c1598
- SHA512
  
  57fe7b2ab28af4ec2c10e88ae4eae3e088dbf6a7aedb1d2637aba0f1570bdf3a11fc62a8423a018430385ba99da10297b3491a5d71ade4524cf5d9e0c4276e15
- SSDEEP
  
  6144:67n3TGxj+ICAvuXZ9XLoReFCGl7Lhl2UBsE2nHlsYs8kQ8WLFYl5Xtn1CAfTrLbl:673Twj+ICysZ902JLz2LE2HlVs8b6vXB
Score

10^/10

njrat hacked evasion persistence trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Scheduled Task/Job

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njrathackedevasionpersistencetrojan

behavioral2

evasionpersistence