njrat | c17ed1830c9f10d07c87721dc0730c058cc28b563e2615fd93be7eae76145d34 | Triage

Submit
Reports

Overview

overview

Static

static

3

5c75ff9a14...8e.exe

windows7-x64

5c75ff9a14...8e.exe

windows10-2004-x64

Sharing

General

Target

5c75ff9a14e32b1e2b494e8446f1668e
Size

3.7MB
Sample

240115-h2mcxscec9
MD5

5c75ff9a14e32b1e2b494e8446f1668e
SHA1

2fa6bcb8a28a319e41c9f0a07e347ffd20641e9a
SHA256

c17ed1830c9f10d07c87721dc0730c058cc28b563e2615fd93be7eae76145d34
SHA512

49246274856e7d82e68f50cfca5d961e3a6be01f2d3d27e45b510901edec2168d83053d05bb94d228f825796eefc9671fc12370c2c1665fe26e992934fc668b3
SSDEEP

98304:+Q97hLupbss/hAHfqeTPpmBYq9cIF4WRQFEL271NB13mX:hTuxA/qe4BYq+wRCpbzmX

Score

10^/10

njrat server evasion persistence trojan vmprotect

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

5c75ff9a14e32b1e2b494e8446f1668e.exe

Resource

win7-20231215-en

njrat evasion persistence trojan vmprotect

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

5c75ff9a14e32b1e2b494e8446f1668e.exe

Resource

win10v2004-20231215-en

njrat server evasion persistence trojan vmprotect

windows10-2004-x64

13 signatures

150 seconds

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

Server

C2

bozok3377.duckdns.org:5552

Mutex

452c71391e344a3a8cea9d88625e6b6f

Attributes

reg_key
452c71391e344a3a8cea9d88625e6b6f
splitter
|'|'|

Targets

- Target
  
  5c75ff9a14e32b1e2b494e8446f1668e
- Size
  
  3.7MB
- MD5
  
  5c75ff9a14e32b1e2b494e8446f1668e
- SHA1
  
  2fa6bcb8a28a319e41c9f0a07e347ffd20641e9a
- SHA256
  
  c17ed1830c9f10d07c87721dc0730c058cc28b563e2615fd93be7eae76145d34
- SHA512
  
  49246274856e7d82e68f50cfca5d961e3a6be01f2d3d27e45b510901edec2168d83053d05bb94d228f825796eefc9671fc12370c2c1665fe26e992934fc668b3
- SSDEEP
  
  98304:+Q97hLupbss/hAHfqeTPpmBYq9cIF4WRQFEL271NB13mX:hTuxA/qe4BYq+wRCpbzmX
Score

10^/10

njrat evasion persistence trojan vmprotect server
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

Windows Service

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Create or Modify System Process

Windows Service

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Subvert Trust Controls

Install Root Certificate

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

njratevasionpersistencetrojanvmprotect

behavioral2

njratserverevasionpersistencetrojanvmprotect

© 2018-2024

Terms | Privacy