njrat | cd53a1eb080ca977a40f0d2f33dea711ac0b6ed4fc0a6102fe64a2b41c91f7f2 | Triage

Sharing

General

Target

cd53a1eb080ca977a40f0d2f33dea711ac0b6ed4fc0a6102fe64a2b41c91f7f2.exe
Size

37KB
Sample

240123-1hg8zaagg5
MD5

e42eb443fd6bf40ef9d7f2bfc76a1acb
SHA1

467365bb0ef682d45c3f1664edd1690d89d56abc
SHA256

cd53a1eb080ca977a40f0d2f33dea711ac0b6ed4fc0a6102fe64a2b41c91f7f2
SHA512

64521ad80f984166efbbd2b2357678a6956b13607da080c1ca7c04d466b1f643abcecb56e89da7a69c57cf3bfbc672e441c023503d3e3ab2c410548a4c55ed11
SSDEEP

384:7R6Iiu5jtD+P3V+y0bzif2tH5ssumTErAF+rMRTyN/0L+EcoinblneHQM3epzXtq:lRmV10bzif2tSNmorM+rMRa8NubOt

Score

10^/10

njrat max evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

MAX

C2

4.tcp.eu.ngrok.io:19378

Mutex

e202c6dae1aeba28a88e7bf1cebb0c19

Attributes

reg_key
e202c6dae1aeba28a88e7bf1cebb0c19
splitter
|'|'|

Targets

- Target
  
  cd53a1eb080ca977a40f0d2f33dea711ac0b6ed4fc0a6102fe64a2b41c91f7f2.exe
- Size
  
  37KB
- MD5
  
  e42eb443fd6bf40ef9d7f2bfc76a1acb
- SHA1
  
  467365bb0ef682d45c3f1664edd1690d89d56abc
- SHA256
  
  cd53a1eb080ca977a40f0d2f33dea711ac0b6ed4fc0a6102fe64a2b41c91f7f2
- SHA512
  
  64521ad80f984166efbbd2b2357678a6956b13607da080c1ca7c04d466b1f643abcecb56e89da7a69c57cf3bfbc672e441c023503d3e3ab2c410548a4c55ed11
- SSDEEP
  
  384:7R6Iiu5jtD+P3V+y0bzif2tH5ssumTErAF+rMRTyN/0L+EcoinblneHQM3epzXtq:lRmV10bzif2tSNmorM+rMRa8NubOt
Score

10^/10

njrat max evasion persistence trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Replication Through Removable Media

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

njratmaxevasionpersistencetrojan

behavioral2

evasionpersistence