Resubmissions

  • 15-03-2024 02:26: 240315-cwxc2sgc95 (10)
  • 15-03-2024 02:16: 240315-cqf4wagb79 (10)
  • 15-03-2024 02:03: 240315-cgx12adg9z (3)

General

  • Target: NjRat.0.7D.zip
  • Size: 9.2MB
  • Sample: 240315-cwxc2sgc95
  • MD5: 6a4984809b0b295b75d8a52095a70f73
  • SHA1: 5b7fd2737d6f7c5541c17704534f7602f7465b8d
  • SHA256: 902576f7f90174513a45bc82796b82c9264a57c82c0c72b7c9bf11e7da6bba96
  • SHA512: f54954b82b36c57604960c020e5674e413ca61a61111290c1712036d1f00175f1263967c5ce3674c5d28e606d3c06013d0d331faba24a3a1d77bd38429f22a1d
  • SSDEEP: 196608:p3uLx63wJLFj37EL6GnrrrpPFXXmwB15EiuVnaUrHBB9UB:p4x+Gj3gXrr19Gwr+aQFm

Malware Config

Extracted

  • Family: njrat
  • Version: 0.7d
  • Botnet: MyBot
  • C2: 127.0.0.1:6522
  • Mutex: 60c28f2ec9c1d3d7f391e11534af955e

Attributes

  • reg_key: 60c28f2ec9c1d3d7f391e11534af955e
  • splitter: Y262SUCZ4UJJ

Targets

  • Target: NjRat 0.7D.exe
  • Size: 8.5MB
  • MD5: 70ea9c044c9a766330d3fe77418244a5
  • SHA1: 18602d0db52917b88cbdab84ba89181e6fd4686a
  • SHA256: b78fb092e151db613cba51d7f2532547e48c6f4712809a485f272e2ab55776a5
  • SHA512: 5261865e7ca21e928b956a97518366c9dc218a2312961e0ba0b72b37ae7c797176382de3c3dc1d2949aca51c3db330562f1087a71efdc7c3c3b8f8928872f917
  • SSDEEP: 98304:cn9aRMDoMu2EW5nnim//7uvwCt5tuo32v:cni6nnim//7uVtF

Signatures

  • njRAT/Bladabindi: widely used RAT written in .NET.
  • Modifies Windows Firewall
  • Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
  • Executes dropped EXE
  • Reads data files stored by FTP clients: tries to access configuration files associated with programs like FileZilla.
  • UPX packed file: detects executables packed with UPX or a modified UPX open-source packer.
  • Uses the VBS compiler for execution
  • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

Execution
  • Scripting (T1064): 1

Persistence
  • Create or Modify System Process (T1543): 1
  • Windows Service (T1543.003): 1

Privilege Escalation
  • Create or Modify System Process (T1543): 1
  • Windows Service (T1543.003): 1

Defense Evasion
  • Impair Defenses (T1562): 1
  • Disable or Modify System Firewall (T1562.004): 1
  • Scripting (T1064): 1

Credential Access
  • Unsecured Credentials (T1552): 1
  • Credentials In Files (T1552.001): 1

Discovery
  • Query Registry (T1012): 1
  • System Information Discovery (T1082): 2

Collection
  • Data from Local System (T1005): 1
