njrat | f51422da0c91f9c2dcd1e87e61f0a59f64cd71915a006fd83f67be96e8cd31a5 | Triage

Sharing

General

Target

ImmortaLFort.rar
Size

11.5MB
Sample

240419-1s4jyshd3t
MD5

0e7c7aa36ec5edf8a42cd9ca5b68bd06
SHA1

457c6d05f7289ab90590d9ec3fc84b6b2f0a97a6
SHA256

f51422da0c91f9c2dcd1e87e61f0a59f64cd71915a006fd83f67be96e8cd31a5
SHA512

e265e7f7ba57d90ff24c06af66e769cc2ed1c894f9aad05e75aae7d2281f672da3966950f016a6124eac12d903df0b0d7562cd8f151b9e8f334b2760f451444b
SSDEEP

196608:iZ6TK8TtLDMZ9w0Ls+xpTtRg5zEFhsk1T9urdYE7tRPYA+tzNY2hixKXl/4lxk:iZ6tTtLDA7xpT5hv+RkpAK1/4bk

Score

10^/10

njrat mrsvch0st persistence trojan

Malware Config

Extracted

Family

njrat

Version

Platinum

Botnet

MrSvch0st

C2

127.0.0.1:1337

Mutex

notpad.exe

Attributes

reg_key
notpad.exe
splitter
|Ghost|

Targets

- Target
  
  ImmortaL/launcherimortal.exe
- Size
  
  8.0MB
- MD5
  
  27e834cd6f7f5f0d56a8c1f50d7c8ec9
- SHA1
  
  edb4639e5b684ecc1a0d0b5676a890a58656c6e8
- SHA256
  
  850be50676a9696f263611dfce1c11fea0c3cf211fef0b9f9fccadf500135435
- SHA512
  
  3a99d21b87ad47801ee8fb81b90570daaac4d0f771963dab0c7f1b9e848e05b89a57b4c7e90d8753dc56cefcef4f5f8a122c12b1f51cfbb950e848f408b74087
- SSDEEP
  
  49152:RTWfqjVmnGoZCIKmqeinNEn3JKaBZfeYy9VwjwXzl4V4Tu0sYDcXYTWfMsoPRfjd:KxHnaeiQ7BZG39
Score

10^/10

njrat mrsvch0st persistence trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

njratmrsvch0stpersistencetrojan