njrat | 153474a421555efec96bb2a8916c487831cbf7f7bdc2b0d38a8195927d44328c | Triage

Sharing

Copy URL Twitter E-mail

General

Target

153474a421555efec96bb2a8916c487831cbf7f7bdc2b0d38a8195927d44328c
Size

11KB
Sample

240419-v8my9abf9x
MD5

d4fc31567a36d5fb4ef75f83e8236cdb
SHA1

8e56bce590fc291f8f58b641797e1e42ede59d67
SHA256

153474a421555efec96bb2a8916c487831cbf7f7bdc2b0d38a8195927d44328c
SHA512

36edcb83d12ecee600704fb547cb0815717b15397ff13705554fc5557efe897596811132f24cb17587f78a6d130a172be274b68b50b05bbaf618659b6078c4fe
SSDEEP

192:moCuzlnPbRLMsbNO3Dvook9JsphA3RY6qTYZXhTHDbmpZPSuzSVtJ2eV5f50Ik8L:3CuzhPb9TbNO3DwoIJsHA3RY7QXhEZjc

Score

10^/10

njrat hacked by jmrh evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

Hacked by JmRh

C2

0.tcp.eu.ngrok.io:15422

Mutex

255adf5996e3bf23b41adff1252970bf

Attributes

reg_key
255adf5996e3bf23b41adff1252970bf
splitter
|'|'|

Targets

- Target
  
  4a5fdda9ee07e884e1d89612b56a932acb9c812b72cccacde885da0f9b4eab31.exe
- Size
  
  23KB
- MD5
  
  26f75dde198f77866dbc6167cc101f2d
- SHA1
  
  056d49fc62c8ce9efcedf4ea3e4b8b357e3a23f9
- SHA256
  
  4a5fdda9ee07e884e1d89612b56a932acb9c812b72cccacde885da0f9b4eab31
- SHA512
  
  a42ca275b2f6ea334adab73a63adef6da64acb8b1663b3658d33c21f187ac1e0ec1cbe2d5b935c1c0c8da024979bf57ff2abc6b610b74aec956ed66a615ba77d
- SSDEEP
  
  384:D3gexUw/L+JrgUon5b9uSDMwT9Pfg6NgrWoBYi51mRvR6JZlbw8hqIusZzZ5Hoz:7IAKG91DP1hPRpcnukW
Score

10^/10

njrat hacked by jmrh evasion persistence trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

hacked by jmrhnjrat

behavioral1

njrathacked by jmrhevasionpersistencetrojan

behavioral2

njrathacked by jmrhevasionpersistencetrojan