njrat | 233542a5a45357568fc6cd9d4559362afcefa19291617e0995a195586f4bd2f8 | Triage

Sharing

General

Target

233542a5a45357568fc6cd9d4559362afcefa19291617e0995a195586f4bd2f8
Size

16KB
Sample

240419-vasf3sae5z
MD5

806576467b51c792f7a5e0b3b03dda38
SHA1

d259459ddb4fdeef98599644b67b81782154075d
SHA256

233542a5a45357568fc6cd9d4559362afcefa19291617e0995a195586f4bd2f8
SHA512

05246bd0e98ec0fd5e0f0c36edec878fabfd8480d9153966d6f29650df7c8baf01164e1e5e20e34cb1bd38ec90afca96eb53df315561c34c83971138ddf0be19
SSDEEP

384:Oq26/zPZuj5+lFV086o4hODRYoftWUD9bK9jnL+hwHLZWPoF9Prfagoz:Oq17PYj5+lFGdhQ3RuL+hwHL3M3z

Score

10^/10

njrat hacked evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

HacKed

C2

5.tcp.eu.ngrok.io:11024

Mutex

886e4e6cf55be20a7d674097273f111d

Attributes

reg_key
886e4e6cf55be20a7d674097273f111d
splitter
|'|'|

Targets

- Target
  
  6f3d6bf9ee09bd4cd6af117cca33965c33b99a7380d8de14450b7d4a3cd499b8.exe
- Size
  
  37KB
- MD5
  
  871722db5b9b702357b675e48e491193
- SHA1
  
  ec5cf5b57414fa8253a842bb06fc6822b85e399d
- SHA256
  
  6f3d6bf9ee09bd4cd6af117cca33965c33b99a7380d8de14450b7d4a3cd499b8
- SHA512
  
  9757a9bfc13b23a30590dfc145f837c22fffad56f1c47ca7354ddded78c8afc2418b0a5ce0f0add6aaf59354355577141a1b05115b8faf5d978445570a58b478
- SSDEEP
  
  384:GstKUiDtblmJEpRGyEf7JfJuQCY6iXQrAF+rMRTyN/0L+EcoinblneHQM3epzXIf:5tiHpR9Ef7JsQCFiArM+rMRa8NuCFt
Score

10^/10

njrat hacked evasion persistence trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Replication Through Removable Media

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

njrathackedevasionpersistencetrojan

behavioral2

evasionpersistence