njrat | 6a17f0d20077d64698dffc77c44dc3a12b86b653375d3adb1f03ad274190a4d8 | Triage

Sharing

General

Target

Server.exe
Size

93KB
Sample

240428-n5z13sfe5v
MD5

b7071a1008ce755ea1d9d49573bbd8af
SHA1

e9221352026922a6935de37d811af499cf7cec06
SHA256

6a17f0d20077d64698dffc77c44dc3a12b86b653375d3adb1f03ad274190a4d8
SHA512

fd861c92d33cf79d7ca73cbe0d05035048c6efb6f12c05f6b00f52e5a0c4089d672a2b8a5889252df42bbc090fda11540c7d10783af095f3da3938dba3d8d828
SSDEEP

1536:JgZC+xhUa9urgOBPRNvM4jEwzGi1dDfDGgS:JgJUa9urgObdGi1dPr

Score

10^/10

njrat hacked evasion

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

hakim32.ddns.net:2000

0.tcp.eu.ngrok.io:10266

Mutex

c0edef3577d11ff8fc907a7e196a399a

Attributes

reg_key
c0edef3577d11ff8fc907a7e196a399a
splitter
|'|'|

Targets

- Target
  
  Server.exe
- Size
  
  93KB
- MD5
  
  b7071a1008ce755ea1d9d49573bbd8af
- SHA1
  
  e9221352026922a6935de37d811af499cf7cec06
- SHA256
  
  6a17f0d20077d64698dffc77c44dc3a12b86b653375d3adb1f03ad274190a4d8
- SHA512
  
  fd861c92d33cf79d7ca73cbe0d05035048c6efb6f12c05f6b00f52e5a0c4089d672a2b8a5889252df42bbc090fda11540c7d10783af095f3da3938dba3d8d828
- SSDEEP
  
  1536:JgZC+xhUa9urgOBPRNvM4jEwzGi1dDfDGgS:JgJUa9urgObdGi1dPr
Score

8^/10

evasion
- Modifies Windows Firewall
  evasion
- Drops startup file
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

Windows Service

Privilege Escalation

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

behavioral2