njrat | 1e429092e09d2f72fbe28209ea1bd98d65fff4e9a7bb6e5cd7986196b30a1f98 | Triage

Sharing

General

Target

Server.exe
Size

43KB
Sample

240524-q2c39aga31
MD5

d263ae994c7828269ff7d3a5ec76a11b
SHA1

4c9dcda66fd3004be1b8e1eec4f397ddea9962d5
SHA256

1e429092e09d2f72fbe28209ea1bd98d65fff4e9a7bb6e5cd7986196b30a1f98
SHA512

93051cab42a41be27724206c321bff81a5389e6d4bb7038f2d7fd1bce6dd14ac9c3c1bedf48b0e30c88e0e8efaff557a26e848ef24e408799ab7738be3ebdc53
SSDEEP

384:lZy46NUst+3gUy6jjHK6qEsjtJEzQIij+ZsNO3PlpJKkkjh/TzF7pWna/greT0pe:vAwQh6/H1ujGuXQ/oj3+L

Score

10^/10

njrat hacked persistence spyware stealer trojan upx

Malware Config

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

HacKed

C2

19.ip.gl.ply.gg:54921

Mutex

Windows Update

Attributes

reg_key
Windows Update
splitter
|Hassan|

Targets

- Target
  
  Server.exe
- Size
  
  43KB
- MD5
  
  d263ae994c7828269ff7d3a5ec76a11b
- SHA1
  
  4c9dcda66fd3004be1b8e1eec4f397ddea9962d5
- SHA256
  
  1e429092e09d2f72fbe28209ea1bd98d65fff4e9a7bb6e5cd7986196b30a1f98
- SHA512
  
  93051cab42a41be27724206c321bff81a5389e6d4bb7038f2d7fd1bce6dd14ac9c3c1bedf48b0e30c88e0e8efaff557a26e848ef24e408799ab7738be3ebdc53
- SSDEEP
  
  384:lZy46NUst+3gUy6jjHK6qEsjtJEzQIij+ZsNO3PlpJKkkjh/TzF7pWna/greT0pe:vAwQh6/H1ujGuXQ/oj3+L
Score

10^/10

njrat hacked persistence trojan spyware stealer upx
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Scripting

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

njrathackedpersistencetrojan

behavioral2

njrathackedpersistencespywarestealertrojanupx