njrat | f4f4a763572c82d7e96673adf3d70f6524a2aec4c516db807ce154bdeb1a2237 | Triage

Sharing

General

Target

2583aa32ddaa50284a8d001a68696a00_NeikiAnalytics.exe
Size

7.9MB
Sample

240525-l8py6sdc2s
MD5

2583aa32ddaa50284a8d001a68696a00
SHA1

e5924ab9a1b0ff6ee9939f92b84552a521f70dca
SHA256

f4f4a763572c82d7e96673adf3d70f6524a2aec4c516db807ce154bdeb1a2237
SHA512

d94c24fdc2008e6fe0cc4eb97f487b638dbb8cb0b7611120a643b41c77bbfa00e49fb15df7c03ce61c782f0b7f628647ed686b57615be17b32457181fc9b6243
SSDEEP

196608:hCbGPZmVfjsCbGPZmVfjiCbGPZmVfjsCbGPZmVfj2CbGPZmVfjsCbGPZmVfjiCb2:0GmVNGmVrGmVNGmVnGmVNGmVrGmVNGmy

Score

10^/10

njrat jjj evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

jjj

C2

youri.mooo.com:1605

Mutex

e936a10f968ac948cd351c9629dbd36d

Attributes

reg_key
e936a10f968ac948cd351c9629dbd36d
splitter
|'|'|

Targets

- Target
  
  2583aa32ddaa50284a8d001a68696a00_NeikiAnalytics.exe
- Size
  
  7.9MB
- MD5
  
  2583aa32ddaa50284a8d001a68696a00
- SHA1
  
  e5924ab9a1b0ff6ee9939f92b84552a521f70dca
- SHA256
  
  f4f4a763572c82d7e96673adf3d70f6524a2aec4c516db807ce154bdeb1a2237
- SHA512
  
  d94c24fdc2008e6fe0cc4eb97f487b638dbb8cb0b7611120a643b41c77bbfa00e49fb15df7c03ce61c782f0b7f628647ed686b57615be17b32457181fc9b6243
- SSDEEP
  
  196608:hCbGPZmVfjsCbGPZmVfjiCbGPZmVfjsCbGPZmVfj2CbGPZmVfjsCbGPZmVfjiCb2:0GmVNGmVrGmVNGmVnGmVNGmVrGmVNGmy
Score

10^/10

njrat jjj evasion persistence trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Scheduled Task/Job

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njratjjjevasionpersistencetrojan

behavioral2

njratjjjevasionpersistencetrojan