General

  • Target: swag-top-tier-cc.zip
  • Size: 19.4MB
  • Sample: 240526-m1enxage86
  • MD5: 0ff469bf1632b0434d593c4f5ea4fcc3
  • SHA1: 0b12515772566a94d14c315b581d65b130290507
  • SHA256: 2ce8cb36ecb4fd1fc004ac64495da7252223753658440fee143f9e6ce4b27d05
  • SHA512: d0e1b0bc9b0210bb3618939ac439202ce7a8f9d57863b07f1ccbef1649cba08a1927604dd2122b64398e769fe9f0b88b499b679cd832257449243fba22c108f4
  • SSDEEP: 393216:Ma2Y4WsznaBmWJVEUKp4x+eOqnehPW0Q4oRET6GC4DzaC96t4vgHN8kjdvClzVya:x5eTVWJVbKpOOU0Qdy52C9Vvi2kJvqzB

Malware Config

Extracted

  • Family: njrat
  • Version: im523
  • Botnet: HacKed
  • C2: 211.207.79.105:5552
  • Mutex: 2a81185388a3eb0efef9527e7e78f7be
  • Attributes
    • reg_key: 2a81185388a3eb0efef9527e7e78f7be
    • splitter: |'|'|

Targets

    • Target: Njrat-main/NjRat 0.7D Green Edition by im523(Beta).exe
    • Size: 1.7MB
    • MD5: 2d3f9951b531061af499f324ca30f3ce
    • SHA1: 090626c1013d4e30c182cddc881ef004b7289ede
    • SHA256: 7914abca942a21058ca87cf2e19366ce41204fa1085008cb890f5853bc852b2d
    • SHA512: e8ef728be7d9fb55b95b52e0c3e0e87d2a6e560ec5df309878b13c447e349bd2885f5fe1ef4075392bc242523fa7d74aea9607f48194cbc241a39ba04e9b03a5
    • SSDEEP: 49152:1UNixUNihxhA3333333333333QthBKthxeGlPAZwX:iiWijhA3333333333333QthIthxlPAZk
    • njRAT/Bladabindi: Widely used RAT written in .NET.
    • Modifies Windows Firewall
    • Checks computer location settings: Looks up the country code configured in the registry, likely for geofencing.
    • Executes dropped EXE
    • Loads dropped DLL

    • Target: Njrat-main/NjRat 0.7D Green Edition by im523.exe
    • Size: 20.2MB
    • MD5: 348c0bd0ef7201d06bf159e115aa8260
    • SHA1: 86395b0584650b9741af89ba45432558479f8111
    • SHA256: 68028a6306c0343792b73783806e45c47b3b2c332580e6dd7c14efce4571f014
    • SHA512: 6f3bedf2e8c4cb91a496dcdc371dc19839e50a0308927039e29958f49f529324f6665f0a85a1b4bc2c6c23eee493fefbee8fa2f5fcc5000a64a600caedd21203
    • SSDEEP: 393216:z3333333333333qafiI6bReDy4HRamQ0qGCgVSfF+kxAb+nwSuPf06zMrqnoZHjP:z3333333333333NfklP4HRbQ0wuzjM6m
    • Checks computer location settings: Looks up the country code configured in the registry, likely for geofencing.
    • Executes dropped EXE
    • Loads dropped DLL
    • Reads user/profile data of web browsers: Infostealers often target stored browser data, which can include saved credentials and other sensitive information.
    • UPX packed file: Detects executables packed with UPX or a modified version of the open-source UPX packer.
    • Adds Run key to start application
    • Legitimate hosting services abused for malware hosting/C2
    • Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP address.

MITRE ATT&CK Enterprise v15