njrat | 82104a89b676d095f16da49490abfd6267a0eea6617d619d25416aaf423125ce

Sharing

Copy URL

Twitter E-mail

General

Target

b7dfbc58f20c398951c1278e07de68e3_JaffaCakes118
Size

313KB
Sample

240617-lchvzsvare
MD5

b7dfbc58f20c398951c1278e07de68e3
SHA1

46b6dd159fb7e31e96a27aad0dc9086cbe597877
SHA256

82104a89b676d095f16da49490abfd6267a0eea6617d619d25416aaf423125ce
SHA512

9000fb30f80c5ed7c7fa700bafe263165ae7a20f7e5f0c2c7dac2323bef6c31345abfb34685db0fd6f8a261f624c11e43eff72f4d6ee9ebf65d651e4c22bd499
SSDEEP

6144:Sx7GE55QIKeAcHAO5OlbckYkO3Q+1NA+UXLv0DgBwXoORBW267P8UD:9ELgV4F3lf/4VBuoOTW2ePL

Score

10^/10

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

awaisawan.zapto.org:5555

Mutex

3484533e95ad86b4adeee88c1907dded

Attributes

reg_key
3484533e95ad86b4adeee88c1907dded
splitter
|'|'|

Extracted

Family

revengerat

Botnet

Guest

awaisawan.zapto.org:333

Mutex

Random

Targets

- Target
  
  Requirements.scr
- Size
  
  441KB
- MD5
  
  d82b4741a531e77f34865a604f1de729
- SHA1
  
  44b7ae953c1c1c60388e7000f6a3060dddc840c0
- SHA256
  
  ca636454ca70c9c0a53cd597603cfae9138281d45b6c22015a59271be06d8885
- SHA512
  
  bc77a89ae2e9671761316f06ae405a4f325b6286066ecb3421619a17fb348bc0eeb485fa3cc653039fc542b7785d082400c2e67680f051f5ab074bee709754c5
- SSDEEP
  
  6144:snx1jC2vG03dvpMsFPDb1pijBfSKtAAFewda/RQMjhpeKqNFubV:edpVhDZwjBf3SA0wdwQMyKqix
Score

10^/10

njrat revengerat guest hacked evasion persistence trojan
- RevengeRAT
  Remote-access trojan with a wide range of capabilities.
  trojan revengerat
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2
- Target
  
  Requirements.docx
- Size
  
  13KB
- MD5
  
  0831b8fbfb0112a869197026cfc22d0d
- SHA1
  
  644a54282a7b2a68442ece836208c8e61229c881
- SHA256
  
  a6ab401737ef183ba8dafce28e2e9737739139c61a4f7a51945324b76dd73d20
- SHA512
  
  2f9722cee67fcdee4aeaeca962612c459492df2a73601f8c40ac9e7cbf90536fbfe38c640fc2fc728da93e5cd5358931c233077e6e6d7e4c4333e3b4ed3c65ae
- SSDEEP
  
  192:TDtmpXYyx/LkMxurg+qA8XAN+BCpBgNu9NRufcoX1qDiKCcp8VmZCJHX:TDCXYyVLZ2WXA4ASNu9yc/eKCg8YZo3
Score

4^/10
behavioral3 behavioral4
- Target
  
  nj.exe
- Size
  
  459KB
- MD5
  
  03c4bd9a3cb44bf49f329fe04e93f537
- SHA1
  
  257dfb6782bc40e9878ada68f350fd8cce2179fb
- SHA256
  
  20c1815d9eecee28c6b86ac3e302756c8e4dbc5963d7d8df431e86f5d1dc41e0
- SHA512
  
  c91666311b655e3f9c213f3aa9d1d72c7610bfda227b5da0d8c5f17f56c16357f5f9224e831fe77f23ef66c8391a4a5e416d9b8f78dcc477a82a84fe5569c97c
- SSDEEP
  
  384:b16KdcoFfsOxQrSuxY8OR1XOg9rXredQ0xtX76i7eaFcwaekfLpOhqVNOXu:ddcoFLxQrS0Yv5OaXyQeV6i7fcB5fOu
Score

10^/10

njrat hacked evasion persistence trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral5 behavioral6
- Target
  
  rv.exe
- Size
  
  386KB
- MD5
  
  2602c258d3fe5647f4f039b644abeaa6
- SHA1
  
  f733131b769735c82c56dd5b3f6aef4e3cabac9b
- SHA256
  
  ab682dce500913302f75c0cccc9f049fc3fa70b16b5de99788fb9cd520f47d3d
- SHA512
  
  db0aa91cbf071fa12951a5b9eeb6610aea3917edd93465863cdeafb939cc5ac9088fee8f64e96d375a428f236bbb589953e60cef3ff50ae2697940d12eba90c6
- SSDEEP
  
  384:re6KdcoFfsOxQrSuxY8OR1XOg9rPdQ0qphKBXnMTismaFcwadkfLpOhqqSOpFC:+dcoFLxQrS0Yv5OaVQ52eisHcBKv2C
Score

10^/10

revengerat guest persistence trojan
- RevengeRAT
  Remote-access trojan with a wide range of capabilities.
  trojan revengerat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral7 behavioral8

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

RevengeRAT

njRAT/Bladabindi

Modifies Windows Firewall

Checks computer location settings

Drops startup file

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

njRAT/Bladabindi

Modifies Windows Firewall

Checks computer location settings

Drops startup file

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

RevengeRAT

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8