njrat | ecedda5e5b8289ca6a2934482d13106d0c5faa7cb5fb7b2f1685bc2cc4147f02 | Triage

Sharing

General

Target

2INJECTBYPASSBP.exe
Size

141KB
Sample

241002-gdbe3stdrd
MD5

80d2c46d0860242b374567bee889b360
SHA1

1824af121d54fb6a9f27e60177e6dfd51a1e5005
SHA256

ecedda5e5b8289ca6a2934482d13106d0c5faa7cb5fb7b2f1685bc2cc4147f02
SHA512

cfc23f37fe2ef6be6de9445bd969eb1d7edb0289aa1180f1f42ee3ef0214fc986e8ea07d458c307f09b66df387c97c3ac8e411b98c192b3f5559b8eabb3c563f
SSDEEP

3072:osSasVMY3+pWOwarL59GoPTMajtQ9RWVtoH8qDT4bfGFkGS+b03mD7XY:oBVMY3+p9l7tQKfqDTcYkFmD7X

Score

10^/10

njrat hacked defense_evasion discovery persistence trojan

Malware Config

Extracted

Family

njrat

Version

Platinum

Botnet

HacKed

C2

127.0.0.1:36597

Mutex

realtek.exe

Attributes

reg_key
realtek.exe
splitter
|Ghost|

Targets

- Target
  
  2INJECTBYPASSBP.exe
- Size
  
  141KB
- MD5
  
  80d2c46d0860242b374567bee889b360
- SHA1
  
  1824af121d54fb6a9f27e60177e6dfd51a1e5005
- SHA256
  
  ecedda5e5b8289ca6a2934482d13106d0c5faa7cb5fb7b2f1685bc2cc4147f02
- SHA512
  
  cfc23f37fe2ef6be6de9445bd969eb1d7edb0289aa1180f1f42ee3ef0214fc986e8ea07d458c307f09b66df387c97c3ac8e411b98c192b3f5559b8eabb3c563f
- SSDEEP
  
  3072:osSasVMY3+pWOwarL59GoPTMajtQ9RWVtoH8qDT4bfGFkGS+b03mD7XY:oBVMY3+p9l7tQKfqDTcYkFmD7X
Score

10^/10

njrat hacked defense_evasion discovery persistence trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- .NET Reactor proctector
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Obfuscated Files or Information: Command Obfuscation
  Adversaries may obfuscate content during command execution to impede detection.
  defense_evasion
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Obfuscated Files or Information

Command Obfuscation

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njrathackeddefense_evasiondiscoverypersistencetrojan

behavioral2

njrathackeddefense_evasiondiscoverypersistencetrojan