njrat | 161b33a3ef477f26cdc150c5ebdec32608975cd3d359c8fa1dd7576a2692cfc3 | Triage

Sharing

General

Target

1ffb2fa3515c7e076ef66f20f369a7b0_JaffaCakes118
Size

55KB
Sample

241008-gsytxsselq
MD5

1ffb2fa3515c7e076ef66f20f369a7b0
SHA1

c08a342b3aa4b1bff3312c90590ffb62a12a9d92
SHA256

161b33a3ef477f26cdc150c5ebdec32608975cd3d359c8fa1dd7576a2692cfc3
SHA512

53f78690b5e1bcfdd5b7f6329276e7c26a1b9db1808a2fa150978b2e2a857aaecde494926696c834c253696ce4a8df747f77e83f2fb979081a6a7bd174eea636
SSDEEP

1536:+JrDbIXO8mQ0kiDuvGTilECp4T5h9AGRU:cekkiCAilECyT5hc

Score

10^/10

njrat system32 discovery trojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

system32

C2

no-vac.ddns.net:6522

Mutex

2bb34da73788e2e567ded296b83f1c4e

Attributes

reg_key
2bb34da73788e2e567ded296b83f1c4e
splitter
|'|'|

Targets

- Target
  
  DarkSnakeFlex.exe
- Size
  
  395KB
- MD5
  
  a6e769e192f3a302342c1eef22a16088
- SHA1
  
  92840048c6ee3811ed84e7c743f6788311182c2c
- SHA256
  
  5ac2dc6b18782e745af8a2985921dbc64b41f7b4f8a6cf4274704b18345d3dac
- SHA512
  
  88db5067ee80dc761f70cad5fce5b87d10cf737715d245ecc23350edcd4007b58f74b0672f473a8c1cf6bb2148fdd0987a6ccca09b4cb58d9f82822c877e7970
- SSDEEP
  
  1536:6vdWSVRVDlOzjRzrksAO0iN9uEH2Kj+gRJN3dOuzXz76XgnIa1QCSz7S7Nv:6MSncRzAO0i7uUv+yJtUOnI9UNv
Score

10^/10

njrat system32 discovery trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njratsystem32discoverytrojan

behavioral2