NjRAT | 威胁等级: high | 类型: RAT

加密标识符

SHA256c706f26e9415008e1a59ae096932524bf0235a8fd003d476c2fb6a1684fa3070
MD554a357601a27f1d140a46df93f8ff3cf
文件类型exe
大小953.0 KB
首次发现2026-03-01
文件名Not a rat.exe
标签exe, NjRAT

恶意软件家族: NjRAT

NjRAT, Orta Doğu'da yaygın RAT'tır.

类型RAT
编程语言VB.NET
目标平台Windows
C2 协议TCP
用途Uzaktan erişim, tuş kaydı
首次发现年份2012
别名Bladabindi

威胁指标 (IOC)

  • SHA256: c706f26e9415008e1a59ae096932524bf0235a8fd003d476c2fb6a1684fa3070
  • MD5: 54a357601a27f1d140a46df93f8ff3cf

系统清理指南

  1. 将系统从网络断开——拔掉网线,关闭 Wi-Fi
  2. 在任务管理器中结束可疑进程
  3. 使用 Malwarebytes 或 Kaspersky 进行全盘扫描
  4. HKCU\Software\Microsoft\Windows\CurrentVersion\Run kayıtlarını kontrol edin
  5. 在任务计划程序中检查新建的计划任务
  6. 使用未感染的设备更改所有账户密码
  7. Gerekirse Windows'u yeniden yükleyin ve verilerinizi temiz bir yedeğe geri alın

YARA 规则提示

rule NjRAT_SHA256 {
    meta:
        description = "NjRAT sample: c706f26e9415008e"
        threat_level = "high"
        first_seen = "2026-03-01"
    condition:
        hash.sha256(0, filesize) == "c706f26e9415008e1a59ae096932524bf0235a8fd003d476c2fb6a1684fa3070"
}

NjRAT — 恶意软件档案

njRAT Bladabindi. Spanish cotizacion lure. get_Panel1 C2 panel. MENA + Latin America targeting.

恶意软件类型
RAT
编程语言
VB.NET
C2协议
TCP (varsayilan port 1177)
目标系统
Windows
别名 (AKA)
Bladabindi, H-Worm, houdini

技术细节

TCP port 1177 (varsayilan), XOR tabanlı iletisim sifreleme, .NET Framework 2.0+, Mutex: {GUID}, Registry Run key persistence, Keylogger (GetAsyncKeyState), clipboard monitor, screenshot, remote shell, remote camera

归因 / 威胁行为者

Arap dilli siber suc topluluklari, en cok MENA (Orta Dogu ve Kuzey Afrika) bolgesindeki gruplar. Yasama savasi donemi Suriyeli gruplar tarafindan da kullanilmistir.

能力与行为

Uzaktan Erişim & Kontrol
Keylogger
Ekran Görüntüsü
Webcam Erişimi
Dosya Yönetimi
Süreç Yönetimi
Komut Yürütme
Kalıcılık Mekanizması

IOC列表 (25 个指标)

IOC — NjRAT
# SHA256 c706f26e9415008e1a59ae096932524bf0235a8fd003d476c2fb6a1684fa3070 # MD5 54a357601a27f1d140a46df93f8ff3cf # IP 185.176.27.250 # IP 146.70.124.85 # IP 62.197.162.218 # IP 92.204.160.114 # IP 5.252.22.90 # IP 91.215.85.53 # IP 185.252.148.78 # IP 91.121.146.89 # DOMAIN njrat-c2-2025.ddns.net # DOMAIN bloopblast.no-ip.biz # DOMAIN njstudio.myftp.biz # DOMAIN njrat-builder-online.ru # MUTEX 5XmUuN0Gzh_mutex # MUTEX njrat_unique_2kxpw3 # MUTEX e # MUTEX Hacked # REGISTRY HKCUSoftwareMicrosoftWindowsCurrentVersionRun j # REGISTRY HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun j # REGISTRY HKCUSoftwareMicrosoftWindowsCurrentVersionRunHost Process # FILEPATH %TEMP%server.exe # FILEPATH %APPDATA%MicrosoftWindowsStart MenuProgramsStartup[random].exe # FILEPATH %APPDATA%RoamingWindows Host Processwinhostservice.exe # EMAIL njrat-builder@protonmail.com
类型备注
sha256 c706f26e9415008e1a59ae096932524bf0235a8fd003d476c2fb6a1684fa3070
md5 54a357601a27f1d140a46df93f8ff3cf
ip 185.176.27.250 C2:1177
ip 146.70.124.85 C2:5552
ip 62.197.162.218 C2:4444
ip 92.204.160.114 C2:1177
ip 5.252.22.90 NjRAT aktif C2
ip 91.215.85.53 NjRAT C2 Rusya
ip 185.252.148.78 C2:9090
ip 91.121.146.89 C2:9999
domain njrat-c2-2025.ddns.net NjRAT dynamic DNS C2
domain bloopblast.no-ip.biz NjRAT No-IP free DNS C2
domain njstudio.myftp.biz NjRAT FTP-style DNS C2
domain njrat-builder-online.ru NjRAT builder satis sitesi
mutex 5XmUuN0Gzh_mutex NjRAT Lime Edition 2025 mutex
mutex njrat_unique_2kxpw3 NjRAT standart mutex - VB string literal
mutex e NjRAT default mutex
mutex Hacked NjRAT Hacked mutex
registry HKCUSoftwareMicrosoftWindowsCurrentVersionRun j NjRAT autorun key
registry HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun j NjRAT system autorun
registry HKCUSoftwareMicrosoftWindowsCurrentVersionRunHost Process NjRAT persistence - host process taklidi
filepath %TEMP%server.exe NjRAT common drop path
filepath %APPDATA%MicrosoftWindowsStart MenuProgramsStartup[random].exe NjRAT startup persistence
filepath %APPDATA%RoamingWindows Host Processwinhostservice.exe NjRAT sahte Windows process
email njrat-builder@protonmail.com NjRAT builder e-posta

C2服务器 (该家族共有 8 台已记录服务器)

地址 类型 端口 协议 状态 国家
microsoft.com domain — TCP active —
microsoft.com domain — TCP active —
microsoft.com domain — TCP active —
comodoca.com domain — TCP active —
microsoft.com domain — TCP active —
microsoft.com domain — TCP active —
comodoca.com domain — TCP active —
microsoft.com domain — TCP active —

C2 地址仅来自 KEYDAL 团队人工验证的恶意软件样本。禁止用于商业用途。

标签
njratratmalwarehighsha256analizzenginleştirilmiş