
njRAT is a remote access trojan. It is one of the most widely accessible RATs on the market, and an abundance of educational material about it exists; interested attackers can even find tutorials on YouTube. This has made it one of the most popular RATs in the world.

Type: Trojan
Origin: Middle East
First seen: 1 January, 2013
Last seen: 25 April, 2024
Also known as: Bladabindi, Njw0rm

How to analyze njRAT with ANY.RUN




What is njRAT Malware?

njRAT, also called Bladabindi and Njw0rm, is a remote access trojan used to remotely control infected machines. Its availability, the excess of online tutorials and information, and a robust core feature set combined with several implemented evasion techniques have made njRAT one of the most widely used RATs in the world.

This malware was detected for the first time in 2013; however, some related RATs were observed by researchers in 2012. The highest surge of njRAT trojan attacks was recorded in 2014 in the Middle East, which is the most targeted region for this malware.

General Information about njRAT

njRAT trojan is built on the .NET framework. This RAT gives hackers the ability to control the victim’s PC remotely. njRAT allows attackers to activate the webcam, log keystrokes, and steal passwords from web browsers as well as multiple desktop apps.

In addition, the malware gives hackers access to the command line on the infected machine. It allows them to kill processes as well as remotely execute and manipulate files. On top of that, njRAT is capable of manipulating the system registry. Once installed, the Bladabindi trojan collects several bits of information about the PC it got into, including the name of the computer, operating system number, country of the computer, usernames, and OS version.

Also, this malware is able to target cryptocurrency wallet applications and steal cryptocurrency from PCs. For example, it is known to be able to grab bitcoins and even access credit card information which sometimes can be stored in crypto apps as a means to purchase cryptocurrency.

After infecting a computer, the malware copies itself under a variable name into %TEMP%, %APPDATA%, %USERPROFILE%, %ALLUSERSPROFILE% or %windir%, a behavior not uncommon for this type of malware. It can also copy itself as <any string>.exe to ensure that it is activated every time the victim switches on their computer.

njRAT trojan has a few tricks up its sleeve to avoid detection by antivirus software. For example, it uses multiple .NET obfuscators to obfuscate its code. Another technique the malware uses is disguising itself as a critical process. This prevents the user from shutting it down and also makes njRAT hard to remove from infected PCs. Bladabindi RAT can also deactivate processes that belong to antivirus software, allowing it to stay hidden. njRAT also knows how to detect whether it is running on a virtual machine, which helps the attackers set up countermeasures against researchers.


The authors of Bladabindi leverage Pastebin to avoid investigation by cybersecurity researchers. njRAT downloads additional components and executes second-stage payloads from Pastebin, so the malware has no need to establish a traditional command-and-control (C2) server. Pastebin creates a pathway between njRAT infections and new payloads: with the trojan acting as a downloader, it grabs encoded data dumped on Pastebin, decodes it, and deploys it.

For spreading, njRAT can detect external hard drives connected via USB. Once such a device is detected, the RAT will copy itself onto the connected drive and create a shortcut.

Who created njRAT?

Creators of njRAT are members of an underground hacker community named Sparclyheason. Evidently, they have created a very popular and destructive malware. njRAT was classified as “severe” by Microsoft Malware Protection Center.

In fact, following a large malicious campaign in 2014, Microsoft shut down four million websites in an effort to filter traffic that was going through no-ip.com domains.

njRAT malware analysis

ANY.RUN allows researchers to watch njRAT in action in an interactive sandbox simulation.

Figure 1: The lifecycle of njRAT displayed in visual form as a process graph generated by the ANY.RUN malware hunting service

Figure 2: A customizable text report generated by ANY.RUN allows researchers to take an even deeper look at the malware and helps to share the research results

njRAT execution process

In our simulation, once njRAT got onto the target device and began execution, it instantly started its malicious activity. Usually, the initial file renames itself and creates a child process. Sometimes the njRAT trojan injects its code into legitimate processes such as RegSvcs.exe and RegAsm.exe.

The malware also has the ability to run itself through Task Scheduler. This child process executes the main malicious activity. Such activity includes stealing information, connecting to C2 servers, and changing the autorun value in the registry to run itself when the operating system starts.

Distribution of njRAT

The njRAT trojan uses quite a few attack vectors to infect its victims. For example, the malware is known to target Discord users as part of spam campaigns. In addition, it leverages cracks and keygens for well-known software to trick users into installing malicious packages that infect the machine.

Another known distribution method was through a compromised website that tricked users into downloading a fake Adobe product update which in turn installed njRAT malware to the PC. Bladabindi was also featured in spam email campaigns. In this case, it was delivered to potential victims as a malicious attachment.

In October 2020, malspam used a 'shipment tracking' theme, faking popular courier and postal services. The malicious packages contained Zip attachments with an encoded Visual Basic script (VBE) payload and components.

Moreover, crooks use cloud-based storage platforms more often. Attackers host malicious files there to deliver malicious software, and even use them as part of a command and control (C&C) architecture. That is why it's crucial to know general malware removal instructions and analyze viruses in a safe environment.

How to detect njRAT using ANY.RUN?

To determine whether the sample under review is njRAT or not, you can take a look at the changes it made in the registry. To do so, open the "Advanced details of process" of the malicious process and look at the "Registry changes" tab in the "Events" section. If a process has created a key with the name [kl] under the path HKEY_CURRENT_USER\Software\32_characters_and_digits, you can be sure that the given sample is njRAT.
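The registry check above can be automated over an exported list of registry-change events. The following is an added example, not code from ANY.RUN: it assumes a simplified event shape (dicts with `pid`, `key`, `name`) and uses constructed sample events, flagging only writes of `[kl]` directly under an HKCU\Software key whose name is exactly 32 letters or digits.

```python
import re
from typing import Dict, Iterable, List

# Path described in the write-up: HKEY_CURRENT_USER\Software\<32 letters/digits>.
# Both the long hive name and the HKCU abbreviation are accepted, since export
# tools differ in how they render the hive.
_NJRAT_KEY_RE = re.compile(
    r"^(?:HKEY_CURRENT_USER|HKCU)\\Software\\[A-Za-z0-9]{32}$",
    re.IGNORECASE,
)
# njRAT creates an entry named "[kl]" under that key.
_NJRAT_ENTRY_NAME = "[kl]"


def is_njrat_kl_write(key_path: str, entry_name: str) -> bool:
    """True when a registry write matches the njRAT [kl] indicator."""
    return entry_name == _NJRAT_ENTRY_NAME and bool(_NJRAT_KEY_RE.match(key_path.strip()))


def find_njrat_registry_events(events: Iterable[Dict]) -> List[Dict]:
    """Filter registry-change events down to those matching the njRAT indicator."""
    return [e for e in events if is_njrat_kl_write(e.get("key", ""), e.get("name", ""))]


# Constructed sample events shaped like a simplified "Registry changes" export.
# The 32-character key name below is made up for the example.
SAMPLE_EVENTS = [
    {"pid": 2840, "key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "svchost"},
    {"pid": 2840, "key": r"HKEY_CURRENT_USER\Software\5cd8f17f4b9e6a2c1d3e4f5a6b7c8d9e",
     "name": "[kl]"},                      # hit: [kl] under a 32-char key
    {"pid": 3012, "key": r"HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word",
     "name": "[kl]"},                      # same name, wrong path: not a hit
    {"pid": 2840, "key": r"HKCU\Software\5cd8f17f4b9e6a2c1d3e4f5a6b7c8d9e",
     "name": "sample"},                    # right path, other entry name: not a hit
]

if __name__ == "__main__":
    for hit in find_njrat_registry_events(SAMPLE_EVENTS):
        print(f"pid {hit['pid']}: njRAT [kl] indicator at {hit['key']}")
```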

Figure 3: Changes made by njRAT in the registry

Conclusion

The relative ease of operation, multiple tutorials on how to set up this malware, and very extensive information stealing feature set have made this RAT one of the most popular remote access trojans in the world.

Even though the peak of its activity was recorded in 2014 and targeted mostly the Middle East and India, the njRAT trojan remains extremely popular today. This malware is known to have targeted both private and corporate victims and poses a lot of danger to internet users, especially considering that it can be delivered to potential victims in several ways, and preventing infection is much harder in some cases than in others.

Even though the Bladabindi malware creators have taken several steps to hinder analysis, malware hunting services like ANY.RUN allow professionals to easily study njRAT malware samples or other RATs like Orcus RAT or WSHRAT and share the research results with the world to improve global cybersecurity.
