Trojan:Win64/NjRat.NEBG!MTB

Trojan:Win64/NjRat.NEBG!MTB employs multi-layered techniques for infection, persistence, and evasion. Initial compromise often occurs through weaponized email attachments or compromised pirated commercial software, with recent variants using DLL sideloading via legitimate binaries like explorer.exe. Once launched, the trojan copies itself to %AppData%\Roaming\[RandomFolder]\[RandomName].exe and establishes persistence through Windows registry Run keys (HKCU\Software\Microsoft\Windows\CurrentVersion\Run) and scheduled tasks triggering every 15 minutes.  

To evade detection, it terminates antivirus software using taskkill, disables Windows Defender via registry modification (DisableAntiSpyware = 1), and bypasses User Account Control (UAC) by exploiting eventvwr.exe and mmc.exe registry paths. Command and control (C2) communication occurs over TCP ports 5555, 9001, or 9898, often routed through dynamic DNS providers like duckdns[.]org or tunneling services like ngrok[.]io. Data exfiltration employs XOR or RC4 encryption, while keylogged content is stored in registry keys labeled [kl] or temporary files like %Temp%\~KL.tmp. A destructive variant overwrites the Master Boot Record (MBR) rendering infected Windows devices unbootable. It also spreads via USB devices by copying itself to removable drives and creating infectious shortcuts. 

Process anomalies include duplicate svchost.exe instances running under user accounts or unrecognized executables in %AppData%\Roaming\Microsoft\. System artifacts include unauthorized registry edits, new scheduled tasks named "WindowsUpdater," and modifications to the Windows hosts file located in C:\Windows\System32\drivers\etc\hosts. Advanced symptoms encompass webcam or microphone activation without consent, and browser credential theft. 

Trojan:Win64/NjRat.NEBG!MTB drops the following files: 

• %Temp%\sc.dll (screenshots) 
• %Temp%\kl.dll (for keylogging binary) 
• Files that pretend to be .pdf but are actual .exe files when File Explorer is set to hide filename extension. 
• %Public%\Documents\MediaPlayer.exe 
• %Temp%\Log.tmp (stores keystrokes) 
• %Temp%\~DF842C.tmp (additional binary components) 
• %AppData%\svchos.exe (misspelled to pretend as svchost.exe, the legitimate Windows system file)  

It also modifies the below processes: 

• eventvwr.exe  
• mmc.exe  

Modifies the following registry keys: 

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy (Adds rule: "Allow njRAT" preventing inbound/outbound blocks) 
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run (Adds entry: "Windows Media Player" = "%AppData%\svchos.exe") 
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced (Sets "Hidden"=1 and "ShowSuperHidden"=1 to hide files) 

Connects to the following URLs: 

• pastebin[.]com/rw/770qPDMt 
• duckdns[.]org  
• pastebin[.]com/raw/8DEsZn2y 
• ngrok[.]io 
• pastebin[.]com/raw/LKRwaias 
• pastebin[.]com/raw/zHLUaPvW 
• nbw49tk2-25505[.]euw[.]devtunnels[.]ms 
• pastebin[.]com/raw/JMkdgr4h 
• nbw49tk2-27602[.]euw[.]devtunnels[.]ms 
• pastebin[.]com/raw/VbSn9AnN 

Hosts NjRat communicates to: 

• 61[.]240.145[.]3 
• 61[.]240.145[.]4 
• 61[.]240.145[.]5 

Using the following ports: 

• 1050 
• 1122 
• 1177 
• 1188 
• 1190 
• 1199 
• 12345 
• 1627 
• 3311 
• 33369 
• 3460 
• 42091 
• 5552 
• 5555 
• 5568 
• 8484 
• 8844 
• 8899 
• 9001 
• 9898 
• 991