{
	"id": "8e7a04ef-f30d-4d5c-a9e9-cc81d591869e",
	"created_at": "2026-04-06T00:20:10.253477Z",
	"updated_at": "2026-04-10T13:12:48.002092Z",
	"deleted_at": null,
	"sha1_hash": "8c264c6278b7eb0f8754db671d114e050f46919b",
	"title": "Malware Analysis — njRAT",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 7521202,
	"plain_text": "Malware Analysis — njRAT\r\nBy 0xMrMagnezi\r\nPublished: 2024-03-19 · Archived: 2026-04-05 15:12:24 UTC\r\nnjRAT is a remote access Trojan (RAT) that gives an attacker unauthorized access to a victim’s computer. It is capable of keylogging, taking screenshots, and controlling the victim’s webcam and microphone, and it can download and execute additional malicious payloads.\r\nhttps://medium.com/@b.magnezi/malware-analysis-njrat-5633847bd6f1\r\nPage 1 of 9\r\nFigure 1: Malware Bazaar entry\r\nAfter downloading and extracting the zip file, I used oletools because I knew I was going to deal with an Office file, specifically a PowerPoint file (a .ppam add-in, as the sample name in the IOC list shows).\r\nFigure 2: First analysis using oleid\r\nAfter noticing that the file contains macros, olevba was used to gain more insight into what those macros do.\r\nFigure 3: Observing the macros\r\nThe macro contains a suspicious URL pointing to Pastebin. It is also noteworthy that the macro is registered under the ‘AutoOpen’ entry point, which runs it automatically when the presentation is opened, so no further user interaction is needed once the file is opened with macros enabled.\r\nI decided to use curl to download the content from this URL and delve deeper into the analysis. This initial URL redirected to a second URL, which contained another payload.\r\nFigure 4: Downloading stages 2 & 3\r\nThe stage 3 output was a lightly obfuscated VBS script with recognizable keywords such as ‘Replace’, ‘Base64’, ‘WScript’ and ‘PowerShell’, as marked in Figure 5.\r\nFigure 5: Obfuscated stage 3 VBS code\r\nFigure 6: After deobfuscation of the variable\r\nThis variable contained a Base64-encoded string that needed to be decoded and reversed. I decided to use CyberChef, as shown in Figures 7 and 8.\r\nFigures 7 & 8: Decoding from Base64 and extracting two URLs\r\nThose two URLs served two different obfuscated strings, shown in Figure 9. The obfuscation is built around the character sequence ‘↓:↓↓’.\r\nFigure 9: Obfuscated string\r\nIn the decoded output from CyberChef (Figure 8), the presence of the Replace function suggested that it was the routine that decodes the strings I had just extracted.\r\nFigure 10: The Replace function\r\nI applied the same replacement to make sense of these long strings. My initial suspicion was that the two strings were intended to reconstruct new executable files.\r\nFigure 11: Using CyberChef to decode the first file\r\nFigure 12: Using CyberChef to decode the second file\r\nMy suspicion was correct: the first file is a DLL and the second one is an executable, both written in .NET.\r\nFigure 13: DiE on both files\r\nThis is the final stage of the chain, as it carries the actual njRAT payload.\r\nWithin the debugger, many functions related to a keylogger and to the transmission of data over a socket were observed.\r\nFigure 14: Functions of the malware\r\nMany of these functions, and more, can also be seen with PEstudio.\r\nFigure 15: Using PEstudio on the executable\r\nFigure 16: Using PEstudio on the DLL\r\nAt this point, I decided to run the malware to extract network-related IOCs.\r\nFigures 17 & 18: Network communication\r\nIOCs:\r\ncefa4ebf82b3d077a68ce1933be3dc6e9cadce8bc27671a5fcd76ee2f4d04977.ppam — 6175e14e465756c626ccc0f398fcdcb0\r\nstage3.vbs — edf8f50f318c20bccb889743172d9fd2\r\nout1.dll — 4b7d118b20d8854372129f53365d529f\r\nout2.exe — d189af41737b287469ca5f5589dcbdf1\r\nhxxps://pt[.]textbin[.]net/download/itm1dkgz7c\r\nhxxps://paste[.]ee/d/ESa4q/0\r\nhxxps://pt[.]textbin[.]net/download/tmo7gc3cgs\r\nhxxps://pt[.]textbin[.]net/download/igvxdijw4q\r\nhxxps://paste[.]ee/d/jtSmT/0\r\nhxxps://paste[.]ee/d/ea2Mw/0\r\nhxxps://pt[.]textbin[.]net/download/insdj4bhn2\r\nIn conclusion, the analysis of this njRAT sample revealed a multi-stage delivery chain: a macro-enabled PowerPoint add-in, VBS stages hosted on paste sites, Base64 and string-replacement obfuscation, and finally a .NET executable and DLL built for remote access and data theft. Its initial infection vector through a malicious PowerPoint file underscores the need for caution with email attachments and files from unknown sources; because the chain starts from an AutoOpen macro, it cannot run where macros in Office files from untrusted sources are blocked.\r\nThe malware’s keylogger and socket communication capabilities indicate its potential for capturing sensitive information and enabling remote control of infected systems. Its use of obfuscation and encoding techniques, and of public paste sites for hosting every intermediate stage, shows how much of modern malware delivery is built from simple, disposable pieces; the paste-site URLs above should be treated as short-lived indicators.\r\nThis analysis underscores the ongoing threat of remote access Trojans and the importance of proactive security measures, including software updates, endpoint protection, and user education, to mitigate such risks.\r\nSource: https://medium.com/@b.magnezi/malware-analysis-njrat-5633847bd6f1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://medium.com/@b.magnezi/malware-analysis-njrat-5633847bd6f1"
	],
	"report_names": [
		"malware-analysis-njrat-5633847bd6f1"
	],
	"threat_actors": [],
	"ts_created_at": 1775434810,
	"ts_updated_at": 1775826768,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8c264c6278b7eb0f8754db671d114e050f46919b.pdf",
		"text": "https://archive.orkl.eu/8c264c6278b7eb0f8754db671d114e050f46919b.txt",
		"img": "https://archive.orkl.eu/8c264c6278b7eb0f8754db671d114e050f46919b.jpg"
	}
}
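The deobfuscation the article above walks through by hand in CyberChef (undoing the reverse-plus-Base64 encoding of the stage 3 variable, pulling the two URLs out of it, applying the Replace over the ‘↓:↓↓’ marker to recover the two files, and then identifying them as a .NET DLL and EXE as DiE and PEstudio do in Figures 13 to 16) can be scripted so it is repeatable across samples. The Python below is an added example written for this page; it is not the author's code and not part of the original post. Every input is a constructed stand-in: the plaintext, the `paste.example.invalid` URLs and the header-only PE images are built inside the script, and none of the real paste-site URLs or hashes from the IOC list are used. It assumes that the marker separates the hexadecimal byte pairs of the file, so that `Replace(marker, "")` yields plain hex (if the real script replaces the marker with something else, change `decode_marker_hex` accordingly), and, because the article does not say whether the variable is reversed before or after Base64 decoding, it tries both orders. It goes a little beyond the article by also handling PE32+ headers and by reading the CLR data directory to decide whether a recovered file is .NET.

```python
"""Scripted decoders for the njRAT delivery chain described above.

All inputs here are CONSTRUCTED for this example; they are not the real
stage 3 VBS, the real paste-site URLs, or the real out1.dll / out2.exe.
"""
import base64
import binascii
import re
import struct

URL_RE = re.compile(r"https?://[^\s\"'<>()]+")
MARKER = "\u2193:\u2193\u2193"          # the '↓:↓↓' sequence from Figure 9
IMAGE_FILE_DLL = 0x2000
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
CLR_DIR_INDEX = 14                   # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR


def _try_b64(s):
    try:
        return base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return None


def decode_stage3_variable(blob: str) -> str:
    """Recover the plaintext of the reversed/Base64 variable (Figures 6 to 8).

    The article does not state the order of the two operations, so try
    reverse-then-decode first, then decode-then-reverse, and keep the first
    result that is printable text.
    """
    candidates = []
    raw = _try_b64(blob[::-1])
    if raw is not None:
        candidates.append(raw)
    raw = _try_b64(blob)
    if raw is not None:
        candidates.append(raw[::-1])
    for raw in candidates:
        text = raw.decode("latin-1")
        if text.isprintable():
            return text
    raise ValueError("neither decode order produced printable text")


def extract_urls(text: str) -> list:
    """Pull the next-stage URLs out of a decoded script (Figure 8)."""
    return URL_RE.findall(text)


def decode_marker_hex(blob: str, marker: str = MARKER) -> bytes:
    """ASSUMPTION: the marker separates hex byte pairs; Replace(marker, '') gives hex."""
    return bytes.fromhex(blob.replace(marker, ""))


def classify_pe(data: bytes) -> dict:
    """Tell DLL from EXE and .NET from native using only the PE headers."""
    info = {"pe": False, "dll": False, "dotnet": False, "bits": None}
    if len(data) < 0x40 or data[:2] != b"MZ":
        return info
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0" or len(data) < e_lfanew + 26:
        return info
    coff = e_lfanew + 4
    _m, _n, _t, _p, _s, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    info["pe"] = True
    info["dll"] = bool(chars & IMAGE_FILE_DLL)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        info["bits"], ndirs_off, dd_off = 32, opt + 92, opt + 96
    elif magic == PE32PLUS_MAGIC:
        info["bits"], ndirs_off, dd_off = 64, opt + 108, opt + 112
    else:
        return info
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]
    clr_off = dd_off + CLR_DIR_INDEX * 8
    if ndirs > CLR_DIR_INDEX and clr_off + 8 <= min(len(data), opt + opt_size):
        clr_rva, _clr_size = struct.unpack_from("<II", data, clr_off)
        info["dotnet"] = clr_rva != 0      # managed images have a CLR header
    return info


# --- constructed sample inputs (stand-ins, not the real njRAT artefacts) ---
def build_fake_pe(is_dll: bool, dotnet: bool) -> bytes:
    """CONSTRUCTED header-only PE32 image, just enough for classify_pe()."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew
    chars = 0x0102 | (IMAGE_FILE_DLL if is_dll else 0)  # EXECUTABLE | 32BIT
    opt = bytearray(96 + 16 * 8)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 92, 16)              # NumberOfRvaAndSizes
    if dotnet:
        struct.pack_into("<II", opt, 96 + CLR_DIR_INDEX * 8, 0x2008, 0x48)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, len(opt), chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def obfuscate_with_marker(data: bytes, marker: str = MARKER) -> str:
    """CONSTRUCTED inverse of decode_marker_hex, used only to build samples."""
    return marker.join(f"{b:02X}" for b in data)


SAMPLE_STAGE3_PLAIN = (
    'Set sh = CreateObject("WScript.Shell"): '
    'u1 = "https://paste.example.invalid/raw/stage4a": '
    'u2 = "https://paste.example.invalid/raw/stage4b"'
)
SAMPLE_STAGE3_VAR = base64.b64encode(SAMPLE_STAGE3_PLAIN.encode()).decode()[::-1]
SAMPLE_DLL_BLOB = obfuscate_with_marker(build_fake_pe(is_dll=True, dotnet=True))
SAMPLE_EXE_BLOB = obfuscate_with_marker(build_fake_pe(is_dll=False, dotnet=True))


def run_chain() -> dict:
    """Walk the constructed chain end to end and return what an analyst needs."""
    stage3 = decode_stage3_variable(SAMPLE_STAGE3_VAR)
    payloads = [decode_marker_hex(SAMPLE_DLL_BLOB), decode_marker_hex(SAMPLE_EXE_BLOB)]
    return {"urls": extract_urls(stage3), "payloads": [classify_pe(p) for p in payloads]}


if __name__ == "__main__":
    print(run_chain())
```

`classify_pe` never executes anything and stops at the headers, so it is safe to run on the recovered bytes before any dynamic step; it reports a file as .NET when the CLR data directory has a non-zero RVA, which is the same signal DiE and PEstudio rely on. Real samples should be hashed and compared against the IOC list before and after decoding, since the paste-site contents can change between fetches.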