{
	"id": "9b3c0442-e9c1-4f9b-8a17-edd91ff35889",
	"created_at": "2026-04-06T00:19:39.410257Z",
	"updated_at": "2026-04-10T03:21:35.353319Z",
	"deleted_at": null,
	"sha1_hash": "d1edb2ace176011add7b095752c0f3d61a16bfbb",
	"title": "njRAT runs MassLogger",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 486824,
	"plain_text": "njRAT runs MassLogger\r\nBy Erik Hjelmvik\r\nPublished: 2026-02-02 · Archived: 2026-04-05 23:35:28 UTC\r\n, \r\nMonday, 02 February 2026 19:39:00 (UTC/GMT)\r\nnjRAT is a remote access trojan that has been around for more than 10 years and still remains one of the most\r\npopular RATs among criminal threat actors. This blog post demonstrates how NetworkMiner Professional can be\r\nused to decode the njRAT C2 traffic to extract artifacts like screenshots, commands and transferred files.\r\nA PCAP file with njRAT traffic was published on malware-traffic-analysis.net last week. After loading this PCAP\r\nfile, NetworkMiner Professional reveals that the attacker downloaded full resolution screenshots of the victim’s\r\nscreen.\r\nhttps://www.netresec.com/?page=Blog\u0026month=2026-02\u0026post=njRAT-runs-MassLogger\r\nPage 1 of 7\n\nImage: Overview of screenshots sent to C2 server\r\nhttps://www.netresec.com/?page=Blog\u0026month=2026-02\u0026post=njRAT-runs-MassLogger\r\nPage 2 of 7\n\nImage: Screenshot extracted from njRAT traffic by NetworkMiner\r\nThe file “New Purchase Order and Specifications.exe” in this screenshot is the njRAT binary that was used to\r\ninfect the PC.\r\nA list of njRAT commands sent from the C2 server to the victim can be viewed on NetworkMiner’s Parameters tab\r\nby filtering for ”njRAT server command”.\r\nhttps://www.netresec.com/?page=Blog\u0026month=2026-02\u0026post=njRAT-runs-MassLogger\r\nPage 3 of 7\n\nThe following njRAT commands are present here:\r\nCAP = take screenshot\r\ninv = invoke (run) a plugin (dll)\r\nrn = run a tool (executable)\r\nAdditional njRAT commands can be found in our writeup for the Decoding njRAT traffic with NetworkMiner\r\nvideo, which we published last year.\r\nnjRAT File Transfers\r\nThe “inv” and “rn” commands both transfer and execute additional code on the victim machine. 
The “inv” command typically transfers a DLL file that is used as a plugin, while the “rn” command sends an executable file. These DLL and EXE files are transferred in gzip compressed format, which is why NetworkMiner extracts them as .gz files.\r\nImage: Gzip compressed files extracted from njRAT traffic\r\nThis one-liner lists the internal/original file names and corresponding MD5 hashes of the gzip compressed executables sent to the victim PC (the trailing “-” in the md5sum output is its placeholder for stdin):\r\nfor f in njRAT-rn*.gz; do echo \"$f\"; gunzip -c \"$f\" | exiftool - | grep Original; gunzip -c \"$f\" | md5sum; done\r\nnjRAT-rn-260129030403.gz\r\nOriginal File Name : Stub.exe\r\nca819e936f6b913e2b80e9e4766b8e79 -\r\nnjRAT-rn-260129030433.gz\r\nOriginal File Name : Stub.exe\r\ne422a4ce321be1ed989008d74ddb6351 -\r\nnjRAT-rn-260129030451.gz\r\nOriginal File Name : CloudServices.exe\r\nfcbb7c0c68afa04139caa55efe580ff5 -\r\nnjRAT-rn-260129031041.gz\r\nOriginal File Name : Stub.exe\r\n0ae3798c16075a9042c5dbb18bd10a5c -\r\nNote that the original file name is read from the executable’s version resource, which the attacker controls, so treat it as a label rather than an identifier; the MD5 of the decompressed file is what to pivot on. The MD5 hashes of the files inside the gzip compressed streams can also be seen on the Parameters tab in NetworkMiner.\r\nMassLogger\r\nThe “CloudServices.exe” executable is a known credential stealer called MassLogger. This particular MassLogger sample is hard-coded to exfiltrate data in an email to kingsnakeresult@mcnzxz[.]com. The email is sent through the SMTP server cphost14.qhoster[.]net. 
See the execution of this sample on Triage for additional details regarding the MassLogger payload in CloudServices.exe.\r\nIOC List\r\nnjRAT (splitter = \"|Ghost|\")\r\n58f1a46dba84d31257f1e0f8c92c59ec = njRAT sample\r\n104.248.130.195:7492 = njRAT C2 server\r\nburhanalassad.duckdns[.]org:7492 = njRAT C2 server\r\n801a5d1e272399ca14ff7d6da60315ef = sc2.dll\r\nca819e936f6b913e2b80e9e4766b8e79 = Stub.exe\r\ne422a4ce321be1ed989008d74ddb6351 = Stub.exe\r\nfcbb7c0c68afa04139caa55efe580ff5 = CloudServices.exe\r\n0ae3798c16075a9042c5dbb18bd10a5c = Stub.exe\r\nMassLogger\r\nfcbb7c0c68afa04139caa55efe580ff5 = CloudServices.exe (MassLogger sample)\r\nkingsnakeresult@mcnzxz[.]com = exfiltration recipient address\r\ncphost14.qhoster[.]net:587 = SMTP server used for exfiltration\r\n78.110.166.82:587 = SMTP server used for exfiltration\r\nPosted by Erik Hjelmvik on Monday, 02 February 2026 19:39:00 (UTC/GMT)\r\nTags: #njRAT #NetworkMiner Professional #malware-traffic-analysis.net\r\nShort URL: https://netresec.com/?b=262adb9\r\nSource: https://www.netresec.com/?page=Blog\u0026month=2026-02\u0026post=njRAT-runs-MassLogger",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.netresec.com/?page=Blog\u0026month=2026-02\u0026post=njRAT-runs-MassLogger"
	],
	"report_names": [
		"?page=Blog\u0026month=2026-02\u0026post=njRAT-runs-MassLogger"
	],
	"threat_actors": [],
	"ts_created_at": 1775434779,
	"ts_updated_at": 1775791295,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d1edb2ace176011add7b095752c0f3d61a16bfbb.pdf",
		"text": "https://archive.orkl.eu/d1edb2ace176011add7b095752c0f3d61a16bfbb.txt",
		"img": "https://archive.orkl.eu/d1edb2ace176011add7b095752c0f3d61a16bfbb.jpg"
	}
}