njrat | 4e0ddcd303f27c01dcc8a35a9bd821c53fb7dcca474ac7f0c84d3c6451e9f778 | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

3

14052163e5...71.exe

windows7-x64

7

14052163e5...71.exe

windows10-2004-x64

Resubmissions

07/07/2023, 09:59

230707-lz275sgc54 10

Sharing

General

Target

14052163e50c197697c64b1431b42271.exe
Size

17.6MB
Sample

230707-lz275sgc54
MD5

14052163e50c197697c64b1431b42271
SHA1

df301332faa73c3d5f915fde61df2fc9de21a61a
SHA256

4e0ddcd303f27c01dcc8a35a9bd821c53fb7dcca474ac7f0c84d3c6451e9f778
SHA512

124f6fb9812fe56fc9428a53206e67ada7a5221bbac08204c52fc9df970a492f133ac3911b1cfd2a76c58b8921580f58b2f8d32db7395442549bdfefafc3bfab
SSDEEP

393216:LOh37DR+wwmOoDxRz016TCORfagi8boLH6fQmQa9T1AE0Grq:g/FRxRzlRfPeLajLlg

Score

10^/10

njrat wshrat fr evasion trojan

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

14052163e50c197697c64b1431b42271.exe

Resource

win7-20230703-en

windows7-x64

4 signatures

150 seconds

Behavioral task

behavioral2

Sample

14052163e50c197697c64b1431b42271.exe

Resource

win10v2004-20230703-en

njrat wshrat fr evasion trojan

windows10-2004-x64

13 signatures

150 seconds

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://files.catbox.moe/fvl5hy.jpg

Extracted

Family

njrat

Version

0.7d

Botnet

fr

C2

francia.ydns.eu:5553

Mutex

8721754955d2136ee214cac4b72b7338

Attributes

reg_key
8721754955d2136ee214cac4b72b7338
splitter
|'|'|

Extracted

Family

wshrat

C2

http://francia.ydns.eu:8000

Targets

- Target
  
  14052163e50c197697c64b1431b42271.exe
- Size
  
  17.6MB
- MD5
  
  14052163e50c197697c64b1431b42271
- SHA1
  
  df301332faa73c3d5f915fde61df2fc9de21a61a
- SHA256
  
  4e0ddcd303f27c01dcc8a35a9bd821c53fb7dcca474ac7f0c84d3c6451e9f778
- SHA512
  
  124f6fb9812fe56fc9428a53206e67ada7a5221bbac08204c52fc9df970a492f133ac3911b1cfd2a76c58b8921580f58b2f8d32db7395442549bdfefafc3bfab
- SSDEEP
  
  393216:LOh37DR+wwmOoDxRz016TCORfagi8boLH6fQmQa9T1AE0Grq:g/FRxRzlRfPeLajLlg
Score

10^/10

njrat wshrat fr evasion trojan
- WSHRAT
  WSHRAT is a variant of Houdini worm and has vbs and js variants.
  trojan wshrat
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

njratwshratfrevasiontrojan

© 2018-2025

Terms | Privacy