njrat | 4820fae49a303511dee13068f2784fc9e8486184052123160b2b29411e3f5212 | Triage

Resubmissions

15/10/2023, 10:10

231015-l7htgadg7t 10

15/10/2023, 10:08

231015-l6mq2adg61 10

Sharing

Copy URL Twitter E-mail

General

Target

NjRat Lime Edition 0.8.0.rar
Size

10.9MB
Sample

231015-l6mq2adg61
MD5

308a6eb2e67f193b0ef58a148c6da769
SHA1

25d3ee3f8fddf259d15ed2bbaad5ee9955840fde
SHA256

4820fae49a303511dee13068f2784fc9e8486184052123160b2b29411e3f5212
SHA512

4d86979d8b19e4443ebbed970090486a319282b20cc486377315f480269db3787ebf20dfe97475645172370e65656255c415e2cd600a197f13a4ccb08bf6ead7
SSDEEP

196608:cWOeevvnYWPh8rC4c23E0Lru1pc1ZHGQs5stpzJwCocmlVvTlJYtF1e59D:cdfn5PsC4c+EOruLc1NM5Gdknv7u8

Score

10^/10

njrat zgrat njrat evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

njRAT

C2

0.tcp.eu.ngrok.io:12449

Mutex

79260d4c9893ac5a8295ab997683856f

Attributes

reg_key
79260d4c9893ac5a8295ab997683856f
splitter
|'|'|

Extracted

Family

njrat

Version

0.7.3

Botnet

njRAT

C2

0.tcp.eu.ngrok.io:12449

Mutex

dllhost.exe

Attributes

reg_key
dllhost.exe
splitter
1234

Targets

- Target
  
  NjRat Lime Edition 0.8.0/NjRat Lime Edition 0.8.0.exe
- Size
  
  357KB
- MD5
  
  124f402976fed53760b9a49eb5bcd8de
- SHA1
  
  d6f752e2bd87675c77c46784e23c531d3aecc54a
- SHA256
  
  058a5e19eb5edda3029d3bdca057b8bb9476520280eb19b912eb67eff7a5e5be
- SHA512
  
  3a1615e487e793a98827207664dbb2296fe10837d2da12eca3329f0bcc38d7f284204614b45ba7ae0f1536be8b26e2e68565869d382b462e685c818740640a22
- SSDEEP
  
  6144:SgZiAEAO0sByNsAal3gVAWgS7/Ohwjj1kS8RRQzY:SgZXEAO/BUdG3gVdt7Ke1kS8LD
Score

10^/10

njrat njrat evasion persistence trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
behavioral1 behavioral2 behavioral3

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

behavioral3

njratnjratevasionpersistencetrojan