njrat | 1e7708aaa98da8303b9826e82ed2d0777a5684ecda49071eb91c9d0db4e02172 | Triage

Sharing

General

Target

ServeFDr.exe
Size

93KB
Sample

231205-v1hdssdg39
MD5

9af8fc91af5e99e4373cbb5713dd40ec
SHA1

3ec0d34c5769ec819cb02a2d0bc8f7fde20505c9
SHA256

1e7708aaa98da8303b9826e82ed2d0777a5684ecda49071eb91c9d0db4e02172
SHA512

fb7bb746f660e024ed78c66ab9f5685e1d28b851dbf5227ddd09e686f13b8f3537c7678b8794e02362a99e83e462e8f9d9c7934aa3c83ef5db0c83c7fa1817ab
SSDEEP

1536:p+jJD/HBZbszKu9AZpy7r1jEwzGi1dDnDagS:p+CzK4AZwHCi1dXf

Score

10^/10

njrat hacked evasion

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

hakim32.ddns.net:2000

43.249.38.36:5552

Mutex

e50c2e388f4a4092e8a1f2b2c9786ee0

Attributes

reg_key
e50c2e388f4a4092e8a1f2b2c9786ee0
splitter
|'|'|

Targets

- Target
  
  ServeFDr.exe
- Size
  
  93KB
- MD5
  
  9af8fc91af5e99e4373cbb5713dd40ec
- SHA1
  
  3ec0d34c5769ec819cb02a2d0bc8f7fde20505c9
- SHA256
  
  1e7708aaa98da8303b9826e82ed2d0777a5684ecda49071eb91c9d0db4e02172
- SHA512
  
  fb7bb746f660e024ed78c66ab9f5685e1d28b851dbf5227ddd09e686f13b8f3537c7678b8794e02362a99e83e462e8f9d9c7934aa3c83ef5db0c83c7fa1817ab
- SSDEEP
  
  1536:p+jJD/HBZbszKu9AZpy7r1jEwzGi1dDnDagS:p+CzK4AZwHCi1dXf
Score

8^/10

evasion
- Disables Task Manager via registry modification
  evasion
- Modifies Windows Firewall
  evasion
- Drops startup file
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Replication Through Removable Media

Execution

Persistence

Create or Modify System Process

Windows Service

Privilege Escalation

Create or Modify System Process

Windows Service

Defense Evasion

Credential Access

Discovery

Lateral Movement

Replication Through Removable Media

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

behavioral2