njrat | 42708afda854ba9b4cfd7e74a4545ac54e7ef780b1f1eb52e183a8a343d3bc31 | Triage

Sharing

General

Target

test.exe
Size

93KB
Sample

240515-yrat5shc6y
MD5

f54e0d56b07dc0717370c6fd9a2876a8
SHA1

f1ca27d34d9eda21b94b7a716f8b396e5c3babec
SHA256

42708afda854ba9b4cfd7e74a4545ac54e7ef780b1f1eb52e183a8a343d3bc31
SHA512

3cf3f7d661a4cc973ab5b052e1184408e687ad11000b735f2e575bf7b7f6bea0f46d8332befa99071b21d0da7dce4f54c76a0849747a327268f02a503cf646b9
SSDEEP

1536:YxPdrvzeKQVfi5Q3K1QjEwzGi1dDvDEgS:YxlzeKQV53K1Bi1dP9

Score

10^/10

njrat hacked evasion

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

Hacked

C2

hakim32.ddns.net:2000

tool-seven.gl.at.ply.gg:52445

Mutex

2f6b1aa2fadca937ee48ee219c054948

Attributes

reg_key
2f6b1aa2fadca937ee48ee219c054948
splitter
|'|'|

Targets

- Target
  
  test.exe
- Size
  
  93KB
- MD5
  
  f54e0d56b07dc0717370c6fd9a2876a8
- SHA1
  
  f1ca27d34d9eda21b94b7a716f8b396e5c3babec
- SHA256
  
  42708afda854ba9b4cfd7e74a4545ac54e7ef780b1f1eb52e183a8a343d3bc31
- SHA512
  
  3cf3f7d661a4cc973ab5b052e1184408e687ad11000b735f2e575bf7b7f6bea0f46d8332befa99071b21d0da7dce4f54c76a0849747a327268f02a503cf646b9
- SSDEEP
  
  1536:YxPdrvzeKQVfi5Q3K1QjEwzGi1dDvDEgS:YxlzeKQV53K1Bi1dP9
Score

8^/10

evasion
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

Windows Service

Privilege Escalation

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2