njrat | 7197c0f6310135ffe9e34af0c013bce6443d705659ab35310b052f2f5ea43e0d | Triage

Sharing

General

Target

Server.exe
Size

93KB
Sample

240613-bpbx4aselp
MD5

d4e69f46ac4bd8fb65d2fb60852708a4
SHA1

92b82d575a7ec29727477f449b04c4a6e29e52a4
SHA256

7197c0f6310135ffe9e34af0c013bce6443d705659ab35310b052f2f5ea43e0d
SHA512

d90d5a09024a44a3e647081e5a1642c78b14061f41590f07e69b625a406397bac471091314f07d51c81d13c97625abdf787d0b6405125b9c38dc356ad6b0271f
SSDEEP

1536:v5rnEoSnsqS5ut/YMR8SjEwzGi1dDqDEgS:v53SnsqS5uVYM+7i1d09

Score

10^/10

njrat hacked evasion

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

hakim32.ddns.net:2000

85.234.6.210:1337

Mutex

b4b0e85f0431d892cccef3603f549d76

Attributes

reg_key
b4b0e85f0431d892cccef3603f549d76
splitter
|'|'|

Targets

- Target
  
  Server.exe
- Size
  
  93KB
- MD5
  
  d4e69f46ac4bd8fb65d2fb60852708a4
- SHA1
  
  92b82d575a7ec29727477f449b04c4a6e29e52a4
- SHA256
  
  7197c0f6310135ffe9e34af0c013bce6443d705659ab35310b052f2f5ea43e0d
- SHA512
  
  d90d5a09024a44a3e647081e5a1642c78b14061f41590f07e69b625a406397bac471091314f07d51c81d13c97625abdf787d0b6405125b9c38dc356ad6b0271f
- SSDEEP
  
  1536:v5rnEoSnsqS5ut/YMR8SjEwzGi1dDqDEgS:v53SnsqS5uVYM+7i1d09
Score

8^/10

evasion
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

Windows Service

Privilege Escalation

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2