njrat | 67d53f087b54148e866b6bfc1108e51e46ab82fc1ecaa82212c666ce26c2472d | Triage

Sharing

General

Target

67d53f087b54148e866b6bfc1108e51e46ab82fc1ecaa82212c666ce26c2472d
Size

93KB
Sample

240706-2p1vbsxflc
MD5

54818a1a77471d6b2edd5ca5708247e3
SHA1

c2db96c79e4e117caa6e7db3dfc767f2f9c9e90f
SHA256

67d53f087b54148e866b6bfc1108e51e46ab82fc1ecaa82212c666ce26c2472d
SHA512

75bb0460c96e5f2983e9344864b06696054f8f0fdde5d3f4d2758bea6004c3c8e151c8d013a3a6ec5220d205f9f75b3dace903b18157953445e18cf256faae9b
SSDEEP

768:FY3XKBD9O/pBcxYsbae6GIXb9pDX2b98PL0OXLeuXxrjEtCdnl2pi1Rz4Rk3+sGy:UKzOx6baIa9RPj00ljEwzGi1dD6D8gS

Score

10^/10

njrat hacked evasion persistence privilege_escalation

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

hakim32.ddns.net:2000

127.0.0.1:5552

Mutex

fb116b75140ecc0173c4ba46bdb8d155

Attributes

reg_key
fb116b75140ecc0173c4ba46bdb8d155
splitter
|'|'|

Targets

- Target
  
  67d53f087b54148e866b6bfc1108e51e46ab82fc1ecaa82212c666ce26c2472d
- Size
  
  93KB
- MD5
  
  54818a1a77471d6b2edd5ca5708247e3
- SHA1
  
  c2db96c79e4e117caa6e7db3dfc767f2f9c9e90f
- SHA256
  
  67d53f087b54148e866b6bfc1108e51e46ab82fc1ecaa82212c666ce26c2472d
- SHA512
  
  75bb0460c96e5f2983e9344864b06696054f8f0fdde5d3f4d2758bea6004c3c8e151c8d013a3a6ec5220d205f9f75b3dace903b18157953445e18cf256faae9b
- SSDEEP
  
  768:FY3XKBD9O/pBcxYsbae6GIXb9pDX2b98PL0OXLeuXxrjEtCdnl2pi1Rz4Rk3+sGy:UKzOx6baIa9RPj00ljEwzGi1dD6D8gS
Score

8^/10

evasion persistence privilege_escalation
- Disables Task Manager via registry modification
  evasion
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Scheduled Task/Job

Scheduled Task

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Replication Through Removable Media

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

evasionpersistenceprivilege_escalation

behavioral2

evasionpersistenceprivilege_escalation