njrat | 63a426782ec8ec66f046fa20a0da67fd1b12529b530a4b4f42d360183d69e9e3 | Triage

Sharing

General

Target

63a426782ec8ec66f046fa20a0da67fd1b12529b530a4b4f42d360183d69e9e3.exe
Size

33KB
Sample

240714-k9md1avblp
MD5

4353ed6964bca8a997b8b101b2c27c14
SHA1

eeeb0c4cdb143621c6a37caafe42b145a4d30e2c
SHA256

63a426782ec8ec66f046fa20a0da67fd1b12529b530a4b4f42d360183d69e9e3
SHA512

cd8541f5a133c3f7b3e7526ee0fec8a6e4c8438997ec1827aac2bdc5a05e7244341fc87476a78673ab2d58d4e4ca30115f6d74444c32de0746f4aa4b5b00f7c0
SSDEEP

384:koWtkEwn65rgjAsGipk55D16xgXakhbZD0mRvR6JZlbw8hqIusZzZekjamn4Sg3f:T7O89p2rRpcnu82mn4P3UX8cO

Score

10^/10

njrat victm evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

Victm

C2

20.ip.gl.ply.gg:36100

Mutex

5f6eb6924742a5189270b46a6c57febd

Attributes

reg_key
5f6eb6924742a5189270b46a6c57febd
splitter
|'|'|

Targets

- Target
  
  63a426782ec8ec66f046fa20a0da67fd1b12529b530a4b4f42d360183d69e9e3.exe
- Size
  
  33KB
- MD5
  
  4353ed6964bca8a997b8b101b2c27c14
- SHA1
  
  eeeb0c4cdb143621c6a37caafe42b145a4d30e2c
- SHA256
  
  63a426782ec8ec66f046fa20a0da67fd1b12529b530a4b4f42d360183d69e9e3
- SHA512
  
  cd8541f5a133c3f7b3e7526ee0fec8a6e4c8438997ec1827aac2bdc5a05e7244341fc87476a78673ab2d58d4e4ca30115f6d74444c32de0746f4aa4b5b00f7c0
- SSDEEP
  
  384:koWtkEwn65rgjAsGipk55D16xgXakhbZD0mRvR6JZlbw8hqIusZzZekjamn4Sg3f:T7O89p2rRpcnu82mn4P3UX8cO
Score

10^/10

njrat victm evasion persistence privilege_escalation trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njratvictmevasionpersistenceprivilege_escalationtrojan

behavioral2

njratevasionpersistenceprivilege_escalationtrojan