njrat | 103cb14f2460de6ef7c780becc87bac0599bdd0527e176c0ec87aad2397b57e6 | Triage

Sharing

General

Target

0x0031000000005c50-6.dat
Size

31KB
Sample

240827-w3dn3awgln
MD5

b075f9e4015e2f43154b9903d9ec5fb5
SHA1

0717b04115360a6d1d4451c90d0f6b0f781d249f
SHA256

103cb14f2460de6ef7c780becc87bac0599bdd0527e176c0ec87aad2397b57e6
SHA512

4f71a17234a0078733bd61fa80bd3463341dda0c1ac31ac9c496efd528ecd8657cf206160d6b9205e4fab6aa3b10fdd8f1764bc574223c63a38213735fd3939b
SSDEEP

768:CmDVuVP514zxjCzXjX/v/DJvikQmIDUu0ti+irj:ze6SvBjQVkdoj

Score

10^/10

njrat quewexsite discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

quewexsite

C2

88.168.211.65:6522

Mutex

7799a186f618ba54cc458f7422abc774

Attributes

reg_key
7799a186f618ba54cc458f7422abc774
splitter
Y262SUCZ4UJJ

Targets

- Target
  
  0x0031000000005c50-6.dat
- Size
  
  31KB
- MD5
  
  b075f9e4015e2f43154b9903d9ec5fb5
- SHA1
  
  0717b04115360a6d1d4451c90d0f6b0f781d249f
- SHA256
  
  103cb14f2460de6ef7c780becc87bac0599bdd0527e176c0ec87aad2397b57e6
- SHA512
  
  4f71a17234a0078733bd61fa80bd3463341dda0c1ac31ac9c496efd528ecd8657cf206160d6b9205e4fab6aa3b10fdd8f1764bc574223c63a38213735fd3939b
- SSDEEP
  
  768:CmDVuVP514zxjCzXjX/v/DJvikQmIDUu0ti+irj:ze6SvBjQVkdoj
Score

10^/10

njrat quewexsite discovery evasion persistence privilege_escalation trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

quewexsitenjrat

behavioral1

njratquewexsitediscoveryevasionpersistenceprivilege_escalationtrojan

behavioral2

njratdiscoveryevasionpersistenceprivilege_escalationtrojan