njrat | 3180329acbe4bef309498a65b0db0df853102257fdc3c71838c969289121f425 | Triage

Sharing

General

Target

0x0036000000015d4215.dat
Size

37KB
Sample

240827-xmmgpsxhpk
MD5

93bf6f4e5c7a5cfa70924d084796388d
SHA1

92c32c2ae89aefceb51468eca032adce232e0bbb
SHA256

3180329acbe4bef309498a65b0db0df853102257fdc3c71838c969289121f425
SHA512

eb13a2d5590aa20e426a8d93b27d57f467be9efe496a180d2c6c921597b6ed2b232a0e0c43dd451b377b356c2ffa22083062c67172b9f109d3efa87e31e6de42
SSDEEP

384:nlmFnqi0lJZtbH9KyM+2VzmiPZMsWerErAF+rMRTyN/0L+EcoinblneHQM3epzXW:lmSJ95M+2V6iqVe4rM+rMRa8NuMJt

Score

10^/10

njrat hacked discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

HacKed

C2

born-administrative.gl.at.ply.gg:10324

Mutex

c6aa749155b3480287d64e2d4a50cdbf

Attributes

reg_key
c6aa749155b3480287d64e2d4a50cdbf
splitter
|'|'|

Targets

- Target
  
  0x0036000000015d4215.dat
- Size
  
  37KB
- MD5
  
  93bf6f4e5c7a5cfa70924d084796388d
- SHA1
  
  92c32c2ae89aefceb51468eca032adce232e0bbb
- SHA256
  
  3180329acbe4bef309498a65b0db0df853102257fdc3c71838c969289121f425
- SHA512
  
  eb13a2d5590aa20e426a8d93b27d57f467be9efe496a180d2c6c921597b6ed2b232a0e0c43dd451b377b356c2ffa22083062c67172b9f109d3efa87e31e6de42
- SSDEEP
  
  384:nlmFnqi0lJZtbH9KyM+2VzmiPZMsWerErAF+rMRTyN/0L+EcoinblneHQM3epzXW:lmSJ95M+2V6iqVe4rM+rMRa8NuMJt
Score

10^/10

njrat hacked discovery evasion persistence privilege_escalation trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njrathackeddiscoveryevasionpersistenceprivilege_escalationtrojan

behavioral2

discoveryevasionpersistenceprivilege_escalation