njrat | 200d11cd8fe4e8f7a6f67d79c2c3c74fca63712c421ac999e49221232f355e88 | Triage

Sharing

General

Target

d88d9478a3df86f3aad088f1d93e25f31eb9ad74a01f087b1a4a9533daf25fa6.exe
Size

35KB
Sample

240902-k326wawhrq
MD5

fb7f625eaf12d695aef5428a1433b0c8
SHA1

ed62ab0f392fba85c32977f96ff5cd01092e2898
SHA256

200d11cd8fe4e8f7a6f67d79c2c3c74fca63712c421ac999e49221232f355e88
SHA512

f379aaf1fcf1dff44436386b5f3dd198664caa98675dfcc3187bf2b255763a56de4a6a85486b464de6ea2a616479b0cf0ee86319b1a060432976dcaaf16570f5
SSDEEP

768:N7kprWOT9k3Cd4AJ/xssHJTVrj/okBDXZ6SmplA7PS+bHrT4Q:N+iOT9kSd5rpJTVrjA0V6hlkS+MQ

Score

10^/10

njrat server discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

Server

C2

hakim32.ddns.net:2000

0.tcp.jp.ngrok.io:12215

Mutex

cae159ad290a06b8a442e247969718ad

Attributes

reg_key
cae159ad290a06b8a442e247969718ad
splitter
|'|'|

Targets

- Target
  
  Device/HarddiskVolume3/Users/Usuario/Downloads/d88d9478a3df86f3aad088f1d93e25f31eb9ad74a01f087b1a4a9533daf25fa6.exe
- Size
  
  93KB
- MD5
  
  333edb223d980aa62d38eccece026ce4
- SHA1
  
  96dcf76040ef3db4e5fd04f6e5f572a20abb6404
- SHA256
  
  d88d9478a3df86f3aad088f1d93e25f31eb9ad74a01f087b1a4a9533daf25fa6
- SHA512
  
  8489721a0cd9b1bda528b460d62e79b5b79484a8b34760915c7d9d8b3d2951e30f8d9bef2ee6061be4a729e73982161175e6eace72e1a07e3494f9f1be33aa6d
- SSDEEP
  
  768:xY3B+xFKghFchQVTqWnwz/1h3XE/blTzxXSsvXxrjEtCdnl2pi1Rz4Rk3OsGdpyD:u+nK6bTq8itNEhVhjEwzGi1dDKDyzgS
Score

10^/10

njrat server discovery evasion persistence privilege_escalation trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Disables Task Manager via registry modification
  evasion
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

njratserverdiscoveryevasionpersistenceprivilege_escalationtrojan

behavioral2

discoveryevasionpersistenceprivilege_escalation