njrat | 2e9983832a19f9b6dc791f57bff464dc53aa27d318e2b7a81bfc13fc1f579e09 | Triage

Sharing

General

Target

9e1ddb3ded2f795c2c3c2badbac73370N.exe
Size

115KB
Sample

240906-ywfaeswcke
MD5

9e1ddb3ded2f795c2c3c2badbac73370
SHA1

f5940b9df3d2d1f2335e6374aaed7dc7d27213ad
SHA256

2e9983832a19f9b6dc791f57bff464dc53aa27d318e2b7a81bfc13fc1f579e09
SHA512

6abde93ff7e97e250248a783740d7675f5689227c9dd0a3da0e5fbcdf84992ca3c64d80ee2745f1c87eaba826ea889075ad6d2d9366b48a80e705c5b0785d4df
SSDEEP

1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMDX:P5eznsjsguGDFqGZ2rDX

Score

10^/10

njrat neuf discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

neuf

C2

doddyfire.linkpc.net:10000

Mutex

e1a87040f2026369a233f9ae76301b7b

Attributes

reg_key
e1a87040f2026369a233f9ae76301b7b
splitter
|'|'|

Targets

- Target
  
  9e1ddb3ded2f795c2c3c2badbac73370N.exe
- Size
  
  115KB
- MD5
  
  9e1ddb3ded2f795c2c3c2badbac73370
- SHA1
  
  f5940b9df3d2d1f2335e6374aaed7dc7d27213ad
- SHA256
  
  2e9983832a19f9b6dc791f57bff464dc53aa27d318e2b7a81bfc13fc1f579e09
- SHA512
  
  6abde93ff7e97e250248a783740d7675f5689227c9dd0a3da0e5fbcdf84992ca3c64d80ee2745f1c87eaba826ea889075ad6d2d9366b48a80e705c5b0785d4df
- SSDEEP
  
  1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMDX:P5eznsjsguGDFqGZ2rDX
Score

10^/10

njrat neuf discovery evasion persistence privilege_escalation trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njratneufdiscoveryevasionpersistenceprivilege_escalationtrojan

behavioral2

njratneufdiscoveryevasionpersistenceprivilege_escalationtrojan