njrat | 084d25f64a21c6312f06a66b9bf921289df5bdc36d878ddb2202808ebcfdfc65 | Triage

Sharing

General

Target

573e4dd9ae6630d52702c4b9173b11c0N
Size

10KB
Sample

240909-al8xzsseqj
MD5

573e4dd9ae6630d52702c4b9173b11c0
SHA1

ab4b6e45d356ade72461faba5dbd5ec2a54ef7b6
SHA256

084d25f64a21c6312f06a66b9bf921289df5bdc36d878ddb2202808ebcfdfc65
SHA512

8c68554aedf5c9dc01f87cfc7b7f076cd912f22edacd27b888f145673e309b0ea9ad8feeccc031481b34201edbce5dc1afda9e1bd2bf12d83f04fd51885575be
SSDEEP

96:bk9Ma5eRnWnmLMddMWTtGC6T1VVNCGOfBraJkR+GpwGf9EgKepZyZ6bc9kdzNt:CynqmLidtECY18fVaaRxqGf9EZSytqX

Score

10^/10

njrat school discovery evasion execution persistence privilege_escalation trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://github.com/TheAirBlow/theairblow/blob/main/njrat.exe?raw=true

Extracted

Family

njrat

Version

im523

Botnet

school

C2

167.71.56.116:22764

Mutex

872de6721af0b6833a743205be97e089

Attributes

reg_key
872de6721af0b6833a743205be97e089
splitter
|'|'|

Targets

- Target
  
  573e4dd9ae6630d52702c4b9173b11c0N
- Size
  
  10KB
- MD5
  
  573e4dd9ae6630d52702c4b9173b11c0
- SHA1
  
  ab4b6e45d356ade72461faba5dbd5ec2a54ef7b6
- SHA256
  
  084d25f64a21c6312f06a66b9bf921289df5bdc36d878ddb2202808ebcfdfc65
- SHA512
  
  8c68554aedf5c9dc01f87cfc7b7f076cd912f22edacd27b888f145673e309b0ea9ad8feeccc031481b34201edbce5dc1afda9e1bd2bf12d83f04fd51885575be
- SSDEEP
  
  96:bk9Ma5eRnWnmLMddMWTtGC6T1VVNCGOfBraJkR+GpwGf9EgKepZyZ6bc9kdzNt:CynqmLidtECY18fVaaRxqGf9EZSytqX
Score

10^/10

discovery njrat school evasion execution persistence privilege_escalation trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Downloads MZ/PE file
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Replication Through Removable Media

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

njratschooldiscoveryevasionexecutionpersistenceprivilege_escalationtrojan