njrat | a8bd51bd9808450d3f3c954b221f5d01e55a7863dd048a816dfbe229391e8bba | Triage

Sharing

General

Target

a92763f22f7cf1683f18472ab69293f9.bin
Size

11KB
Sample

240914-bvfs8szhpg
MD5

bf3bc291160a3918045e373531f0052c
SHA1

93c4f502bb28858f4f853f4d329315da8304cbcc
SHA256

a8bd51bd9808450d3f3c954b221f5d01e55a7863dd048a816dfbe229391e8bba
SHA512

8d38d106aa2275a1d97f27c645eb73ee57f9797404f9c9f89abf92c72e5f1399568691e6dae1586b593bc5c112c385bc0bd5274202d39aec68d424775f64985f
SSDEEP

192:yr272zcwg7XPXTxXTjrIBVL8T1qaZ3sErxTVRthsfKE6R2MetHM/1zhwA+f8ZHfG:PIvY/tTjrcVL81qA3sErdVRthsfD6Rs5

Score

10^/10

njrat hacked discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

mohmoh002.ddns.net:5552

Mutex

d922c61e0aecad1aa02e873c7d37cf0a

Attributes

reg_key
d922c61e0aecad1aa02e873c7d37cf0a
splitter
|'|'|

Targets

- Target
  
  7f70e00cb673f52e3feb31834e2e2c4ad2091a690a56735a1f517c7ebc52a3be.exe
- Size
  
  23KB
- MD5
  
  a92763f22f7cf1683f18472ab69293f9
- SHA1
  
  dfd4a8a96b255804165d4d1d458cd6ccd5b4d8d9
- SHA256
  
  7f70e00cb673f52e3feb31834e2e2c4ad2091a690a56735a1f517c7ebc52a3be
- SHA512
  
  181c1b24d6e907352836dbd4d2445e112bf949d76df3827dc477919428f21b017c0bb3f27ebe65b59c3589f2d1706f59fdb7bc444073fcb2c3f32696a5d8b003
- SSDEEP
  
  384:f+n2650N3qZbATcjRGC5Eo9D46BgnqUhay1ZmRvR6JZlbw8hqIusZzZxU1:4m+71d5XRpcnuJ1
Score

10^/10

njrat hacked discovery evasion persistence privilege_escalation trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njrathackeddiscoveryevasionpersistenceprivilege_escalationtrojan

behavioral2

njratdiscoveryevasionpersistenceprivilege_escalationtrojan