njrat | e3f63a4ddb9885b2a890a887454850f4b47bb4cb956bef7e98be37a579c84e65 | Triage

Sharing

General

Target

f9a4d98c734695a1c02d4620da8cce10N
Size

118KB
Sample

240914-t42featdlk
MD5

f9a4d98c734695a1c02d4620da8cce10
SHA1

31b5e04977054b521afd697199108745be6b081a
SHA256

e3f63a4ddb9885b2a890a887454850f4b47bb4cb956bef7e98be37a579c84e65
SHA512

c5e51e9f0250935f73cdf31d4132f12ba47b69ac3930b43b8a03f29949c66c48a5bfd4cb878e2ee5b9acaaacf0a7bdc7cb9f66be8ef96b8f669c2085b5cbff71
SSDEEP

1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMDL2rKIt:P5eznsjsguGDFqGZ2rDL2OIt

Score

10^/10

njrat neuf discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

neuf

C2

doddyfire.linkpc.net:10000

Mutex

e1a87040f2026369a233f9ae76301b7b

Attributes

reg_key
e1a87040f2026369a233f9ae76301b7b
splitter
|'|'|

Targets

- Target
  
  f9a4d98c734695a1c02d4620da8cce10N
- Size
  
  118KB
- MD5
  
  f9a4d98c734695a1c02d4620da8cce10
- SHA1
  
  31b5e04977054b521afd697199108745be6b081a
- SHA256
  
  e3f63a4ddb9885b2a890a887454850f4b47bb4cb956bef7e98be37a579c84e65
- SHA512
  
  c5e51e9f0250935f73cdf31d4132f12ba47b69ac3930b43b8a03f29949c66c48a5bfd4cb878e2ee5b9acaaacf0a7bdc7cb9f66be8ef96b8f669c2085b5cbff71
- SSDEEP
  
  1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMDL2rKIt:P5eznsjsguGDFqGZ2rDL2OIt
Score

10^/10

njrat neuf discovery evasion persistence privilege_escalation trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njratneufdiscoveryevasionpersistenceprivilege_escalationtrojan

behavioral2

njratneufdiscoveryevasionpersistenceprivilege_escalationtrojan