njrat | 9a93e284738593ec18d5e0c7d23de3a798a2fb7948aa730243edb5fd3566fc3c | Triage

Sharing

General

Target

9a93e284738593ec18d5e0c7d23de3a798a2fb7948aa730243edb5fd3566fc3c
Size

509KB
Sample

240915-adhqtsvcjr
MD5

093b753a23c9e8d075a0b5930becc5db
SHA1

1702c0e879306d86a5a66291da6318581df63f1d
SHA256

9a93e284738593ec18d5e0c7d23de3a798a2fb7948aa730243edb5fd3566fc3c
SHA512

e948a28961872ea1b64cafcd0190cc2d85cac5d887b94d4a8eefc24374ca1581c6c9882c6000cea9c6c507b14be6c4f2191118e3aa76cfdb7992d4f5aab11cf2
SSDEEP

6144:BstlOOo8x7n59Z+zyu65QnlQBD57PSNfL:wOOfN590uu6ekV7PSNz

Score

10^/10

njrat loh discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

Loh

C2

4.tcp.ngrok.io:15397

Mutex

e3a79ad10724ea5246684eaecb0cb4a0

Attributes

reg_key
e3a79ad10724ea5246684eaecb0cb4a0
splitter
|'|'|

Targets

- Target
  
  9a93e284738593ec18d5e0c7d23de3a798a2fb7948aa730243edb5fd3566fc3c
- Size
  
  509KB
- MD5
  
  093b753a23c9e8d075a0b5930becc5db
- SHA1
  
  1702c0e879306d86a5a66291da6318581df63f1d
- SHA256
  
  9a93e284738593ec18d5e0c7d23de3a798a2fb7948aa730243edb5fd3566fc3c
- SHA512
  
  e948a28961872ea1b64cafcd0190cc2d85cac5d887b94d4a8eefc24374ca1581c6c9882c6000cea9c6c507b14be6c4f2191118e3aa76cfdb7992d4f5aab11cf2
- SSDEEP
  
  6144:BstlOOo8x7n59Z+zyu65QnlQBD57PSNfL:wOOfN590uu6ekV7PSNz
Score

10^/10

njrat loh discovery evasion persistence privilege_escalation trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

njratlohdiscoveryevasionpersistenceprivilege_escalationtrojan

behavioral2

discoveryevasionpersistenceprivilege_escalation