njrat | fbd21d414a2ba64913cf81675e3ac0764e43c6fa53b779c645b1272127f26ad1 | Triage

Sharing

General

Target

fbd21d414a2ba64913cf81675e3ac0764e43c6fa53b779c645b1272127f26ad1N
Size

37KB
Sample

240916-1xcxsssbmq
MD5

dce6fe99cffe57ee5042749e902282e0
SHA1

c897639a9bc2f9040d26d5440deff82f1454b963
SHA256

fbd21d414a2ba64913cf81675e3ac0764e43c6fa53b779c645b1272127f26ad1
SHA512

f350938373d0392de252be911f91f73008a983066a7b48e250439d9a0e16ffef7a9e56113f8a4e2dacead9766693d9aece34ab0741b6facee0d056f5aeb7f494
SSDEEP

384:zW8jKicg8jn5xL5oyUi823Vujvf/NYisZarAF+rMRTyN/0L+EcoinblneHQM3epa:K8mf5DUi8wujv91swrM+rMRa8NurMt

Score

10^/10

njrat hacked discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

HacKed

C2

bush-granted.gl.at.ply.gg:43468

Mutex

8c1dce9b40381a0188a14dc9221fdc31

Attributes

reg_key
8c1dce9b40381a0188a14dc9221fdc31
splitter
|'|'|

Targets

- Target
  
  fbd21d414a2ba64913cf81675e3ac0764e43c6fa53b779c645b1272127f26ad1N
- Size
  
  37KB
- MD5
  
  dce6fe99cffe57ee5042749e902282e0
- SHA1
  
  c897639a9bc2f9040d26d5440deff82f1454b963
- SHA256
  
  fbd21d414a2ba64913cf81675e3ac0764e43c6fa53b779c645b1272127f26ad1
- SHA512
  
  f350938373d0392de252be911f91f73008a983066a7b48e250439d9a0e16ffef7a9e56113f8a4e2dacead9766693d9aece34ab0741b6facee0d056f5aeb7f494
- SSDEEP
  
  384:zW8jKicg8jn5xL5oyUi823Vujvf/NYisZarAF+rMRTyN/0L+EcoinblneHQM3epa:K8mf5DUi8wujv91swrM+rMRa8NurMt
Score

10^/10

njrat hacked discovery evasion persistence privilege_escalation trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njrathackeddiscoveryevasionpersistenceprivilege_escalationtrojan

behavioral2

discoveryevasionpersistenceprivilege_escalation