njrat | b0b7e0547949400674954396d6dd3f9ce820f608eb8063b1c9d86f3e3d16f2df | Triage

Sharing

General

Target

b0b7e0547949400674954396d6dd3f9ce820f608eb8063b1c9d86f3e3d16f2df
Size

232KB
Sample

240917-a2a1wsybqq
MD5

048af131c128c4f3d61e2f8311a0d789
SHA1

6499aaffdef17532166f4e6b023b5b5e9c2a3a74
SHA256

b0b7e0547949400674954396d6dd3f9ce820f608eb8063b1c9d86f3e3d16f2df
SHA512

8ecf9f80ed6651dda257215f80a9fdaca1f19a1833a0968e67d943bea6a654ff59e828085d69f7a10e05e32290d3b2a28355179f3b367b86abb3781f69451c32
SSDEEP

6144:sGzuTmcrilEBufkto5AoYfqyoVxxGMOr6ulkLAl9sUgvoplt:sGuTKlEBu8t6zYyyowWulA6sU1r

Score

10^/10

njrat adam evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

Adam

C2

127.0.0.1:5552

Mutex

0fdeb309c302794f1f098abd7425174f

Attributes

reg_key
0fdeb309c302794f1f098abd7425174f
splitter
|'|'|

Targets

- Target
  
  b0b7e0547949400674954396d6dd3f9ce820f608eb8063b1c9d86f3e3d16f2df
- Size
  
  232KB
- MD5
  
  048af131c128c4f3d61e2f8311a0d789
- SHA1
  
  6499aaffdef17532166f4e6b023b5b5e9c2a3a74
- SHA256
  
  b0b7e0547949400674954396d6dd3f9ce820f608eb8063b1c9d86f3e3d16f2df
- SHA512
  
  8ecf9f80ed6651dda257215f80a9fdaca1f19a1833a0968e67d943bea6a654ff59e828085d69f7a10e05e32290d3b2a28355179f3b367b86abb3781f69451c32
- SSDEEP
  
  6144:sGzuTmcrilEBufkto5AoYfqyoVxxGMOr6ulkLAl9sUgvoplt:sGuTKlEBu8t6zYyyowWulA6sU1r
Score

10^/10

njrat adam evasion persistence privilege_escalation trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- .NET Reactor proctector
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njratadamevasionpersistenceprivilege_escalationtrojan

behavioral2

njratadamevasionpersistenceprivilege_escalationtrojan