njrat | 503e5a4ea65d4b9a8b0ab762cc46a6d8c0f8ba1001373e6c7dc8a299d66dac89 | Triage

Sharing

General

Target

503e5a4ea65d4b9a8b0ab762cc46a6d8c0f8ba1001373e6c7dc8a299d66dac89N
Size

37KB
Sample

240921-fec5mawalh
MD5

c2d69bc64ca834ade114523d31af0b20
SHA1

7579b9a2e45e5b0f99113b118981064007874e5b
SHA256

503e5a4ea65d4b9a8b0ab762cc46a6d8c0f8ba1001373e6c7dc8a299d66dac89
SHA512

39b31ffe0d68ea682908ed74dcd8ee699219d174aafec10fc086a01bdf6f9c09e7a43044d5a711504d28f289ac0344b0b4c1a6a47a3e0fb988d01cabb4e1acc3
SSDEEP

384:gQmn6ikNRxdDsyNyyszdSZPhs8mGz0rAF+rMRTyN/0L+EcoinblneHQM3epzXIEV:nm0eyNBszdSZC1GwrM+rMRa8Nu+Eft

Score

10^/10

njrat hacked discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

HacKed

C2

flowers-novelty.gl.at.ply.gg:50375

Mutex

5658a3c4e97b27740dd9826a509bb4c2

Attributes

reg_key
5658a3c4e97b27740dd9826a509bb4c2
splitter
|'|'|

Targets

- Target
  
  503e5a4ea65d4b9a8b0ab762cc46a6d8c0f8ba1001373e6c7dc8a299d66dac89N
- Size
  
  37KB
- MD5
  
  c2d69bc64ca834ade114523d31af0b20
- SHA1
  
  7579b9a2e45e5b0f99113b118981064007874e5b
- SHA256
  
  503e5a4ea65d4b9a8b0ab762cc46a6d8c0f8ba1001373e6c7dc8a299d66dac89
- SHA512
  
  39b31ffe0d68ea682908ed74dcd8ee699219d174aafec10fc086a01bdf6f9c09e7a43044d5a711504d28f289ac0344b0b4c1a6a47a3e0fb988d01cabb4e1acc3
- SSDEEP
  
  384:gQmn6ikNRxdDsyNyyszdSZPhs8mGz0rAF+rMRTyN/0L+EcoinblneHQM3epzXIEV:nm0eyNBszdSZC1GwrM+rMRa8Nu+Eft
Score

10^/10

njrat hacked discovery evasion persistence privilege_escalation trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njrathackeddiscoveryevasionpersistenceprivilege_escalationtrojan

behavioral2

discoveryevasionpersistenceprivilege_escalation