njrat | 58dae216d7e872a5ac859cb6990165c8a1b6c10b7d39498b3b38327bf8500ae5 | Triage

Sharing

General

Target

58dae216d7e872a5ac859cb6990165c8a1b6c10b7d39498b3b38327bf8500ae5.exe
Size

1.2MB
Sample

240922-bmax1svdpl
MD5

42a97cec33e8c8e987d5739fbd3c9f00
SHA1

1704e208451006c59a246e65fce67860f9c76c2f
SHA256

58dae216d7e872a5ac859cb6990165c8a1b6c10b7d39498b3b38327bf8500ae5
SHA512

4dcba032583dc5cd7415f2f2407c658e304a06f081e596534e6b1f5b602730777404db8ab563c34ecaefbfdca6d727ccdec81036a47544ddf1ae54b76ed12b8c
SSDEEP

24576:SAqPpaQKsfCB1DSkIP619ot0IN46qu6I9lMMGwTX3EuAjjv5tJPVUVF4j6:SAq3JCz1IPQiqu6I9KMNTX3EuQFtJPVU

Score

10^/10

njrat karla 1998 discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

KARLA 1998

C2

seznam.hopto.org:1177

Mutex

36db42ed563b740681ec3918ded7c343

Attributes

reg_key
36db42ed563b740681ec3918ded7c343
splitter
|'|'|

Targets

- Target
  
  58dae216d7e872a5ac859cb6990165c8a1b6c10b7d39498b3b38327bf8500ae5.exe
- Size
  
  1.2MB
- MD5
  
  42a97cec33e8c8e987d5739fbd3c9f00
- SHA1
  
  1704e208451006c59a246e65fce67860f9c76c2f
- SHA256
  
  58dae216d7e872a5ac859cb6990165c8a1b6c10b7d39498b3b38327bf8500ae5
- SHA512
  
  4dcba032583dc5cd7415f2f2407c658e304a06f081e596534e6b1f5b602730777404db8ab563c34ecaefbfdca6d727ccdec81036a47544ddf1ae54b76ed12b8c
- SSDEEP
  
  24576:SAqPpaQKsfCB1DSkIP619ot0IN46qu6I9lMMGwTX3EuAjjv5tJPVUVF4j6:SAq3JCz1IPQiqu6I9KMNTX3EuQFtJPVU
Score

10^/10

njrat karla 1998 discovery evasion persistence privilege_escalation trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njratkarla 1998discoveryevasionpersistenceprivilege_escalationtrojan

behavioral2

njratkarla 1998discoveryevasionpersistenceprivilege_escalationtrojan