njrat | 3f0dcf0987034aacac24fbc428045c6e531240053f4027417abb0fa57626e5da | Triage

Sharing

General

Target

3068-18-0x00000000002E0000-0x00000000002EC000-memory.dmp
Size

48KB
Sample

240926-te9eqayenb
MD5

d7bb984bcbeaaf2873aea2bce3a36073
SHA1

f3cc4c1f1958ad809396bc00945d10b5c4968ec7
SHA256

3f0dcf0987034aacac24fbc428045c6e531240053f4027417abb0fa57626e5da
SHA512

ac7fa655f2ece9fd17fbb50a03e0154619c67c91b01dfe3eabb1ee80ce50db391aa8974167899a4bda264fc6773102e2103ca45bcb867be903a8da2fd6010ad7
SSDEEP

384:mluBPiZCMfdfSJrQbsLRGSIxYVL46pg/i8BD9BmRvR6JZlbw8hqIusZzZhnJ:JOmhtIiRpcnuqJ

Score

10^/10

njrat pro-system discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

Pro-SYstem

C2

x555hd.ddns.net:555

Mutex

9e82a5ccaed752a57fda004b4018de61

Attributes

reg_key
9e82a5ccaed752a57fda004b4018de61
splitter
|'|'|

Targets

- Target
  
  3068-18-0x00000000002E0000-0x00000000002EC000-memory.dmp
- Size
  
  48KB
- MD5
  
  d7bb984bcbeaaf2873aea2bce3a36073
- SHA1
  
  f3cc4c1f1958ad809396bc00945d10b5c4968ec7
- SHA256
  
  3f0dcf0987034aacac24fbc428045c6e531240053f4027417abb0fa57626e5da
- SHA512
  
  ac7fa655f2ece9fd17fbb50a03e0154619c67c91b01dfe3eabb1ee80ce50db391aa8974167899a4bda264fc6773102e2103ca45bcb867be903a8da2fd6010ad7
- SSDEEP
  
  384:mluBPiZCMfdfSJrQbsLRGSIxYVL46pg/i8BD9BmRvR6JZlbw8hqIusZzZhnJ:JOmhtIiRpcnuqJ
Score

10^/10

njrat pro-system discovery evasion persistence privilege_escalation trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

pro-systemnjrat

behavioral1

njratpro-systemdiscoveryevasionpersistenceprivilege_escalationtrojan

behavioral2

njratdiscoveryevasionpersistenceprivilege_escalationtrojan