njrat | 1e0d019421d4ff252ecef39984f7e65475b78dcfb24bbfef83579e86ce0dc23d | Triage

Sharing

General

Target

1e0d019421d4ff252ecef39984f7e65475b78dcfb24bbfef83579e86ce0dc23d.exe
Size

14.6MB
Sample

240927-bf8wgazdrf
MD5

3bd5f723cd50d790a31f7a7854597438
SHA1

c0223ba8beadb32eadb6778929c69e3ffb7173f8
SHA256

1e0d019421d4ff252ecef39984f7e65475b78dcfb24bbfef83579e86ce0dc23d
SHA512

21ef897fa72ea9c45adbda395d121f48f29311a6b0994c26f6d46043b02e9b4441919c018a3c47469d593d63acdbec5445ae88d5e05f4ef80cd62861d228d8e4
SSDEEP

196608:izm4LCplt2cxLJKDY/Xk8+z3fA+j+9UNV7EZIHGaFUlWhR+ZU/TvvTTFyAUh+S:WzKlt2ctBUH+9UNlst2oWhRd3fFycS

Score

10^/10

njrat pro-system discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

Pro-SYstem

C2

x555hd.ddns.net:555

Mutex

9e82a5ccaed752a57fda004b4018de61

Attributes

reg_key
9e82a5ccaed752a57fda004b4018de61
splitter
|'|'|

Targets

- Target
  
  1e0d019421d4ff252ecef39984f7e65475b78dcfb24bbfef83579e86ce0dc23d.exe
- Size
  
  14.6MB
- MD5
  
  3bd5f723cd50d790a31f7a7854597438
- SHA1
  
  c0223ba8beadb32eadb6778929c69e3ffb7173f8
- SHA256
  
  1e0d019421d4ff252ecef39984f7e65475b78dcfb24bbfef83579e86ce0dc23d
- SHA512
  
  21ef897fa72ea9c45adbda395d121f48f29311a6b0994c26f6d46043b02e9b4441919c018a3c47469d593d63acdbec5445ae88d5e05f4ef80cd62861d228d8e4
- SSDEEP
  
  196608:izm4LCplt2cxLJKDY/Xk8+z3fA+j+9UNV7EZIHGaFUlWhR+ZU/TvvTTFyAUh+S:WzKlt2ctBUH+9UNlst2oWhRd3fFycS
Score

10^/10

njrat pro-system discovery evasion persistence privilege_escalation trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njratpro-systemdiscoveryevasionpersistenceprivilege_escalationtrojan

behavioral2

njratpro-systemdiscoveryevasionpersistenceprivilege_escalationtrojan