njrat | 952ac15d63c149fe69bf8244baa71fea739ccb58a22e2cba83b01d6dbf688bab | Triage

Sharing

General

Target

952ac15d63c149fe69bf8244baa71fea739ccb58a22e2cba83b01d6dbf688bab.exe
Size

23KB
Sample

240927-xzlqyaxeje
MD5

e42c87e4e16c3b0619a13234b99e9e44
SHA1

655a0fae9b2cd51e31725cf966f89bea8c1c91d8
SHA256

952ac15d63c149fe69bf8244baa71fea739ccb58a22e2cba83b01d6dbf688bab
SHA512

e7125f70390b85decb08ea0461e48508fea6a9a01593a197ba569e5e9491183e13e01dbdf6ba0f0189256bae4f5a0dbdb87473aa26773bd4e9a5c3f8389a9442
SSDEEP

384:swz6+T4IjWZFNwXU0eiNUBdvt6lgT+lLOhXxQmRvR6JZlbw8hqIusZzZJ+:XTbC81NgRpcnuT

Score

10^/10

njrat hacked discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

192.168.0.27:4444

Mutex

279d9875560cf85d9f3bc76b45479fdf

Attributes

reg_key
279d9875560cf85d9f3bc76b45479fdf
splitter
|'|'|

Targets

- Target
  
  952ac15d63c149fe69bf8244baa71fea739ccb58a22e2cba83b01d6dbf688bab.exe
- Size
  
  23KB
- MD5
  
  e42c87e4e16c3b0619a13234b99e9e44
- SHA1
  
  655a0fae9b2cd51e31725cf966f89bea8c1c91d8
- SHA256
  
  952ac15d63c149fe69bf8244baa71fea739ccb58a22e2cba83b01d6dbf688bab
- SHA512
  
  e7125f70390b85decb08ea0461e48508fea6a9a01593a197ba569e5e9491183e13e01dbdf6ba0f0189256bae4f5a0dbdb87473aa26773bd4e9a5c3f8389a9442
- SSDEEP
  
  384:swz6+T4IjWZFNwXU0eiNUBdvt6lgT+lLOhXxQmRvR6JZlbw8hqIusZzZJ+:XTbC81NgRpcnuT
Score

10^/10

njrat hacked discovery evasion persistence privilege_escalation trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njrathackeddiscoveryevasionpersistenceprivilege_escalationtrojan

behavioral2

njratdiscoveryevasionpersistenceprivilege_escalationtrojan