njrat | 96bf799fbafcbc9e851fe8d3b10b292c4eabe9bfc9d208e99974b1b55d335c63 | Triage

Sharing

General

Target

96bf799fbafcbc9e851fe8d3b10b292c4eabe9bfc9d208e99974b1b55d335c63.exe
Size

22KB
Sample

240927-ymyqeawgql
MD5

ed4ce0f471e4e08f00df8b0ba0e2ff9d
SHA1

fe48b3a5185edccca8203f626292a944fa614358
SHA256

96bf799fbafcbc9e851fe8d3b10b292c4eabe9bfc9d208e99974b1b55d335c63
SHA512

c76c1b2da103b0cea271a778600ab9da6d9abfe11b7e7f46beadb6e2ab6a3e612a8fbfe2f389b0d75f0e59bd9d5437a55b28a98bc0bc4e4df1a7822fba5a2d37
SSDEEP

384:uMK6b2GZsx/Yr1+liORH1kcPFQ6Lg9gSOYRr9mRvR6JZlbw8hqIusZzZv/:Zb9glF51LRpcnuE

Score

10^/10

njrat hacked discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

shytangz12.ddns.net:1177

Mutex

65271d5e85054f67d5a5285b8baa1fd0

Attributes

reg_key
65271d5e85054f67d5a5285b8baa1fd0
splitter
|'|'|

Targets

- Target
  
  96bf799fbafcbc9e851fe8d3b10b292c4eabe9bfc9d208e99974b1b55d335c63.exe
- Size
  
  22KB
- MD5
  
  ed4ce0f471e4e08f00df8b0ba0e2ff9d
- SHA1
  
  fe48b3a5185edccca8203f626292a944fa614358
- SHA256
  
  96bf799fbafcbc9e851fe8d3b10b292c4eabe9bfc9d208e99974b1b55d335c63
- SHA512
  
  c76c1b2da103b0cea271a778600ab9da6d9abfe11b7e7f46beadb6e2ab6a3e612a8fbfe2f389b0d75f0e59bd9d5437a55b28a98bc0bc4e4df1a7822fba5a2d37
- SSDEEP
  
  384:uMK6b2GZsx/Yr1+liORH1kcPFQ6Lg9gSOYRr9mRvR6JZlbw8hqIusZzZv/:Zb9glF51LRpcnuE
Score

10^/10

njrat hacked discovery evasion persistence privilege_escalation trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njrathackeddiscoveryevasionpersistenceprivilege_escalationtrojan

behavioral2

njratdiscoveryevasionpersistenceprivilege_escalationtrojan