njrat | 26f7e1788c2656cd64e69ac68873acfdd0160ff6ed07880720c4a52f5d52bc10 | Triage

Sharing

General

Target

26f7e1788c2656cd64e69ac68873acfdd0160ff6ed07880720c4a52f5d52bc10.exe
Size

23KB
Sample

240928-kjamhsyfna
MD5

76384fbf41e0a00a77b7fcba4d92fb24
SHA1

be5adb67b70429162202adbda371c6cd02cd5f20
SHA256

26f7e1788c2656cd64e69ac68873acfdd0160ff6ed07880720c4a52f5d52bc10
SHA512

e308a60e29013ae6b1fdbe5493ba7209c50d3479d517fbd2de4cfaeecfd5c9cad00d66e34748c898c2424ab9e113af270085b0774b8223bfc248a597ceaf5185
SSDEEP

384:RTWSEFDn65Egj6RGiYCINTY6xgXakh2oZDJmRvR6JZlbw8hqIusZzZKr:tm7OM9YX0MRpcnu3

Score

10^/10

njrat required installation discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

required installation

C2

uxnr.ddns.net:7144

Mutex

a2d1b1b05cb0b58cf6e21aefb30df1db

Attributes

reg_key
a2d1b1b05cb0b58cf6e21aefb30df1db
splitter
|'|'|

Targets

- Target
  
  26f7e1788c2656cd64e69ac68873acfdd0160ff6ed07880720c4a52f5d52bc10.exe
- Size
  
  23KB
- MD5
  
  76384fbf41e0a00a77b7fcba4d92fb24
- SHA1
  
  be5adb67b70429162202adbda371c6cd02cd5f20
- SHA256
  
  26f7e1788c2656cd64e69ac68873acfdd0160ff6ed07880720c4a52f5d52bc10
- SHA512
  
  e308a60e29013ae6b1fdbe5493ba7209c50d3479d517fbd2de4cfaeecfd5c9cad00d66e34748c898c2424ab9e113af270085b0774b8223bfc248a597ceaf5185
- SSDEEP
  
  384:RTWSEFDn65Egj6RGiYCINTY6xgXakh2oZDJmRvR6JZlbw8hqIusZzZKr:tm7OM9YX0MRpcnu3
Score

10^/10

njrat required installation discovery evasion persistence privilege_escalation trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

required installationnjrat

behavioral1

njratrequired installationdiscoveryevasionpersistenceprivilege_escalationtrojan

behavioral2

njratdiscoveryevasionpersistenceprivilege_escalationtrojan