njrat | c34be82d4d26914808ef38f10338c6dc66da3179e70319a2362c387f770b288f | Triage

Sharing

General

Target

c34be82d4d26914808ef38f10338c6dc66da3179e70319a2362c387f770b288fN
Size

64KB
Sample

240929-1gjqeawarb
MD5

ab351ab86e32f9936c7943a397eba860
SHA1

b11324109a190f06c068cc36d8972abd6f96fbf6
SHA256

c34be82d4d26914808ef38f10338c6dc66da3179e70319a2362c387f770b288f
SHA512

a8934e43aa1ae58ba07885419904cfada12b5ef99093b74d775c8993f5c32a8c413ea1af88ebf8e983c10e1ebd7daf2acba45d0e917365415f64de15e13055dc
SSDEEP

768:t+w1rw9MVg/KgUA1M69FSXOfsJ8LpG8K78AQdc/LPNX2iFJNgl:x/td4toX+sJqA8K78AiKzNrJNgl

Score

10^/10

njrat cleno evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

Cleno

C2

arabchat24.servemp3.com:3461

Mutex

3a89e7585d94d684ad793985a8f8b48e

Attributes

reg_key
3a89e7585d94d684ad793985a8f8b48e
splitter
|'|'|

Targets

- Target
  
  c34be82d4d26914808ef38f10338c6dc66da3179e70319a2362c387f770b288fN
- Size
  
  64KB
- MD5
  
  ab351ab86e32f9936c7943a397eba860
- SHA1
  
  b11324109a190f06c068cc36d8972abd6f96fbf6
- SHA256
  
  c34be82d4d26914808ef38f10338c6dc66da3179e70319a2362c387f770b288f
- SHA512
  
  a8934e43aa1ae58ba07885419904cfada12b5ef99093b74d775c8993f5c32a8c413ea1af88ebf8e983c10e1ebd7daf2acba45d0e917365415f64de15e13055dc
- SSDEEP
  
  768:t+w1rw9MVg/KgUA1M69FSXOfsJ8LpG8K78AQdc/LPNX2iFJNgl:x/td4toX+sJqA8K78AiKzNrJNgl
Score

10^/10

njrat cleno evasion persistence privilege_escalation trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njratclenoevasionpersistenceprivilege_escalationtrojan

behavioral2

njratclenoevasionpersistenceprivilege_escalationtrojan