njrat | eee08cea677b93199fd1ad83347b8176bde16b3ee99c54f69c06a9e652217d5b | Triage

Sharing

General

Target

eee08cea677b93199fd1ad83347b8176bde16b3ee99c54f69c06a9e652217d5b
Size

876KB
Sample

240929-et5mrazbnr
MD5

d2f1b1af7a46c20e123e0ae887189ff9
SHA1

bed60ed94e966aff0222185c5dfc2449330ec3bf
SHA256

eee08cea677b93199fd1ad83347b8176bde16b3ee99c54f69c06a9e652217d5b
SHA512

5cb5c610d460bbafb67f8025cd76192028312708027133d0787f194d4582e1146502190ab52d52305ecde8c79be219c28bc813058be80c4d15ab345474fb1550
SSDEEP

12288:E4lsXvtCcmVVXzzn4PJAahPl/QEdIMiVbHydEIJnJWUga47X4q9MmCS:E4lavt0LkLL9IMixoEgea4X4q9MmCS

Score

10^/10

njrat hacked discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

10.10.1.11:5552

Mutex

7657c14284185fbd3fb108b43c7467ba

Attributes

reg_key
7657c14284185fbd3fb108b43c7467ba
splitter
|'|'|

Targets

- Target
  
  eee08cea677b93199fd1ad83347b8176bde16b3ee99c54f69c06a9e652217d5b
- Size
  
  876KB
- MD5
  
  d2f1b1af7a46c20e123e0ae887189ff9
- SHA1
  
  bed60ed94e966aff0222185c5dfc2449330ec3bf
- SHA256
  
  eee08cea677b93199fd1ad83347b8176bde16b3ee99c54f69c06a9e652217d5b
- SHA512
  
  5cb5c610d460bbafb67f8025cd76192028312708027133d0787f194d4582e1146502190ab52d52305ecde8c79be219c28bc813058be80c4d15ab345474fb1550
- SSDEEP
  
  12288:E4lsXvtCcmVVXzzn4PJAahPl/QEdIMiVbHydEIJnJWUga47X4q9MmCS:E4lavt0LkLL9IMixoEgea4X4q9MmCS
Score

10^/10

njrat hacked discovery evasion persistence privilege_escalation trojan
- UAC bypass
  evasion trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Abuse Elevation Control Mechanism

Bypass User Account Control

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Abuse Elevation Control Mechanism

Bypass User Account Control

Impair Defenses

Disable or Modify System Firewall

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njrathackeddiscoveryevasionpersistenceprivilege_escalationtrojan

behavioral2

njratdiscoveryevasionpersistenceprivilege_escalationtrojan