njrat | 4b648c2427723431eab856e3d42467c714e27cf2affaa99dd932c428094a28d2 | Triage

Sharing

General

Target

4b648c2427723431eab856e3d42467c714e27cf2affaa99dd932c428094a28d2N
Size

543KB
Sample

240930-qmzzga1gmf
MD5

e0645a7fcb592dab2658f800888693a0
SHA1

123bedbc6e4af12908f4ef59fca1ad1af262ffb9
SHA256

4b648c2427723431eab856e3d42467c714e27cf2affaa99dd932c428094a28d2
SHA512

62b5c98141db209a8f4f7c88be22893c85c8d23d838d1f65dcd9d3284b19bba737e75ab5e1fc41aab813f7348799d6d4ec5f5a5f49b1153328f5c3bfc93bcca0
SSDEEP

12288:yVQIBRKed0Oa7JHveGg3bdd54VBwKEjA+8e5OXhOSJDVLlwHzz3k9Lac:yhBRKedW7JHveGg3bdv4VBwKEjJ8e5O/

Score

10^/10

njrat hacked discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

22.ip.gl.ply.gg:57731

Mutex

32ce84f74d25f1e71aac67667a2c8d24

Attributes

reg_key
32ce84f74d25f1e71aac67667a2c8d24
splitter
|'|'|

Targets

- Target
  
  4b648c2427723431eab856e3d42467c714e27cf2affaa99dd932c428094a28d2N
- Size
  
  543KB
- MD5
  
  e0645a7fcb592dab2658f800888693a0
- SHA1
  
  123bedbc6e4af12908f4ef59fca1ad1af262ffb9
- SHA256
  
  4b648c2427723431eab856e3d42467c714e27cf2affaa99dd932c428094a28d2
- SHA512
  
  62b5c98141db209a8f4f7c88be22893c85c8d23d838d1f65dcd9d3284b19bba737e75ab5e1fc41aab813f7348799d6d4ec5f5a5f49b1153328f5c3bfc93bcca0
- SSDEEP
  
  12288:yVQIBRKed0Oa7JHveGg3bdd54VBwKEjA+8e5OXhOSJDVLlwHzz3k9Lac:yhBRKedW7JHveGg3bdv4VBwKEjJ8e5O/
Score

10^/10

njrat hacked discovery evasion persistence privilege_escalation trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Disables Task Manager via registry modification
  evasion
- Drops file in Drivers directory
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njrathackeddiscoveryevasionpersistenceprivilege_escalationtrojan

behavioral2

njrathackeddiscoveryevasionpersistenceprivilege_escalationtrojan