njrat | 16d8c0cfac3c43e1d17313f4334e1bd2a70f5a6e5fc0988f6d6fbf7d0e81fa9a | Triage

Sharing

General

Target

16d8c0cfac3c43e1d17313f4334e1bd2a70f5a6e5fc0988f6d6fbf7d0e81fa9aN
Size

23KB
Sample

241004-a971lawapm
MD5

729a012fd89a474cd391f7f228146e70
SHA1

c8cdf2d137b3f72f3d6ae84335fbb925bbcb67e0
SHA256

16d8c0cfac3c43e1d17313f4334e1bd2a70f5a6e5fc0988f6d6fbf7d0e81fa9a
SHA512

7b8ff9a4b2c29401aad98b63089bb790459905ecf354bd3a101ad090d601587d73e20d72b2fa8f0a863eb22878772e812db945c6b79cdf2f6130dbca983aff93
SSDEEP

384:O9W/7X6YrGVIhIoN88oim4OszR46vg5Uhc2bOnimRvR6JZlbw8hqIusZzZRSi:HYkiDN4JERpcnuI

Score

10^/10

njrat facebook hack discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

Facebook Hack

C2

by-sabotage123.duckdns.org:1177

Mutex

78ad4d6586800f53d998e03fcce6607b

Attributes

reg_key
78ad4d6586800f53d998e03fcce6607b
splitter
|'|'|

Targets

- Target
  
  16d8c0cfac3c43e1d17313f4334e1bd2a70f5a6e5fc0988f6d6fbf7d0e81fa9aN
- Size
  
  23KB
- MD5
  
  729a012fd89a474cd391f7f228146e70
- SHA1
  
  c8cdf2d137b3f72f3d6ae84335fbb925bbcb67e0
- SHA256
  
  16d8c0cfac3c43e1d17313f4334e1bd2a70f5a6e5fc0988f6d6fbf7d0e81fa9a
- SHA512
  
  7b8ff9a4b2c29401aad98b63089bb790459905ecf354bd3a101ad090d601587d73e20d72b2fa8f0a863eb22878772e812db945c6b79cdf2f6130dbca983aff93
- SSDEEP
  
  384:O9W/7X6YrGVIhIoN88oim4OszR46vg5Uhc2bOnimRvR6JZlbw8hqIusZzZRSi:HYkiDN4JERpcnuI
Score

10^/10

njrat facebook hack discovery evasion persistence privilege_escalation trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

facebook hacknjrat

behavioral1

njratfacebook hackdiscoveryevasionpersistenceprivilege_escalationtrojan

behavioral2

njratdiscoveryevasionpersistenceprivilege_escalationtrojan