njrat | 5ce9205b64a51a7adfb8bdeaa435a236c4494ea48807f78908d23d22dfab3d59 | Triage

Sharing

General

Target

5ce9205b64a51a7adfb8bdeaa435a236c4494ea48807f78908d23d22dfab3d59N
Size

348KB
Sample

241005-3ek7ka1ajh
MD5

5a4e27541341d772ee6d16fab28c8ea0
SHA1

1b3e1a82c65232771248f81f98775233570a1f90
SHA256

5ce9205b64a51a7adfb8bdeaa435a236c4494ea48807f78908d23d22dfab3d59
SHA512

f038346a626020bae8280ec5faa64cb9ab1c6ccccbe902d72adf44925a815de422816d1b66caf9a1e6ca73e89ce70b9413334861418db09507f39884a3956e38
SSDEEP

6144:cLapjj8Mr113WaVplAFM9TXR1SHOCW4gGrPP5PbwL54jl59TBWAzNh:cLapjj8Mr113WaVy4XTfCWTGrPxbs54q

Score

10^/10

njrat hacked by van discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed by van

C2

devilboydevilhere.strangled.net:5552

Mutex

4fe01d78ee168446922dd4aa533f849b

Attributes

reg_key
4fe01d78ee168446922dd4aa533f849b
splitter
|'|'|

Targets

- Target
  
  5ce9205b64a51a7adfb8bdeaa435a236c4494ea48807f78908d23d22dfab3d59N
- Size
  
  348KB
- MD5
  
  5a4e27541341d772ee6d16fab28c8ea0
- SHA1
  
  1b3e1a82c65232771248f81f98775233570a1f90
- SHA256
  
  5ce9205b64a51a7adfb8bdeaa435a236c4494ea48807f78908d23d22dfab3d59
- SHA512
  
  f038346a626020bae8280ec5faa64cb9ab1c6ccccbe902d72adf44925a815de422816d1b66caf9a1e6ca73e89ce70b9413334861418db09507f39884a3956e38
- SSDEEP
  
  6144:cLapjj8Mr113WaVplAFM9TXR1SHOCW4gGrPP5PbwL54jl59TBWAzNh:cLapjj8Mr113WaVy4XTfCWTGrPxbs54q
Score

10^/10

njrat hacked by van discovery evasion persistence privilege_escalation trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njrathacked by vandiscoveryevasionpersistenceprivilege_escalationtrojan

behavioral2

njratdiscoveryevasionpersistenceprivilege_escalationtrojan