njrat | a901e9357fd930774796430dbfbf9d77a35584b50ab478f69a482bf212f75792 | Triage

Sharing

General

Target

Remcos-Professional-Cracked-By-Alcatraz3222-master (1).zip
Size

17.3MB
Sample

241006-25m86svflc
MD5

94aabe33b1c788d3407703b7be909861
SHA1

59b02e42522f06b3128edebf67e369aca31ee39e
SHA256

a901e9357fd930774796430dbfbf9d77a35584b50ab478f69a482bf212f75792
SHA512

62d3e2d361d0f03885747a83c81ca1e1e73dc03a44f88a8cd7975086a0d3205765b86a743eea844a2f7841f0c49d3fb88be999bf41141ed9a086a087228e1f71
SSDEEP

393216:V+Y8LpIcxbEWd4rSrwcJY2sG1l/TTwizV1iBLzCoa+++OvPrT5:gyMwWqrXc+G1l7TwiRI9z8++TT5

Score

10^/10

njrat hacked discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

dllsys.duckdns.org:3202

Mutex

3b570ffeeb3d34249b9a5ce0ee58a328

Attributes

reg_key
3b570ffeeb3d34249b9a5ce0ee58a328
splitter
svchost

Targets

- Target
  
  Remcos Professional Cracked By Alcatraz3222/Remcos Professional Cracked By Alcatraz3222.exe
- Size
  
  17.7MB
- MD5
  
  efc159c7cf75545997f8c6af52d3e802
- SHA1
  
  b85bd368c91a13db1c5de2326deb25ad666c24c1
- SHA256
  
  898ac001d0f6c52c1001c640d9860287fdf30a648d580e9f5dd15e2ef84ab18e
- SHA512
  
  d06a432233dceb731defd53238971699fef201d0f9144ee50e5dd7d6620dfdd6c298d52618bf2c9feb0519574f4565fb0177b00fd8292768fbd8b85dd11e650d
- SSDEEP
  
  393216:GYuGvp8EHb+in8f4Zg41+Q4AXf5ZZcyfHDMxVpSc+q+eOFxdx:3mqSi8fN4sAXfrZcyfo7p0eYHx
Score

10^/10

discovery njrat hacked evasion persistence privilege_escalation trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Credential Access

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

njrathackeddiscoveryevasionpersistenceprivilege_escalationtrojan