njrat | 13bef39270529e1df4aa7e4e9847921b142c24e2cba831e59ff3b7129dcf9755 | Triage

Sharing

General

Target

Latest Remcos + Crypter.zip
Size

31.9MB
Sample

241006-dvfvca1emm
MD5

0bda1e6247a58f3eca5eed3d111ffa88
SHA1

03102f5ebf71d2db33f5a869142ebce9b8f6ecf8
SHA256

13bef39270529e1df4aa7e4e9847921b142c24e2cba831e59ff3b7129dcf9755
SHA512

b475188892d952324416e33604eb0f57457075e74aeeb4975fa4275ca2a72a846cca604529fe053a02b0b04156c0cd3c862caaf4da35fd754ea5b09108951ece
SSDEEP

786432:0kr3y08vKrqKC+jvQWCvbTzR2xEVANyEWQD93MV:0wClGC+MWAbTcSA8EWQR3W

Score

10^/10

njrat hacked discovery evasion persistence privilege_escalation trojan vmprotect

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

dllsys.duckdns.org:3202

Mutex

3b570ffeeb3d34249b9a5ce0ee58a328

Attributes

reg_key
3b570ffeeb3d34249b9a5ce0ee58a328
splitter
svchost

Targets

- Target
  
  Latest Remcos + Crypter.zip
- Size
  
  31.9MB
- MD5
  
  0bda1e6247a58f3eca5eed3d111ffa88
- SHA1
  
  03102f5ebf71d2db33f5a869142ebce9b8f6ecf8
- SHA256
  
  13bef39270529e1df4aa7e4e9847921b142c24e2cba831e59ff3b7129dcf9755
- SHA512
  
  b475188892d952324416e33604eb0f57457075e74aeeb4975fa4275ca2a72a846cca604529fe053a02b0b04156c0cd3c862caaf4da35fd754ea5b09108951ece
- SSDEEP
  
  786432:0kr3y08vKrqKC+jvQWCvbTzR2xEVANyEWQD93MV:0wClGC+MWAbTcSA8EWQR3W
Score

10^/10

njrat hacked discovery evasion persistence privilege_escalation trojan vmprotect
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Executes dropped EXE
- Loads dropped DLL
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njrathackeddiscoveryevasionpersistenceprivilege_escalationtrojanvmprotect