njrat | d31468f4f668dcfc7630378ea31a4b2a724f924a7da87fa07738da8308aee2e2 | Triage

Sharing

General

Target

d31468f4f668dcfc7630378ea31a4b2a724f924a7da87fa07738da8308aee2e2N
Size

2.5MB
Sample

241007-mx2z2a1emq
MD5

2ca9585c7d3554321723cfab60ade3c0
SHA1

62b0a7357607fb7266fb69db4525868cebad74ce
SHA256

d31468f4f668dcfc7630378ea31a4b2a724f924a7da87fa07738da8308aee2e2
SHA512

1e069595a79b6305c5656c3ce5ae856ca9f22ebce86dc5bb411d9ced1fc5c5b36c9f170d2133e4e43adfbe469a6f5d3687767aeb28af22faba430f93bc5bc4d9
SSDEEP

49152:C8botmhl9Dd/byTKv0hwxetvSWNv/cL85m:P

Score

10^/10

njrat user discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

user

C2

windowssistem.duckdns.org:5020

Mutex

cff070eafb77e420cce40ff9e3f8a491

Attributes

reg_key
cff070eafb77e420cce40ff9e3f8a491
splitter
|'|'|

Targets

- Target
  
  d31468f4f668dcfc7630378ea31a4b2a724f924a7da87fa07738da8308aee2e2N
- Size
  
  2.5MB
- MD5
  
  2ca9585c7d3554321723cfab60ade3c0
- SHA1
  
  62b0a7357607fb7266fb69db4525868cebad74ce
- SHA256
  
  d31468f4f668dcfc7630378ea31a4b2a724f924a7da87fa07738da8308aee2e2
- SHA512
  
  1e069595a79b6305c5656c3ce5ae856ca9f22ebce86dc5bb411d9ced1fc5c5b36c9f170d2133e4e43adfbe469a6f5d3687767aeb28af22faba430f93bc5bc4d9
- SSDEEP
  
  49152:C8botmhl9Dd/byTKv0hwxetvSWNv/cL85m:P
Score

10^/10

njrat user discovery evasion persistence privilege_escalation trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njratuserdiscoveryevasionpersistenceprivilege_escalationtrojan

behavioral2

njratdiscoveryevasionpersistenceprivilege_escalationtrojan