njrat | 233f9f88c16fb185eb91f4afc116b808eb8fa5fd0cf1b3d3a92ec6732c56314b | Triage

Sharing

General

Target

Bootstrapper.exe
Size

19.0MB
Sample

241019-rd7hma1hnl
MD5

4581b2e238f1dad629dc72c168b2be8e
SHA1

74dce1860065aad35cb68115545bdf862bddb775
SHA256

233f9f88c16fb185eb91f4afc116b808eb8fa5fd0cf1b3d3a92ec6732c56314b
SHA512

dcea04ffffdf35107a0cd6998eaef3f91270985c80028c206f59ae7d9b193defb3089826a7d1118391f849618904fdf7e77621348531b711d2eac89f422d132a
SSDEEP

24576:tigOpgzfDfMSCWk6/SCOqZkHIyGigOpgzfDfMSCWk6/SCOqZkHIy:dB5CW9/SCzhycB5CW9/SCzhy

Score

10^/10

njrat hacked defense_evasion discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

hakim32.ddns.net:2000

86.1.93.186:25565

Mutex

7b8566fe52762c19d1b844b254fc8d30

Attributes

reg_key
7b8566fe52762c19d1b844b254fc8d30
splitter
|'|'|

Targets

- Target
  
  Bootstrapper.exe
- Size
  
  19.0MB
- MD5
  
  4581b2e238f1dad629dc72c168b2be8e
- SHA1
  
  74dce1860065aad35cb68115545bdf862bddb775
- SHA256
  
  233f9f88c16fb185eb91f4afc116b808eb8fa5fd0cf1b3d3a92ec6732c56314b
- SHA512
  
  dcea04ffffdf35107a0cd6998eaef3f91270985c80028c206f59ae7d9b193defb3089826a7d1118391f849618904fdf7e77621348531b711d2eac89f422d132a
- SSDEEP
  
  24576:tigOpgzfDfMSCWk6/SCOqZkHIyGigOpgzfDfMSCWk6/SCOqZkHIy:dB5CW9/SCzhycB5CW9/SCzhy
Score

10^/10

njrat hacked defense_evasion discovery evasion persistence privilege_escalation trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Blocklisted process makes network request
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Obfuscated Files or Information: Command Obfuscation
  Adversaries may obfuscate content during command execution to impede detection.
  defense_evasion
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

Execution

Command and Scripting Interpreter

Persistence

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Obfuscated Files or Information

Command Obfuscation

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Replication Through Removable Media

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njrathackeddefense_evasiondiscoveryevasionpersistenceprivilege_escalationtrojan

behavioral2

defense_evasiondiscoveryevasionpersistenceprivilege_escalation