njrat | 9c3b2fbc16a9de445cb29b54df0640e490842071a7cc56741b2849b79f40b1b4 | Triage

Sharing

General

Target

9c3b2fbc16a9de445cb29b54df0640e490842071a7cc56741b2849b79f40b1b4
Size

691KB
Sample

241022-bhv3dszdlp
MD5

cb388bfc451183d5e8f4dae5bcaa42c5
SHA1

7c1979d5b07d61be4e15de5a028d8631ee75c413
SHA256

9c3b2fbc16a9de445cb29b54df0640e490842071a7cc56741b2849b79f40b1b4
SHA512

46f65cd29c4bf35f25507b7aa25dddfb28283f5981607b41e87e164bb6cdc9d56d1b66ae63b4e88bcb624bf86687d58b6a8266102d73b170bf55aff438d9c106
SSDEEP

12288:NLMEalqxXblqoRX5qbfphLxaOzOpSX0+Tlbsl+YQSn:ZqaXNabfphLxanSk+xTpSn

Score

10^/10

njrat hacked evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

127.0.0.1:888

Mutex

129295b2f84871f6432468d2e8802e81

Attributes

reg_key
129295b2f84871f6432468d2e8802e81
splitter
|'|'|

Targets

- Target
  
  9c3b2fbc16a9de445cb29b54df0640e490842071a7cc56741b2849b79f40b1b4
- Size
  
  691KB
- MD5
  
  cb388bfc451183d5e8f4dae5bcaa42c5
- SHA1
  
  7c1979d5b07d61be4e15de5a028d8631ee75c413
- SHA256
  
  9c3b2fbc16a9de445cb29b54df0640e490842071a7cc56741b2849b79f40b1b4
- SHA512
  
  46f65cd29c4bf35f25507b7aa25dddfb28283f5981607b41e87e164bb6cdc9d56d1b66ae63b4e88bcb624bf86687d58b6a8266102d73b170bf55aff438d9c106
- SSDEEP
  
  12288:NLMEalqxXblqoRX5qbfphLxaOzOpSX0+Tlbsl+YQSn:ZqaXNabfphLxanSk+xTpSn
Score

10^/10

njrat hacked evasion persistence privilege_escalation trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njrathackedevasionpersistenceprivilege_escalationtrojan

behavioral2

njrathackedevasionpersistenceprivilege_escalationtrojan