njrat | d34abc3c57ef631e518b3d394be349a2eec8165079094f9e6873ec9452eedc1f | Triage

Sharing

General

Target

d34abc3c57ef631e518b3d394be349a2eec8165079094f9e6873ec9452eedc1fN
Size

32KB
Sample

241022-jfj64sthma
MD5

c29ef39a7f68e2814d8e5fbc478ab300
SHA1

db9f8313ebad749f053a2407cfb4e10ac09f3d3e
SHA256

d34abc3c57ef631e518b3d394be349a2eec8165079094f9e6873ec9452eedc1f
SHA512

61adb1be14c219b6706cd40f5207588ff11ff8bbcef02f782b8c59279810a874ef24dacfbd93c957cf1a0ea5dc40497242aaed0dbf79407733619c4c22defb63
SSDEEP

384:9+5o4U+mVQQyQJsixtePRuRMNFPIk+TWq4lDModg9TdFpyFEIGsJjwE7UMcrie4C:0uV4kteSspiouDbEEIGfRi+f

Score

10^/10

njrat hnz-shop discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Botnet

HNZ-shop

Mutex

f385d8dcb5c800d47c63cbb487c6cade

Attributes

reg_key
f385d8dcb5c800d47c63cbb487c6cade

Targets

- Target
  
  d34abc3c57ef631e518b3d394be349a2eec8165079094f9e6873ec9452eedc1fN
- Size
  
  32KB
- MD5
  
  c29ef39a7f68e2814d8e5fbc478ab300
- SHA1
  
  db9f8313ebad749f053a2407cfb4e10ac09f3d3e
- SHA256
  
  d34abc3c57ef631e518b3d394be349a2eec8165079094f9e6873ec9452eedc1f
- SHA512
  
  61adb1be14c219b6706cd40f5207588ff11ff8bbcef02f782b8c59279810a874ef24dacfbd93c957cf1a0ea5dc40497242aaed0dbf79407733619c4c22defb63
- SSDEEP
  
  384:9+5o4U+mVQQyQJsixtePRuRMNFPIk+TWq4lDModg9TdFpyFEIGsJjwE7UMcrie4C:0uV4kteSspiouDbEEIGfRi+f
Score

10^/10

njrat hnz-shop discovery evasion persistence privilege_escalation trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njrathnz-shopdiscoveryevasionpersistenceprivilege_escalationtrojan

behavioral2

njratdiscoveryevasionpersistenceprivilege_escalationtrojan