njrat | 79a3409077b08f5f71c8d56636b5cbc3205228c73073c2815b7c5b9fc97079d2 | Triage

Sharing

General

Target

79a3409077b08f5f71c8d56636b5cbc3205228c73073c2815b7c5b9fc97079d2N
Size

1.5MB
Sample

241025-tts2aayqhx
MD5

4e8605fc4f563367bfc6c17b0814f9e0
SHA1

baf0a6501d82494cb3e6787bae049f89348a6bec
SHA256

79a3409077b08f5f71c8d56636b5cbc3205228c73073c2815b7c5b9fc97079d2
SHA512

5ca177c98c54bfb318ac59a4a55a4cc07d0d667e9e48e139d1ec8dded53946345d5b623148cfabb98030ef9e976b30cad429fb62c9c9dd4b25b8930f3c2e41ae
SSDEEP

49152:ZUZMwyarkY6PQ5LeGJO8cH7mO2+Behc3WsP2b2OW:Znw8lRGwVHap+f3Ws+yP

Score

10^/10

njrat hacked discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

hakim32.ddns.net:2000

legendek.viewdns.net:2228

Mutex

56fe2dd164a1d408bef67d69fd4219dd

Attributes

reg_key
56fe2dd164a1d408bef67d69fd4219dd
splitter
|'|'|

Targets

- Target
  
  79a3409077b08f5f71c8d56636b5cbc3205228c73073c2815b7c5b9fc97079d2N
- Size
  
  1.5MB
- MD5
  
  4e8605fc4f563367bfc6c17b0814f9e0
- SHA1
  
  baf0a6501d82494cb3e6787bae049f89348a6bec
- SHA256
  
  79a3409077b08f5f71c8d56636b5cbc3205228c73073c2815b7c5b9fc97079d2
- SHA512
  
  5ca177c98c54bfb318ac59a4a55a4cc07d0d667e9e48e139d1ec8dded53946345d5b623148cfabb98030ef9e976b30cad429fb62c9c9dd4b25b8930f3c2e41ae
- SSDEEP
  
  49152:ZUZMwyarkY6PQ5LeGJO8cH7mO2+Behc3WsP2b2OW:Znw8lRGwVHap+f3Ws+yP
Score

10^/10

njrat hacked discovery evasion persistence privilege_escalation trojan
- Njrat family
  njrat
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Downloads MZ/PE file
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njrathackeddiscoveryevasionpersistenceprivilege_escalationtrojan

behavioral2

njrathackeddiscoveryevasionpersistenceprivilege_escalationtrojan