njrat | c8d3c048a92b468514343ac258e5c8047ea66ef3b54e4f4200f7243de06ae31f | Triage

Sharing

General

Target

c8d3c048a92b468514343ac258e5c8047ea66ef3b54e4f4200f7243de06ae31fN
Size

37KB
Sample

241028-kafr6sveln
MD5

0e78a49bf12394a06cf511f72d76c040
SHA1

6bac7cc2f03a22654151501a02570b41a9db4365
SHA256

c8d3c048a92b468514343ac258e5c8047ea66ef3b54e4f4200f7243de06ae31f
SHA512

f5a5797326eae328f3876889c1e4f07d7fb853df6dd1a06545696c2fcc59ae1a9fc1b28f1c4a3b1f592016c31ac20c0704531d8d68b8208040f2b1aef1c0e962
SSDEEP

384:ckaIiudjtD+P3V+y0b3+LCtf1QseiXFrAF+rMRTyN/0L+EcoinblneHQM3epzXV2:fFmV10b3+LCtCViVrM+rMRa8Nuzyt

Score

10^/10

njrat man discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

Man

C2

0.tcp.eu.ngrok.io:11347

Mutex

658861a468f9c892637f296b375f895a

Attributes

reg_key
658861a468f9c892637f296b375f895a
splitter
|'|'|

Targets

- Target
  
  c8d3c048a92b468514343ac258e5c8047ea66ef3b54e4f4200f7243de06ae31fN
- Size
  
  37KB
- MD5
  
  0e78a49bf12394a06cf511f72d76c040
- SHA1
  
  6bac7cc2f03a22654151501a02570b41a9db4365
- SHA256
  
  c8d3c048a92b468514343ac258e5c8047ea66ef3b54e4f4200f7243de06ae31f
- SHA512
  
  f5a5797326eae328f3876889c1e4f07d7fb853df6dd1a06545696c2fcc59ae1a9fc1b28f1c4a3b1f592016c31ac20c0704531d8d68b8208040f2b1aef1c0e962
- SSDEEP
  
  384:ckaIiudjtD+P3V+y0b3+LCtf1QseiXFrAF+rMRTyN/0L+EcoinblneHQM3epzXV2:fFmV10b3+LCtCViVrM+rMRa8Nuzyt
Score

10^/10

njrat man discovery evasion persistence privilege_escalation trojan
- Njrat family
  njrat
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

njratmandiscoveryevasionpersistenceprivilege_escalationtrojan

behavioral2

discoveryevasionpersistenceprivilege_escalation