njrat | f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903c | Triage

Sharing

General

Target

f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN
Size

206KB
Sample

241030-kc5t3s1lap
MD5

2f8441bc4045d18e7d474b1df005b570
SHA1

000e2f70084f4c26163603f7099f1f172a903566
SHA256

f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903c
SHA512

4c7ef5504862ed94ae5cfdb2380cc47ef99c9cdf0225e49dbafa228040b28214ba46b93414f24e8b80e1ec865278c1477b5b87d74a8594777bec268ed61315ab
SSDEEP

1536:NdF6Y9JIXfLrhoCMI7C98AIaAekdAGDYEasJqkUssXOcfaAJzYU4r/1CbSYlIePV:NR2FoCMI2aAIam1asJjUfFOderYRHQ

Score

10^/10

njrat discovery evasion persistence privilege_escalation spyware stealer trojan

Malware Config

Targets

- Target
  
  f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903cN
- Size
  
  206KB
- MD5
  
  2f8441bc4045d18e7d474b1df005b570
- SHA1
  
  000e2f70084f4c26163603f7099f1f172a903566
- SHA256
  
  f5b4c4a0edaf3db073165aaf9174e30daee1898180fec315258ad55e71e4903c
- SHA512
  
  4c7ef5504862ed94ae5cfdb2380cc47ef99c9cdf0225e49dbafa228040b28214ba46b93414f24e8b80e1ec865278c1477b5b87d74a8594777bec268ed61315ab
- SSDEEP
  
  1536:NdF6Y9JIXfLrhoCMI7C98AIaAekdAGDYEasJqkUssXOcfaAJzYU4r/1CbSYlIePV:NR2FoCMI2aAIam1asJjUfFOderYRHQ
Score

10^/10

njrat discovery evasion persistence privilege_escalation spyware stealer trojan
- Njrat family
  njrat
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njratdiscoveryevasionpersistenceprivilege_escalationspywarestealertrojan

behavioral2

discoveryspywarestealer