njrat | 55c09e2d816cf1cd9dd61aaf5929dde2ad194607013875cec32491865b35216d | Triage

Sharing

General

Target

55c09e2d816cf1cd9dd61aaf5929dde2ad194607013875cec32491865b35216dN
Size

93KB
Sample

241109-qgb1fsvepm
MD5

6c4d2452cf967605051579479de8e3a0
SHA1

980c0088d1b1ee9cd5e7a0dbc614b09d9d893cfb
SHA256

55c09e2d816cf1cd9dd61aaf5929dde2ad194607013875cec32491865b35216d
SHA512

f4f96d101e53179b5224bc29149df11446161e4a93d56928c6c23e718dcc4e3099a76633b51eac64a9e48101f978cf843971cb259772106c08af475cfc28558a
SSDEEP

1536:AUhSyh6zaoFjuFCVR5jEwzGi1dDVDigS:AUKzaujuCRWi1dRH

Score

10^/10

njrat hacked discovery evasion persistence privilege_escalation

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

hakim32.ddns.net:2000

6.tcp.eu.ngrok.io:10665

Mutex

503b153ce98cc50ea4d9ae75c01d9f4e

Attributes

reg_key
503b153ce98cc50ea4d9ae75c01d9f4e
splitter
|'|'|

Targets

- Target
  
  55c09e2d816cf1cd9dd61aaf5929dde2ad194607013875cec32491865b35216dN
- Size
  
  93KB
- MD5
  
  6c4d2452cf967605051579479de8e3a0
- SHA1
  
  980c0088d1b1ee9cd5e7a0dbc614b09d9d893cfb
- SHA256
  
  55c09e2d816cf1cd9dd61aaf5929dde2ad194607013875cec32491865b35216d
- SHA512
  
  f4f96d101e53179b5224bc29149df11446161e4a93d56928c6c23e718dcc4e3099a76633b51eac64a9e48101f978cf843971cb259772106c08af475cfc28558a
- SSDEEP
  
  1536:AUhSyh6zaoFjuFCVR5jEwzGi1dDVDigS:AUKzaujuCRWi1dRH
Score

8^/10

discovery evasion persistence privilege_escalation
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Legitimate hosting services abused for malware hosting/C2
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

discoveryevasionpersistenceprivilege_escalation

behavioral2

discoveryevasionpersistenceprivilege_escalation