njrat | 2a61cdee5f9d7dd4930aef9774a9bb909fb15e3c62f5dcad5d7c9843ffc4c3b1 | Triage

Sharing

General

Target

2a61cdee5f9d7dd4930aef9774a9bb909fb15e3c62f5dcad5d7c9843ffc4c3b1N
Size

531KB
Sample

241109-vl25naxmfw
MD5

5672033192553965f397e00cc5ed2b90
SHA1

4238c1c5240ad9332e58c4bca9305cb3ae57c9eb
SHA256

2a61cdee5f9d7dd4930aef9774a9bb909fb15e3c62f5dcad5d7c9843ffc4c3b1
SHA512

ef743cbf8060a11748a430b618165ab7885b4d3ff6aca51b50d59ac3ab3a2ec2cc9ad11befd217c76c3124e1d89320e215acc1a42fbc0b838840638b982a284e
SSDEEP

12288:quhrOarWLTR2viEmOG6LZgE5T/j85ZGyOcqz5:qx2HzG6lTb8WyOck5

Score

10^/10

njrat beka discovery evasion execution persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

BEKA

C2

ronymahmoud.casacam.net:1177

Mutex

32bad0fc686dd5769ff8860131056010

Attributes

reg_key
32bad0fc686dd5769ff8860131056010
splitter
|'|'|

Targets

- Target
  
  2a61cdee5f9d7dd4930aef9774a9bb909fb15e3c62f5dcad5d7c9843ffc4c3b1N
- Size
  
  531KB
- MD5
  
  5672033192553965f397e00cc5ed2b90
- SHA1
  
  4238c1c5240ad9332e58c4bca9305cb3ae57c9eb
- SHA256
  
  2a61cdee5f9d7dd4930aef9774a9bb909fb15e3c62f5dcad5d7c9843ffc4c3b1
- SHA512
  
  ef743cbf8060a11748a430b618165ab7885b4d3ff6aca51b50d59ac3ab3a2ec2cc9ad11befd217c76c3124e1d89320e215acc1a42fbc0b838840638b982a284e
- SSDEEP
  
  12288:quhrOarWLTR2viEmOG6LZgE5T/j85ZGyOcqz5:qx2HzG6lTb8WyOck5
Score

10^/10

njrat beka discovery evasion execution persistence privilege_escalation trojan
- Njrat family
  njrat
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Scheduled Task/Job

Scheduled Task

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njratbekadiscoveryevasionexecutionpersistenceprivilege_escalationtrojan

behavioral2

njratbekadiscoveryevasionexecutionpersistenceprivilege_escalationtrojan