njrat | e8561a2b79ca2be47a6d67e1ea56c05bba0bb82ceada5171b960b4041e98015a | Triage

Sharing

General

Target

e8561a2b79ca2be47a6d67e1ea56c05bba0bb82ceada5171b960b4041e98015a
Size

93KB
Sample

241114-ecby4sthnh
MD5

d7526430b723e5b9b90defdb347897d4
SHA1

00c6e39049ebbae9718f16ec6e12c6ddcff15ac3
SHA256

e8561a2b79ca2be47a6d67e1ea56c05bba0bb82ceada5171b960b4041e98015a
SHA512

3efa57f9ef73e6349c728406157dcd6b420910e6c41c5e4c4d6460f9c12dbe497dce2ee1a82de118f78c997e579596be8de7ec3d66df20622e036c43ede18afe
SSDEEP

768:hY3EcnD9O/pBcxYsbae6GIXb9pDX2t98PL0OXLeuXxrjEtCdnl2pi1Rz4Rk3+sGV:fcxOx6baIa9RZj00ljEwzGi1dDaDxgS

Score

10^/10

njrat hacked discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

hakim32.ddns.net:2000

127.0.0.1:6666

Mutex

8a3cf8914d8cac12109f94013603d456

Attributes

reg_key
8a3cf8914d8cac12109f94013603d456
splitter
|'|'|

Targets

- Target
  
  e8561a2b79ca2be47a6d67e1ea56c05bba0bb82ceada5171b960b4041e98015a
- Size
  
  93KB
- MD5
  
  d7526430b723e5b9b90defdb347897d4
- SHA1
  
  00c6e39049ebbae9718f16ec6e12c6ddcff15ac3
- SHA256
  
  e8561a2b79ca2be47a6d67e1ea56c05bba0bb82ceada5171b960b4041e98015a
- SHA512
  
  3efa57f9ef73e6349c728406157dcd6b420910e6c41c5e4c4d6460f9c12dbe497dce2ee1a82de118f78c997e579596be8de7ec3d66df20622e036c43ede18afe
- SSDEEP
  
  768:hY3EcnD9O/pBcxYsbae6GIXb9pDX2t98PL0OXLeuXxrjEtCdnl2pi1Rz4Rk3+sGV:fcxOx6baIa9RZj00ljEwzGi1dDaDxgS
Score

10^/10

njrat hacked discovery evasion persistence privilege_escalation trojan
- Njrat family
  njrat
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

Execution

Persistence

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Replication Through Removable Media

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njrathackeddiscoveryevasionpersistenceprivilege_escalationtrojan

behavioral2

discoveryevasionpersistenceprivilege_escalation