njrat | a426c17474c33a3bc9f5088bebbe240e211696e33e5417a99615d04a5ff55fb3 | Triage

Sharing

General

Target

8d2dc9f89bbf0657829b0e6cc54e4df0N.exe
Size

2.0MB
Sample

241114-gp4k1avhkr
MD5

8d2dc9f89bbf0657829b0e6cc54e4df0
SHA1

3e715c611dfd6785cfe456d61b91f2b71ed9f629
SHA256

a426c17474c33a3bc9f5088bebbe240e211696e33e5417a99615d04a5ff55fb3
SHA512

b5421c8f3401b7e59b5e76967efef13875fc66a9d863e57e38e146c6528c73d8444dcfd0d61aab922367f14beee062919db6c1d50668660115da3d1b6b8a4b36
SSDEEP

24576:iKC8qbbQzLEGplivuaN7oCXmDNfwG92pmbcaQMwaTqYfwug1L:0rbUXEGpliz7oCWDPcacY

Score

10^/10

njrat 复复美制美 discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

复复美制美

C2

hakim32.ddns.net:2000

147.185.221.21:33869

Mutex

5d9b545ac4ee41f57768dba98a8ebbb2

Attributes

reg_key
5d9b545ac4ee41f57768dba98a8ebbb2
splitter
|'|'|

Targets

- Target
  
  8d2dc9f89bbf0657829b0e6cc54e4df0N.exe
- Size
  
  2.0MB
- MD5
  
  8d2dc9f89bbf0657829b0e6cc54e4df0
- SHA1
  
  3e715c611dfd6785cfe456d61b91f2b71ed9f629
- SHA256
  
  a426c17474c33a3bc9f5088bebbe240e211696e33e5417a99615d04a5ff55fb3
- SHA512
  
  b5421c8f3401b7e59b5e76967efef13875fc66a9d863e57e38e146c6528c73d8444dcfd0d61aab922367f14beee062919db6c1d50668660115da3d1b6b8a4b36
- SSDEEP
  
  24576:iKC8qbbQzLEGplivuaN7oCXmDNfwG92pmbcaQMwaTqYfwug1L:0rbUXEGpliz7oCWDPcacY
Score

10^/10

njrat 复复美制美 discovery evasion persistence privilege_escalation trojan
- Njrat family
  njrat
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Disables Task Manager via registry modification
  evasion
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Scheduled Task/Job

Scheduled Task

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njrat复复美制美discoveryevasionpersistenceprivilege_escalationtrojan

behavioral2

njrat复复美制美discoveryevasionpersistenceprivilege_escalationtrojan