njrat | 263a3b04d6cc97c62f984c326ffa98ba38b077e06a9c3d4b79d734c34ceb30ee | Triage

Sharing

General

Target

263a3b04d6cc97c62f984c326ffa98ba38b077e06a9c3d4b79d734c34ceb30eeN.exe
Size

55KB
Sample

241126-flcgnsskfl
MD5

505c5271b804039b329f346d550e4590
SHA1

0583bff4aef09b6698e6903118568ade640252d9
SHA256

263a3b04d6cc97c62f984c326ffa98ba38b077e06a9c3d4b79d734c34ceb30ee
SHA512

a6ac8e886dfcae0dea31e83df7c702be23e6c39c2ece4a7da3d31f3c8fbb9aa503df78bd99f28dedde5bedef8185ba498a139dea73dc5cf1b0a1dc4e88cc7daf
SSDEEP

1536:SXJYUmUYaB3Ky8ibpUfR/WViL8cIbJDLtff:WYe5EyNbkuVioBd9ff

Score

10^/10

njrat 1 discovery execution persistence trojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

1

C2

172.0.0.1:11111

94.131.109.101:11111

Mutex

bea40e08f77dcbe9528c9454b4346452

Attributes

reg_key
bea40e08f77dcbe9528c9454b4346452
splitter
|'|'|

Targets

- Target
  
  263a3b04d6cc97c62f984c326ffa98ba38b077e06a9c3d4b79d734c34ceb30eeN.exe
- Size
  
  55KB
- MD5
  
  505c5271b804039b329f346d550e4590
- SHA1
  
  0583bff4aef09b6698e6903118568ade640252d9
- SHA256
  
  263a3b04d6cc97c62f984c326ffa98ba38b077e06a9c3d4b79d734c34ceb30ee
- SHA512
  
  a6ac8e886dfcae0dea31e83df7c702be23e6c39c2ece4a7da3d31f3c8fbb9aa503df78bd99f28dedde5bedef8185ba498a139dea73dc5cf1b0a1dc4e88cc7daf
- SSDEEP
  
  1536:SXJYUmUYaB3Ky8ibpUfR/WViL8cIbJDLtff:WYe5EyNbkuVioBd9ff
Score

10^/10

njrat 1 discovery execution persistence trojan
- Njrat family
  njrat
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njrat1discoveryexecutionpersistencetrojan

behavioral2

njrat1discoveryexecutionpersistencetrojan