njrat | 5e2a88dd923a18325792406702d32e3cb057126f946e037bcf34e9f9ba6321cf | Triage

Sharing

General

Target

5e2a88dd923a18325792406702d32e3cb057126f946e037bcf34e9f9ba6321cf.exe
Size

23KB
Sample

241126-nsc1sazjbs
MD5

3549c51a0c4799dc7c7a6a69e1a708a8
SHA1

d8e7d428b90a8e596a9615ba1c43780bbe93e655
SHA256

5e2a88dd923a18325792406702d32e3cb057126f946e037bcf34e9f9ba6321cf
SHA512

f67f6567056a51ce032ea6889d602835d273672328ebdad5fd228a658bf0b3e5a5b24edd6cd955620235e14adf8bbb0d315b1ed2e2ea15f431c4ca9d34259e25
SSDEEP

384:jYmdk8XvCJrQLdRGSiEYF7Y65gPyx6BDXNRmRvR6JZlbw8hqIusZzZX4x:swWkti/aeRpcnubx

Score

10^/10

njrat lammer discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

Lammer

C2

nzweb2008-22511.portmap.host:22511

Mutex

334f132010bbc79a6e7c28a01892af18

Attributes

reg_key
334f132010bbc79a6e7c28a01892af18
splitter
|'|'|

Targets

- Target
  
  5e2a88dd923a18325792406702d32e3cb057126f946e037bcf34e9f9ba6321cf.exe
- Size
  
  23KB
- MD5
  
  3549c51a0c4799dc7c7a6a69e1a708a8
- SHA1
  
  d8e7d428b90a8e596a9615ba1c43780bbe93e655
- SHA256
  
  5e2a88dd923a18325792406702d32e3cb057126f946e037bcf34e9f9ba6321cf
- SHA512
  
  f67f6567056a51ce032ea6889d602835d273672328ebdad5fd228a658bf0b3e5a5b24edd6cd955620235e14adf8bbb0d315b1ed2e2ea15f431c4ca9d34259e25
- SSDEEP
  
  384:jYmdk8XvCJrQLdRGSiEYF7Y65gPyx6BDXNRmRvR6JZlbw8hqIusZzZX4x:swWkti/aeRpcnubx
Score

10^/10

njrat lammer discovery evasion persistence privilege_escalation trojan
- Njrat family
  njrat
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njratlammerdiscoveryevasionpersistenceprivilege_escalationtrojan

behavioral2

njratdiscoveryevasionpersistenceprivilege_escalationtrojan