njrat | 1275aa3de74112f8fd4aa2bd856fccb732cf337edadc3e92a7e11b732775f53e | Triage

Sharing

General

Target

ft.server.exe
Size

37KB
Sample

241126-rfjjks1jcr
MD5

e481569ecba8befd9971a1644b1a6f0d
SHA1

e22e7b39866702efd0772fa96511ff871ad50781
SHA256

1275aa3de74112f8fd4aa2bd856fccb732cf337edadc3e92a7e11b732775f53e
SHA512

6ca77b99afebca543006c3e7dab63a24059a4d5cc18cd6fd8d2fe1a9c864823a3789a90ce4e94d2d67523bbd9a006ab487b62f44a8bf3bd5d985a5a0744d4191
SSDEEP

384:yINyQilEhHeTnMGiyMTp4vrijPMIvrAF+rMRTyN/0L+EcoinblneHQM3epzX/Nrj:1NHSMGxMTp4ubM+rM+rMRa8Nudrt

Score

10^/10

njrat discovery evasion persistence privilege_escalation

Malware Config

Extracted

Family

njrat

Version

im523

C2

7.tcp.eu.ngrok.io:12891

Mutex

04bb0b110981cae57c5751025fdf1d83

Attributes

reg_key
04bb0b110981cae57c5751025fdf1d83
splitter
|'|'|

Targets

- Target
  
  ft.server.exe
- Size
  
  37KB
- MD5
  
  e481569ecba8befd9971a1644b1a6f0d
- SHA1
  
  e22e7b39866702efd0772fa96511ff871ad50781
- SHA256
  
  1275aa3de74112f8fd4aa2bd856fccb732cf337edadc3e92a7e11b732775f53e
- SHA512
  
  6ca77b99afebca543006c3e7dab63a24059a4d5cc18cd6fd8d2fe1a9c864823a3789a90ce4e94d2d67523bbd9a006ab487b62f44a8bf3bd5d985a5a0744d4191
- SSDEEP
  
  384:yINyQilEhHeTnMGiyMTp4vrijPMIvrAF+rMRTyN/0L+EcoinblneHQM3epzX/Nrj:1NHSMGxMTp4ubM+rM+rMRa8Nudrt
Score

8^/10

discovery evasion persistence privilege_escalation
- Modifies Windows Firewall
  evasion
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Replication Through Removable Media

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

discoveryevasionpersistenceprivilege_escalation