njrat | 12b416b5429b719231eb729b6bd602e69085677616cd47aa0595d42161d5a485 | Triage

Sharing

General

Target

12b416b5429b719231eb729b6bd602e69085677616cd47aa0595d42161d5a485N.exe
Size

584KB
Sample

241127-1lwkrs1rfv
MD5

488106a5ca274bef94d5dd8c8cd23060
SHA1

1e291b498ff752b54a93aeb70b0819d2f439b088
SHA256

12b416b5429b719231eb729b6bd602e69085677616cd47aa0595d42161d5a485
SHA512

507f8b16e4d015bb47ec9bab7c48a4be533b50987bd912fe487ae1c6bab2149c1cac12de12e8c57971147ac677daa7c828f5f878c0bfc55f6c44a882f1c35163
SSDEEP

12288:mqEfpOSxyOF6q/68tLZL+w2hK3x8HPObaoE3anW2YrdA:mqSOStFYA+Kh8HPObfEqner

Score

10^/10

njrat hacked discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

HacKed

C2

aboudmonster.no-ip.biz:1177

Mutex

0e8ba634604a9137fcb419c959897c24

Attributes

reg_key
0e8ba634604a9137fcb419c959897c24
splitter
|'|'|

Targets

- Target
  
  12b416b5429b719231eb729b6bd602e69085677616cd47aa0595d42161d5a485N.exe
- Size
  
  584KB
- MD5
  
  488106a5ca274bef94d5dd8c8cd23060
- SHA1
  
  1e291b498ff752b54a93aeb70b0819d2f439b088
- SHA256
  
  12b416b5429b719231eb729b6bd602e69085677616cd47aa0595d42161d5a485
- SHA512
  
  507f8b16e4d015bb47ec9bab7c48a4be533b50987bd912fe487ae1c6bab2149c1cac12de12e8c57971147ac677daa7c828f5f878c0bfc55f6c44a882f1c35163
- SSDEEP
  
  12288:mqEfpOSxyOF6q/68tLZL+w2hK3x8HPObaoE3anW2YrdA:mqSOStFYA+Kh8HPObfEqner
Score

10^/10

njrat hacked discovery evasion persistence privilege_escalation trojan
- Njrat family
  njrat
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njrathackeddiscoveryevasionpersistenceprivilege_escalationtrojan

behavioral2

njrathackeddiscoveryevasionpersistenceprivilege_escalationtrojan