njrat | 06d377125a4e24ce83f0f393808c341d6e5273923b21e6c98d5f91597ed2b0c7 | Triage

Sharing

General

Target

06d377125a4e24ce83f0f393808c341d6e5273923b21e6c98d5f91597ed2b0c7N.exe
Size

863KB
Sample

241128-qszkwsvkep
MD5

0c1dd5cc8d2c0450a84fb221c575f170
SHA1

66dbb24a53a4b28c80cd91283fa1028f4b4f98b9
SHA256

06d377125a4e24ce83f0f393808c341d6e5273923b21e6c98d5f91597ed2b0c7
SHA512

b130e6fcfb05cbe71393b6a11957d1455e8daa499570dc79461c5cb0c853d66aca63f435da3606af51d6189ab229cc76bc3845cbb0eb22c73f198819f01da4f0
SSDEEP

12288:q4lsXvtCcmVVXzzn4PJAahPl/QEdIMiVbHydEIJnJWUgav7o6Fq9MmCS:q4lavt0LkLL9IMixoEgeajBFq9MmCS

Score

10^/10

njrat hacked discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

10.10.10.10:5552

Mutex

0dc24807523d3cd24b54cd0996e4c49b

Attributes

reg_key
0dc24807523d3cd24b54cd0996e4c49b
splitter
|'|'|

Targets

- Target
  
  06d377125a4e24ce83f0f393808c341d6e5273923b21e6c98d5f91597ed2b0c7N.exe
- Size
  
  863KB
- MD5
  
  0c1dd5cc8d2c0450a84fb221c575f170
- SHA1
  
  66dbb24a53a4b28c80cd91283fa1028f4b4f98b9
- SHA256
  
  06d377125a4e24ce83f0f393808c341d6e5273923b21e6c98d5f91597ed2b0c7
- SHA512
  
  b130e6fcfb05cbe71393b6a11957d1455e8daa499570dc79461c5cb0c853d66aca63f435da3606af51d6189ab229cc76bc3845cbb0eb22c73f198819f01da4f0
- SSDEEP
  
  12288:q4lsXvtCcmVVXzzn4PJAahPl/QEdIMiVbHydEIJnJWUgav7o6Fq9MmCS:q4lavt0LkLL9IMixoEgeajBFq9MmCS
Score

10^/10

njrat hacked discovery evasion persistence privilege_escalation trojan
- Njrat family
  njrat
- UAC bypass
  evasion trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Abuse Elevation Control Mechanism

Bypass User Account Control

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Abuse Elevation Control Mechanism

Bypass User Account Control

Impair Defenses

Disable or Modify System Firewall

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njrathackeddiscoveryevasionpersistenceprivilege_escalationtrojan

behavioral2

njratdiscoveryevasionpersistenceprivilege_escalationtrojan