njrat | b6df3e2662f09e833ed1069cddd625f84c3984c17c29ef8a3a93c7805e0692f0 | Triage

Sharing

General

Target

b6df3e2662f09e833ed1069cddd625f84c3984c17c29ef8a3a93c7805e0692f0.exe
Size

300KB
Sample

241203-18altaspfl
MD5

01270ff6e341bbbce727b7b08c35fbf0
SHA1

049d0466652df9730972ee4351fcaf5f57042f2f
SHA256

b6df3e2662f09e833ed1069cddd625f84c3984c17c29ef8a3a93c7805e0692f0
SHA512

9d87f8f2e7fe25aac9c63528c0f1a4dd36eae0d183756bb85456f1e8aaee855ab603522353fe7446139b1d0f4aa0b46cb4ca96f2b8da724a5bf6abb0d2e09e4c
SSDEEP

1536:vDvE9TzQlzEyQ3FKeh+cMGgdP2WW5MeGD7BKb7+it2SDS29xlqU3u:vDvYgcscId+WWH2cDS29xlqU3u

Score

10^/10

njrat nano discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

nano

C2

haraga.no-ip.org:5552

Mutex

9685b74638ccc581030bfdb825e77a1e

Attributes

reg_key
9685b74638ccc581030bfdb825e77a1e
splitter
|'|'|

Targets

- Target
  
  b6df3e2662f09e833ed1069cddd625f84c3984c17c29ef8a3a93c7805e0692f0.exe
- Size
  
  300KB
- MD5
  
  01270ff6e341bbbce727b7b08c35fbf0
- SHA1
  
  049d0466652df9730972ee4351fcaf5f57042f2f
- SHA256
  
  b6df3e2662f09e833ed1069cddd625f84c3984c17c29ef8a3a93c7805e0692f0
- SHA512
  
  9d87f8f2e7fe25aac9c63528c0f1a4dd36eae0d183756bb85456f1e8aaee855ab603522353fe7446139b1d0f4aa0b46cb4ca96f2b8da724a5bf6abb0d2e09e4c
- SSDEEP
  
  1536:vDvE9TzQlzEyQ3FKeh+cMGgdP2WW5MeGD7BKb7+it2SDS29xlqU3u:vDvYgcscId+WWH2cDS29xlqU3u
Score

10^/10

njrat nano discovery evasion persistence privilege_escalation trojan
- Njrat family
  njrat
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Replication Through Removable Media

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njratnanodiscoveryevasionpersistenceprivilege_escalationtrojan

behavioral2

njratnanodiscoveryevasionpersistenceprivilege_escalationtrojan