njrat | 430d6a10f2a37a3a8957e5fabfda4f3c7fa9af76bc4b2c020638f023e06f0267 | Triage

Sharing

General

Target

Server.exe
Size

93KB
Sample

241213-tsrf3atpbz
MD5

77e8ae03f54ed1ce413314dbb8e00435
SHA1

398ce9204237c30280dce2f3d6cfed34946383c0
SHA256

430d6a10f2a37a3a8957e5fabfda4f3c7fa9af76bc4b2c020638f023e06f0267
SHA512

6a679cd51e75ed9374cd17da763f180fd370e7d86fa88475a75eb1b07bd4f0e4f72b4fdf006345af3c0086a1978a358ade19a3ca422d892e41c3d0a47032b159
SSDEEP

768:gY3wI7yZnDQMMpAZrGSt6udttXy4sahkGJiXxrjEtCdnl2pi1Rz4Rk3wsGdpTgS7:II+ZD3rGWNd7dhkhjEwzGi1dDoDTgS

Score

10^/10

njrat noip discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

noip

C2

hakim32.ddns.net:2000

mahmoudabu9pos.ddns.net:27005

Mutex

fdce5dfdbb5ec4d4d26d1b02578ff07b

Attributes

reg_key
fdce5dfdbb5ec4d4d26d1b02578ff07b
splitter
|'|'|

Targets

- Target
  
  Server.exe
- Size
  
  93KB
- MD5
  
  77e8ae03f54ed1ce413314dbb8e00435
- SHA1
  
  398ce9204237c30280dce2f3d6cfed34946383c0
- SHA256
  
  430d6a10f2a37a3a8957e5fabfda4f3c7fa9af76bc4b2c020638f023e06f0267
- SHA512
  
  6a679cd51e75ed9374cd17da763f180fd370e7d86fa88475a75eb1b07bd4f0e4f72b4fdf006345af3c0086a1978a358ade19a3ca422d892e41c3d0a47032b159
- SSDEEP
  
  768:gY3wI7yZnDQMMpAZrGSt6udttXy4sahkGJiXxrjEtCdnl2pi1Rz4Rk3wsGdpTgS7:II+ZD3rGWNd7dhkhjEwzGi1dDoDTgS
Score

10^/10

njrat noip discovery evasion persistence privilege_escalation trojan
- Njrat family
  njrat
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njratnoipdiscoveryevasionpersistenceprivilege_escalationtrojan

behavioral2

discoveryevasionpersistenceprivilege_escalation