njrat | bf6a3c9e2fc15c686a58e2d146a7518e7484b51372dd432a5863bae057623330 | Triage

Sharing

General

Target

bf6a3c9e2fc15c686a58e2d146a7518e7484b51372dd432a5863bae057623330
Size

37KB
Sample

241217-1nklaaypgz
MD5

0a09aa08c401a1c24b8fb8535e16e25a
SHA1

1fc2e9207b54d49c74e9fd3e833cd1dc088022d2
SHA256

bf6a3c9e2fc15c686a58e2d146a7518e7484b51372dd432a5863bae057623330
SHA512

4b4dddb99654be87304a1b1542098c82f95f3f8c35a1d1b19a8a014b29713fb37e87dabc5f24a53d10203b36bd4f9552e97f812951477975ae613d8ea6db1427
SSDEEP

384:hSNBkiy5nDNGRn5IyUvgI1P9h4/C254crAF+rMRTyN/0L+EcoinblneHQM3epzXJ:4O5M5jUv11wq2+crM+rMRa8NuCbet

Score

10^/10

njrat hacked discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

Hacked

C2

wbouchraros.theworkpc.com:5552

Mutex

636e3f8f7cbfc871c59e6d158a287b2f

Attributes

reg_key
636e3f8f7cbfc871c59e6d158a287b2f
splitter
|'|'|

Targets

- Target
  
  bf6a3c9e2fc15c686a58e2d146a7518e7484b51372dd432a5863bae057623330
- Size
  
  37KB
- MD5
  
  0a09aa08c401a1c24b8fb8535e16e25a
- SHA1
  
  1fc2e9207b54d49c74e9fd3e833cd1dc088022d2
- SHA256
  
  bf6a3c9e2fc15c686a58e2d146a7518e7484b51372dd432a5863bae057623330
- SHA512
  
  4b4dddb99654be87304a1b1542098c82f95f3f8c35a1d1b19a8a014b29713fb37e87dabc5f24a53d10203b36bd4f9552e97f812951477975ae613d8ea6db1427
- SSDEEP
  
  384:hSNBkiy5nDNGRn5IyUvgI1P9h4/C254crAF+rMRTyN/0L+EcoinblneHQM3epzXJ:4O5M5jUv11wq2+crM+rMRa8NuCbet
Score

10^/10

njrat hacked discovery evasion persistence privilege_escalation trojan
- Njrat family
  njrat
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Replication Through Removable Media

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njrathackeddiscoveryevasionpersistenceprivilege_escalationtrojan

behavioral2

discoveryevasionpersistenceprivilege_escalation