njrat | 71b06613ca38ea9b67aead75aa5d042149d653119708c8083d81d26d9d70ed6d | Triage

Sharing

General

Target

71b06613ca38ea9b67aead75aa5d042149d653119708c8083d81d26d9d70ed6d
Size

28KB
Sample

241220-bwb7fawnep
MD5

07e30f93dcbe3cc726a96554952c34df
SHA1

3bcdef674d3bdb39328afd088f9f23a4cb4c0671
SHA256

71b06613ca38ea9b67aead75aa5d042149d653119708c8083d81d26d9d70ed6d
SHA512

e0bfd4413d47b5eb1f8bf0dd44f6cb28719896f23047022ea6206900ef826449f9eb8644276d1ad75c77db433c72fef1a0fd133bffb1ddcd9707537f7b4aa40c
SSDEEP

384:W8EBl7Bvgk4Xe0elD5FochNGemqDGb3neUEGBsbh0w4wlAokw9OhgOL1vYRGOZz5:u7Kk4XePlFXYq6bneWBKh0p29SgR8c

Score

10^/10

njrat pool live tour discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

pool live tour

C2

127.0.0.1:1177

Mutex

cc6885fb771802b45c9dcc628f9ad989

Attributes

reg_key
cc6885fb771802b45c9dcc628f9ad989
splitter
|'|'|

Targets

- Target
  
  71b06613ca38ea9b67aead75aa5d042149d653119708c8083d81d26d9d70ed6d
- Size
  
  28KB
- MD5
  
  07e30f93dcbe3cc726a96554952c34df
- SHA1
  
  3bcdef674d3bdb39328afd088f9f23a4cb4c0671
- SHA256
  
  71b06613ca38ea9b67aead75aa5d042149d653119708c8083d81d26d9d70ed6d
- SHA512
  
  e0bfd4413d47b5eb1f8bf0dd44f6cb28719896f23047022ea6206900ef826449f9eb8644276d1ad75c77db433c72fef1a0fd133bffb1ddcd9707537f7b4aa40c
- SSDEEP
  
  384:W8EBl7Bvgk4Xe0elD5FochNGemqDGb3neUEGBsbh0w4wlAokw9OhgOL1vYRGOZz5:u7Kk4XePlFXYq6bneWBKh0p29SgR8c
Score

10^/10

njrat pool live tour discovery evasion persistence privilege_escalation trojan
- Njrat family
  njrat
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

pool live tournjrat

behavioral1

njratpool live tourdiscoveryevasionpersistenceprivilege_escalationtrojan

behavioral2

discoveryevasionpersistenceprivilege_escalation