njrat | c1ab8db613a0687ed5e80ee5a17f9834c3a3ec8aaae92cd77d095778e0c146a1 | Triage

Sharing

General

Target

AnyDesk.exe
Size

5.7MB
Sample

241222-nehn4swnhn
MD5

224648bac4d99c8e0c0910f264fa074d
SHA1

2e5647ee2f33fb4d9a3717b79f3193ee71497d8b
SHA256

c1ab8db613a0687ed5e80ee5a17f9834c3a3ec8aaae92cd77d095778e0c146a1
SHA512

0d56ee13d16b3de26b2c363d2c614c702c78bfc22e7a2711a8ed93b1d9a056054c6821846b2716f424ccd5804cb056f786bbee2da6d2b168b36f1007d0a08772
SSDEEP

98304:NHbbpAhshpV10OE3G6WOgttVHrJqHJOkfFunOeyO3W8/WtwsZ1Jb7pXc/3UQIH9B:NH3LVh6FQbtqeOq3W8/GwsVvNc/kL9Kg

Score

10^/10

njrat fucked discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

fucked

C2

hakim32.ddns.net:2000

fat-pads.gl.at.ply.gg:35059

Mutex

148a892b37f45e5773518d8932c75e38

Attributes

reg_key
148a892b37f45e5773518d8932c75e38
splitter
|'|'|

Targets

- Target
  
  AnyDesk.exe
- Size
  
  5.7MB
- MD5
  
  224648bac4d99c8e0c0910f264fa074d
- SHA1
  
  2e5647ee2f33fb4d9a3717b79f3193ee71497d8b
- SHA256
  
  c1ab8db613a0687ed5e80ee5a17f9834c3a3ec8aaae92cd77d095778e0c146a1
- SHA512
  
  0d56ee13d16b3de26b2c363d2c614c702c78bfc22e7a2711a8ed93b1d9a056054c6821846b2716f424ccd5804cb056f786bbee2da6d2b168b36f1007d0a08772
- SSDEEP
  
  98304:NHbbpAhshpV10OE3G6WOgttVHrJqHJOkfFunOeyO3W8/WtwsZ1Jb7pXc/3UQIH9B:NH3LVh6FQbtqeOq3W8/GwsVvNc/kL9Kg
Score

10^/10

njrat fucked discovery evasion persistence privilege_escalation trojan
- Njrat family
  njrat
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njratfuckeddiscoveryevasionpersistenceprivilege_escalationtrojan

behavioral2

discoveryevasionpersistenceprivilege_escalation