njrat | 188ba2b83622d600b04003888d1aca9d50f3ce87406dfcf328895db6c489a26f | Triage

Sharing

General

Target

4951d592fac59ef8005596d2af5d116b.bin
Size

34KB
Sample

241227-blnsgsxndy
MD5

e7abb8cc9df839ca35ff23f879172e8f
SHA1

ccdd65abb03751c1ce7fb7c1a04474a98c547426
SHA256

188ba2b83622d600b04003888d1aca9d50f3ce87406dfcf328895db6c489a26f
SHA512

46b0f646a3a4fc2952707d35082a31afefc83e8cdfdb6d975bdc4c70c475c834e7b524c02cb672e7f8647c9d0765f8322424ff9e001eada8c6829c1305a5e3cc
SSDEEP

768:qpC6Ky2oWZ5QuoVaPJCDEYrBU6iuD/J2Wb72YahwJWrgCfe5:qpeobuo5DXrBgW1ahwUrgCfk

Score

10^/10

njrat hacked discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

hakim32.ddns.net:2000

company-telecom.gl.at.ply.gg:42876

Mutex

445c7762b8f06a76352fcac2e22df159

Attributes

reg_key
445c7762b8f06a76352fcac2e22df159
splitter
|'|'|

Targets

- Target
  
  ef022f571bbe78532cc1d1d09689470933f629f5e3775929f8926d7b51e6f122.exe
- Size
  
  93KB
- MD5
  
  4951d592fac59ef8005596d2af5d116b
- SHA1
  
  536ab7195afefb6c8947a86b10adb8d0461f7115
- SHA256
  
  ef022f571bbe78532cc1d1d09689470933f629f5e3775929f8926d7b51e6f122
- SHA512
  
  3f551f1b653764dae9d75dbdf764389786a6004ef2c49f3c7ba81bb4412adc7c8c3315649e4c5a8f970b3f185f67e6f04bacf1264f233225511d45cb75d20ff1
- SSDEEP
  
  1536:ZYduiuNTXfL/AJbZNljEwzGi1dDFDugS:ZYdaTXfL/AhzSi1dJT
Score

10^/10

njrat hacked discovery evasion persistence privilege_escalation trojan
- Njrat family
  njrat
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Disables Task Manager via registry modification
  evasion
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njrathackeddiscoveryevasionpersistenceprivilege_escalationtrojan

behavioral2

discoveryevasionpersistenceprivilege_escalation