njrat | ee2103a5f8e6314618a8dfafe16185d2542cf9ed2ab7cb172bdcdc3b415a9027 | Triage

Sharing

General

Target

ee2103a5f8e6314618a8dfafe16185d2542cf9ed2ab7cb172bdcdc3b415a9027N.exe
Size

65KB
Sample

250107-brgalazjfl
MD5

7b6de1f4e80f5f0e56db56f2095ae7a0
SHA1

13ada473813ec380ba5ea8cfac2457a753d88b82
SHA256

ee2103a5f8e6314618a8dfafe16185d2542cf9ed2ab7cb172bdcdc3b415a9027
SHA512

7259a557ee2f186887ec0e40c08fa7bf6fe51d7fb6b9a930c5a876afb5c1534efc3bd0b59d454ce2b6b54e914ced687b298c016c2e467dee090cf1c6365085ae
SSDEEP

1536:nIi1xBBZ3ad5Wj9thVmZAl8FL0gam8qUN/ffRaOug:Ii1xBxjanF7aTqUuO9

Score

10^/10

njrat 150430 discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

150430

C2

crizzybee.ddns.net:777

Mutex

718ee003d92d9b4d5e6b70f7fca7f400

Attributes

reg_key
718ee003d92d9b4d5e6b70f7fca7f400
splitter
|'|'|

Targets

- Target
  
  ee2103a5f8e6314618a8dfafe16185d2542cf9ed2ab7cb172bdcdc3b415a9027N.exe
- Size
  
  65KB
- MD5
  
  7b6de1f4e80f5f0e56db56f2095ae7a0
- SHA1
  
  13ada473813ec380ba5ea8cfac2457a753d88b82
- SHA256
  
  ee2103a5f8e6314618a8dfafe16185d2542cf9ed2ab7cb172bdcdc3b415a9027
- SHA512
  
  7259a557ee2f186887ec0e40c08fa7bf6fe51d7fb6b9a930c5a876afb5c1534efc3bd0b59d454ce2b6b54e914ced687b298c016c2e467dee090cf1c6365085ae
- SSDEEP
  
  1536:nIi1xBBZ3ad5Wj9thVmZAl8FL0gam8qUN/ffRaOug:Ii1xBxjanF7aTqUuO9
Score

10^/10

discovery njrat 150430 evasion persistence privilege_escalation trojan
- Njrat family
  njrat
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

njrat150430discoveryevasionpersistenceprivilege_escalationtrojan