njrat | 2a1837f12707bb0c3cb62653750004640a029833f7d7790f1d4ce79507a0dd16 | Triage

Sharing

General

Target

536e56b6209a3f0a5893ee64c358beef.exe
Size

118KB
Sample

250107-zm5dmaxrbv
MD5

536e56b6209a3f0a5893ee64c358beef
SHA1

d7ab63e972d7ce34b39b5a2376318f0e0d10598e
SHA256

2a1837f12707bb0c3cb62653750004640a029833f7d7790f1d4ce79507a0dd16
SHA512

977a48a9840dd31c29f4cf68b1bad1bcb54df0c1663bba05785431a499ad84c1d7954414012030e895c76d99fb36ab048257b4cea8c377d23aade01319006f6f
SSDEEP

1536:K1v54X1LIpe+gRJNDYVSPacFyq9Qhu4lR8CMomjI9FUv9r0HHP0Yp9YN:K1h4F8e+yJF2lcguNrjI9FUvGHvX/

Score

10^/10

njrat mooreports discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

MooReports

C2

154.197.69.14:1433

Mutex

6dc05a59fd2afdd42871a13a6d06ab6f

Attributes

reg_key
6dc05a59fd2afdd42871a13a6d06ab6f
splitter
|'|'|

Targets

- Target
  
  536e56b6209a3f0a5893ee64c358beef.exe
- Size
  
  118KB
- MD5
  
  536e56b6209a3f0a5893ee64c358beef
- SHA1
  
  d7ab63e972d7ce34b39b5a2376318f0e0d10598e
- SHA256
  
  2a1837f12707bb0c3cb62653750004640a029833f7d7790f1d4ce79507a0dd16
- SHA512
  
  977a48a9840dd31c29f4cf68b1bad1bcb54df0c1663bba05785431a499ad84c1d7954414012030e895c76d99fb36ab048257b4cea8c377d23aade01319006f6f
- SSDEEP
  
  1536:K1v54X1LIpe+gRJNDYVSPacFyq9Qhu4lR8CMomjI9FUv9r0HHP0Yp9YN:K1h4F8e+yJF2lcguNrjI9FUvGHvX/
Score

10^/10

njrat mooreports discovery evasion persistence privilege_escalation trojan
- Njrat family
  njrat
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Replication Through Removable Media

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

mooreportsnjrat

behavioral1

njratmooreportsdiscoveryevasionpersistenceprivilege_escalationtrojan

behavioral2

discoveryevasionpersistenceprivilege_escalation