njrat | b40994ebf386e60512bb433bd2d59505dbe20c985a04772eb6c4bf65d2511e3a | Triage

Sharing

General

Target

DisableWDv1.bat
Size

872B
Sample

250108-1txg2avnhs
MD5

7e36cba08cf2f7556651430989871ed3
SHA1

77cdb81c4081e6f3e3dd295738e6b0f128e414d9
SHA256

b40994ebf386e60512bb433bd2d59505dbe20c985a04772eb6c4bf65d2511e3a
SHA512

4cb8cae10769147c6e957d6c185520fd2663a87e55c1f332219cde1b877f915b29b278700d31d676276eb2d34f11aa1b1a34d5fb37cf47c8511bc00058deb924

Score

10^/10

njrat hacked discovery evasion execution persistence privilege_escalation trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://raw.githubusercontent.com/pebiko70/test/main/Server.exe

Extracted

Family

njrat

Version

im523

Botnet

HacKed

C2

financial-amanda.gl.at.ply.gg:47287

Mutex

023b6c1e71ec3df384e0804152feb1fe

Attributes

reg_key
023b6c1e71ec3df384e0804152feb1fe
splitter
|'|'|

Targets

- Target
  
  DisableWDv1.bat
- Size
  
  872B
- MD5
  
  7e36cba08cf2f7556651430989871ed3
- SHA1
  
  77cdb81c4081e6f3e3dd295738e6b0f128e414d9
- SHA256
  
  b40994ebf386e60512bb433bd2d59505dbe20c985a04772eb6c4bf65d2511e3a
- SHA512
  
  4cb8cae10769147c6e957d6c185520fd2663a87e55c1f332219cde1b877f915b29b278700d31d676276eb2d34f11aa1b1a34d5fb37cf47c8511bc00058deb924
Score

10^/10

execution njrat hacked discovery evasion persistence privilege_escalation trojan
- Njrat family
  njrat
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Blocklisted process makes network request
- Downloads MZ/PE file
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Legitimate hosting services abused for malware hosting/C2
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

njrathackeddiscoveryevasionexecutionpersistenceprivilege_escalationtrojan