njrat | bc29f3e495e73cab8b5cc4b63d0048109fe3f33f3d209939a279053d4091448e | Triage

Sharing

General

Target

DisableWDv1.bat
Size

664B
Sample

250108-2g3nysyngn
MD5

d5ae652c3c0c4ed6269743dbfb5ce953
SHA1

43a8888f001b9b7e2629746848f2a1601acb60f2
SHA256

bc29f3e495e73cab8b5cc4b63d0048109fe3f33f3d209939a279053d4091448e
SHA512

2d05a38a154adfba0b2e6d0ff38a6c3e21b6f0ec840f5618bee6b06836aef255cf98d4ad578cedf4a49955fa1cb0c4d3255c028a47fd83dcc6af1e20b62e9499

Score

10^/10

njrat hacked discovery evasion execution persistence privilege_escalation trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://raw.githubusercontent.com/pebiko70/test/main/Server.exe

Extracted

Family

njrat

Version

im523

Botnet

HacKed

C2

financial-amanda.gl.at.ply.gg:47287

Mutex

023b6c1e71ec3df384e0804152feb1fe

Attributes

reg_key
023b6c1e71ec3df384e0804152feb1fe
splitter
|'|'|

Targets

- Target
  
  DisableWDv1.bat
- Size
  
  664B
- MD5
  
  d5ae652c3c0c4ed6269743dbfb5ce953
- SHA1
  
  43a8888f001b9b7e2629746848f2a1601acb60f2
- SHA256
  
  bc29f3e495e73cab8b5cc4b63d0048109fe3f33f3d209939a279053d4091448e
- SHA512
  
  2d05a38a154adfba0b2e6d0ff38a6c3e21b6f0ec840f5618bee6b06836aef255cf98d4ad578cedf4a49955fa1cb0c4d3255c028a47fd83dcc6af1e20b62e9499
Score

10^/10

njrat hacked discovery evasion execution persistence privilege_escalation trojan
- Njrat family
  njrat
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Blocklisted process makes network request
- Downloads MZ/PE file
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Legitimate hosting services abused for malware hosting/C2
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

njrathackeddiscoveryevasionexecutionpersistenceprivilege_escalationtrojan

behavioral2

njrathackeddiscoveryevasionexecutionpersistenceprivilege_escalationtrojan