njrat | 7da34ade939a6a7a8d39eeca18a3ed6ad3d906f51d1ee9d65c2e3b9fce507cff | Triage

Sharing

General

Target

CHEAT.exe
Size

93KB
Sample

250109-r24rmsvjam
MD5

49f3ad1aad41b40d4ff259eb6a2feb89
SHA1

9b7a8d9e2b3e8e4fd30a085e50b43224f8bd10ee
SHA256

7da34ade939a6a7a8d39eeca18a3ed6ad3d906f51d1ee9d65c2e3b9fce507cff
SHA512

96817c7fe37886fa10a505a4833723a9f7e4da4ccd2af77ec0e65ccce7c6b688ec18ef3e6e703247269f0af4a652b0e0c098e517a62586fb256b3c9b85220ece
SSDEEP

1536:0UwC+xhUa9urgOBPRNvM4jEwzGi1dDLsD/gS:0UmUa9urgObdGi1dWY

Score

10^/10

njrat roblecks discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

roblecks

C2

hakim32.ddns.net:2000

sat-triumph.gl.at.ply.gg:1108

Mutex

64b6edc267902dd8651bee815ed1ce0c

Attributes

reg_key
64b6edc267902dd8651bee815ed1ce0c
splitter
|'|'|

Targets

- Target
  
  CHEAT.exe
- Size
  
  93KB
- MD5
  
  49f3ad1aad41b40d4ff259eb6a2feb89
- SHA1
  
  9b7a8d9e2b3e8e4fd30a085e50b43224f8bd10ee
- SHA256
  
  7da34ade939a6a7a8d39eeca18a3ed6ad3d906f51d1ee9d65c2e3b9fce507cff
- SHA512
  
  96817c7fe37886fa10a505a4833723a9f7e4da4ccd2af77ec0e65ccce7c6b688ec18ef3e6e703247269f0af4a652b0e0c098e517a62586fb256b3c9b85220ece
- SSDEEP
  
  1536:0UwC+xhUa9urgOBPRNvM4jEwzGi1dDLsD/gS:0UmUa9urgObdGi1dWY
Score

10^/10

njrat roblecks discovery evasion persistence privilege_escalation trojan
- Njrat family
  njrat
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njratroblecksdiscoveryevasionpersistenceprivilege_escalationtrojan

behavioral2

discoveryevasionpersistenceprivilege_escalation