njrat | 05de7f808bcbd9c8c9bc3620b3bb36faa7f9d1a956223f0ac2579792addb9908 | Triage

Sharing

General

Target

05de7f808bcbd9c8c9bc3620b3bb36faa7f9d1a956223f0ac2579792addb9908.exe
Size

115KB
Sample

250111-ck56tayldt
MD5

90c920a5d1afaebeca9a97a3787928b9
SHA1

5bb6c2720cfb1b1792914ac40c24206920e0f5c9
SHA256

05de7f808bcbd9c8c9bc3620b3bb36faa7f9d1a956223f0ac2579792addb9908
SHA512

db8dc3792e3ca6926790fdd778f92626f93c27699bd108759a6fe20ec79e02e17c8492c592e5aa1ae54bbbcd11b9c3d8d5a30b772b930b488f9eaa62f903e5fd
SSDEEP

1536:orp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4xtKegoxmOBh73RmMo:w5eznsjsguGDFqGx8egoxmO3rRm5

Score

10^/10

njrat neuf discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

neuf

C2

doddyfire.linkpc.net:10000

Mutex

e1a87040f2026369a233f9ae76301b7b

Attributes

reg_key
e1a87040f2026369a233f9ae76301b7b
splitter
|'|'|

Targets

- Target
  
  05de7f808bcbd9c8c9bc3620b3bb36faa7f9d1a956223f0ac2579792addb9908.exe
- Size
  
  115KB
- MD5
  
  90c920a5d1afaebeca9a97a3787928b9
- SHA1
  
  5bb6c2720cfb1b1792914ac40c24206920e0f5c9
- SHA256
  
  05de7f808bcbd9c8c9bc3620b3bb36faa7f9d1a956223f0ac2579792addb9908
- SHA512
  
  db8dc3792e3ca6926790fdd778f92626f93c27699bd108759a6fe20ec79e02e17c8492c592e5aa1ae54bbbcd11b9c3d8d5a30b772b930b488f9eaa62f903e5fd
- SSDEEP
  
  1536:orp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4xtKegoxmOBh73RmMo:w5eznsjsguGDFqGx8egoxmO3rRm5
Score

10^/10

njrat neuf discovery evasion persistence privilege_escalation trojan
- Njrat family
  njrat
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njratneufdiscoveryevasionpersistenceprivilege_escalationtrojan

behavioral2

njratneufdiscoveryevasionpersistenceprivilege_escalationtrojan