njrat | 5074c977130c720dfe63b113372dc8a824f314832f007fb0ef9a955e80b3227e | Triage

Sharing

General

Target

5074c977130c720dfe63b113372dc8a824f314832f007fb0ef9a955e80b3227e.exe
Size

23KB
Sample

250112-txj8jsslcr
MD5

6afd95aa91ddadc278caef8a74595d74
SHA1

98c70ac893bd8248625f4c4d89f34aefbadd0110
SHA256

5074c977130c720dfe63b113372dc8a824f314832f007fb0ef9a955e80b3227e
SHA512

a6deca0c50d21b3411567b9502ba813e938e754494a88b7440def04d70bf33b8168a605e18f51fe69efbf4bb4a8aa8c30bac5d6e72d82f7acebfaa102712b3bb
SSDEEP

384:lc6CqbFYh3odrVCGiHssDB4b6i6fgpEupNXRmRvR6JZlbw8hqIusZzZU/D:mIU0tw3RpcnuND

Score

10^/10

njrat windows discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

Windows

C2

phh79b4.localto.net:6732

Mutex

8ca7039ed784ff0b410de529abc3d36d

Attributes

reg_key
8ca7039ed784ff0b410de529abc3d36d
splitter
|'|'|

Targets

- Target
  
  5074c977130c720dfe63b113372dc8a824f314832f007fb0ef9a955e80b3227e.exe
- Size
  
  23KB
- MD5
  
  6afd95aa91ddadc278caef8a74595d74
- SHA1
  
  98c70ac893bd8248625f4c4d89f34aefbadd0110
- SHA256
  
  5074c977130c720dfe63b113372dc8a824f314832f007fb0ef9a955e80b3227e
- SHA512
  
  a6deca0c50d21b3411567b9502ba813e938e754494a88b7440def04d70bf33b8168a605e18f51fe69efbf4bb4a8aa8c30bac5d6e72d82f7acebfaa102712b3bb
- SSDEEP
  
  384:lc6CqbFYh3odrVCGiHssDB4b6i6fgpEupNXRmRvR6JZlbw8hqIusZzZU/D:mIU0tw3RpcnuND
Score

10^/10

njrat windows discovery evasion persistence privilege_escalation trojan
- Njrat family
  njrat
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njratwindowsdiscoveryevasionpersistenceprivilege_escalationtrojan

behavioral2

njratdiscoveryevasionpersistenceprivilege_escalationtrojan