njrat | 6dfe16f82116f1537efcac4f015247d28339062bcbaa7fc75c9486caa76a9d0d | Triage

Sharing

General

Target

6dfe16f82116f1537efcac4f015247d28339062bcbaa7fc75c9486caa76a9d0d.exe
Size

93KB
Sample

250113-cwpm7stnfr
MD5

1ed0c2e213e674c8a95694c9e19361c7
SHA1

05446e3404b3171264fc344bf4013eb8ea2cf740
SHA256

6dfe16f82116f1537efcac4f015247d28339062bcbaa7fc75c9486caa76a9d0d
SHA512

381fd14b550674d0214d75d203264947078d874afa91122bfad5fb96c3a523fddf1dccd6c69e46c6590ca1ab9025a647e253188e7b9927f0baab8bb199c1d9c7
SSDEEP

768:/Y34G/jglPPMJI08+EyrERm9hX+JlwA461mXxrjEtCdnl2pi1Rz4Rk3qsGdpYgS7:RG7gdQ8+f4mXpA4tjEwzGi1dDGDYgS

Score

10^/10

njrat debil discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

debil

C2

hakim32.ddns.net:2000

178.215.236.227:4411

Mutex

364d88128926b2e822553333b20c197f

Attributes

reg_key
364d88128926b2e822553333b20c197f
splitter
|'|'|

Targets

- Target
  
  6dfe16f82116f1537efcac4f015247d28339062bcbaa7fc75c9486caa76a9d0d.exe
- Size
  
  93KB
- MD5
  
  1ed0c2e213e674c8a95694c9e19361c7
- SHA1
  
  05446e3404b3171264fc344bf4013eb8ea2cf740
- SHA256
  
  6dfe16f82116f1537efcac4f015247d28339062bcbaa7fc75c9486caa76a9d0d
- SHA512
  
  381fd14b550674d0214d75d203264947078d874afa91122bfad5fb96c3a523fddf1dccd6c69e46c6590ca1ab9025a647e253188e7b9927f0baab8bb199c1d9c7
- SSDEEP
  
  768:/Y34G/jglPPMJI08+EyrERm9hX+JlwA461mXxrjEtCdnl2pi1Rz4Rk3qsGdpYgS7:RG7gdQ8+f4mXpA4tjEwzGi1dDGDYgS
Score

10^/10

njrat debil discovery evasion persistence privilege_escalation trojan
- Njrat family
  njrat
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Disables Task Manager via registry modification
  evasion
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

Execution

Persistence

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Replication Through Removable Media

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njratdebildiscoveryevasionpersistenceprivilege_escalationtrojan

behavioral2

discoveryevasionpersistenceprivilege_escalation