njrat | a1c489cce0663f3ec6b057a16f951d455b04458553803b07dd356ea4e3ccba2f | Triage

Sharing

General

Target

Neverluse (2).zip
Size

11.9MB
Sample

250115-wn8wnasjbr
MD5

4a8ca7f758c5b8429f2c7bbfc6ba33a4
SHA1

f5d238a837c5d9ae2faaae09c01b90abd7a6753d
SHA256

a1c489cce0663f3ec6b057a16f951d455b04458553803b07dd356ea4e3ccba2f
SHA512

726f03f77d77716d56493594a9d59a0e5e2d76cd1434eb2a7d279f35b26f7056b930bf86532b147fbfcefec612c727d04e17f81f5256fb567341bfe205550e32
SSDEEP

196608:Ti+e553UgECAf+VLyHIZKpMKMXKhIIrAH87shgx4G+1yOAvQ1pn0u9I/wvNePM5I:Tewjj+pnawB/1Sg94gNNJX7yZ

Score

10^/10

njrat hacked discovery evasion persistence privilege_escalation

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

hakim32.ddns.net:2000

127.0.0.1:5555

Mutex

181a74d35475c4a2137967893bc3cc88

Attributes

reg_key
181a74d35475c4a2137967893bc3cc88
splitter
|'|'|

Targets

- Target
  
  NL.exe
- Size
  
  93KB
- MD5
  
  f0c234db804898229a7e3bdea180f915
- SHA1
  
  2c61d230f86552e80bf59e6e21546a8dce6f3452
- SHA256
  
  a62ee0552b21391d0e2898786f9ec2473eb21d2e7a69aad9737862835f00f377
- SHA512
  
  e438734c8811875e8efbea1d6a4ec153ae01a666274c0d8d0751fda6175df3b8f09058f1d7627cabd7b84d873ec31e2407a414c38ecce0797d2718d67beff900
- SSDEEP
  
  768:8Y3UbnD9O/pBcxYsbae6GIXb9pDX2t9zPL0OXLeuXxrjEtCdnl2pi1Rz4Rk3EsGg:gbxOx6baIa9ROj00ljEwzGi1dDcDCgS
Score

8^/10

discovery evasion persistence privilege_escalation
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
- Drops file in System32 directory
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

Execution

Persistence

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Replication Through Removable Media

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

discoveryevasionpersistenceprivilege_escalation