njrat | 621de6d0edff7f4a71f14002d2f31d5ef0a20d3c5d279c0016d6cd4d6cd525e3 | Triage

Sharing

General

Target

621de6d0edff7f4a71f14002d2f31d5ef0a20d3c5d279c0016d6cd4d6cd525e3
Size

506KB
Sample

250118-njlxbsspgr
MD5

cea8687c16ca4de232b21a53308714d3
SHA1

88d8fbf3e679fa2c081e79d9b561d31b8a359538
SHA256

621de6d0edff7f4a71f14002d2f31d5ef0a20d3c5d279c0016d6cd4d6cd525e3
SHA512

e09aedf77f7eedd2e49825bda4ac6e966c301135419d857df2e2c86d78c82c48d09609ed6b6937a5f4582276395bd22f8d51fd1ab3e84e287edac207e8942b3f
SSDEEP

12288:/LMEalqxXblqoRX5qbfphLxaOSoSDi7mbsG46w:zqaXNabfphLxaVpDiiQ9

Score

10^/10

njrat lammer lammer1 defense_evasion discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

Lammer

C2

ie-serving.gl.at.ply.gg:18976

Mutex

d386661cfe8f30c3a692533641b57806

Attributes

reg_key
d386661cfe8f30c3a692533641b57806
splitter
|'|'|

Extracted

Family

njrat

Version

0.7d

Botnet

Lammer1

C2

ie-serving.gl.at.ply.gg:18976

Mutex

82f896a33c031e162176bdb24630461b

Attributes

reg_key
82f896a33c031e162176bdb24630461b
splitter
|'|'|

Targets

- Target
  
  621de6d0edff7f4a71f14002d2f31d5ef0a20d3c5d279c0016d6cd4d6cd525e3
- Size
  
  506KB
- MD5
  
  cea8687c16ca4de232b21a53308714d3
- SHA1
  
  88d8fbf3e679fa2c081e79d9b561d31b8a359538
- SHA256
  
  621de6d0edff7f4a71f14002d2f31d5ef0a20d3c5d279c0016d6cd4d6cd525e3
- SHA512
  
  e09aedf77f7eedd2e49825bda4ac6e966c301135419d857df2e2c86d78c82c48d09609ed6b6937a5f4582276395bd22f8d51fd1ab3e84e287edac207e8942b3f
- SSDEEP
  
  12288:/LMEalqxXblqoRX5qbfphLxaOSoSDi7mbsG46w:zqaXNabfphLxaVpDiiQ9
Score

10^/10

njrat lammer lammer1 defense_evasion discovery evasion persistence privilege_escalation trojan
- Njrat family
  njrat
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Subvert Trust Controls

SIP and Trust Provider Hijacking

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njratlammerlammer1defense_evasiondiscoveryevasionpersistenceprivilege_escalationtrojan

behavioral2

njratlammerlammer1defense_evasiondiscoveryevasionpersistenceprivilege_escalationtrojan