njrat | 6289a6f437dbe477d4648b112653a1e6de8c191489671d3e2fd51a31946103bd | Triage

Sharing

General

Target

6289a6f437dbe477d4648b112653a1e6de8c191489671d3e2fd51a31946103bd
Size

93KB
Sample

250119-b5nxla1mhx
MD5

83f90cb80993c51fe93a9f341922a3c8
SHA1

0fb07736f3a7be6f69e17525e32337bd88ff4fd6
SHA256

6289a6f437dbe477d4648b112653a1e6de8c191489671d3e2fd51a31946103bd
SHA512

7600ce9c8e603b2329c2fd98d36143ccb52ff6e11a2679c8cc47b1ce78938c752003c4d482c6fbfe5ad22f5e4594b72f5ed46443e9c2b0b7483116757a529c4f
SSDEEP

768:4Y3TVfhWXxyFcxovUKUJuROprXtWN8eYhYbmXxrjEtCdnl2pi1Rz4Rk3rTYsGdpv:TV5WhIUKcuOJhPhBjEwzGi1dD3gDPgS

Score

10^/10

njrat hacked discovery evasion persistence privilege_escalation

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

hakim32.ddns.net:2000

0.tcp.ngrok.io:19843

Mutex

440cde149834aa0e1531d198ae263f94

Attributes

reg_key
440cde149834aa0e1531d198ae263f94
splitter
|'|'|

Targets

- Target
  
  6289a6f437dbe477d4648b112653a1e6de8c191489671d3e2fd51a31946103bd
- Size
  
  93KB
- MD5
  
  83f90cb80993c51fe93a9f341922a3c8
- SHA1
  
  0fb07736f3a7be6f69e17525e32337bd88ff4fd6
- SHA256
  
  6289a6f437dbe477d4648b112653a1e6de8c191489671d3e2fd51a31946103bd
- SHA512
  
  7600ce9c8e603b2329c2fd98d36143ccb52ff6e11a2679c8cc47b1ce78938c752003c4d482c6fbfe5ad22f5e4594b72f5ed46443e9c2b0b7483116757a529c4f
- SSDEEP
  
  768:4Y3TVfhWXxyFcxovUKUJuROprXtWN8eYhYbmXxrjEtCdnl2pi1Rz4Rk3rTYsGdpv:TV5WhIUKcuOJhPhBjEwzGi1dD3gDPgS
Score

8^/10

discovery evasion persistence privilege_escalation
- Disables Task Manager via registry modification
  evasion
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

Execution

Persistence

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Replication Through Removable Media

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

discoveryevasionpersistenceprivilege_escalation

behavioral2

discoveryevasionpersistenceprivilege_escalation