njrat | 481df2d1bb42c75a91ad8a3fe9d1851ba3d05080d3d901101cc994f3040b6469 | Triage

Sharing

General

Target

481df2d1bb42c75a91ad8a3fe9d1851ba3d05080d3d901101cc994f3040b6469N.exe
Size

56KB
Sample

250119-pb8a2awqbv
MD5

4b6b9b9078efdea1d767e1bb8076e570
SHA1

2cefdc00441bab34f9026172fc4d19c15059b5c5
SHA256

481df2d1bb42c75a91ad8a3fe9d1851ba3d05080d3d901101cc994f3040b6469
SHA512

a38c4d9576e6f15341900a1e75057c0e0cc078ee3b3a8ce529a158d494c3a8067f79ba90f85d8a8d591c497a96130a451395efbafd087fc347e29fbd9b57188d
SSDEEP

1536:XvvqylRHMH/Jtakr8KCxEhDYcEb08+D9V2vPscW:fvVa+krSxuDIvi9+Psb

Score

10^/10

njrat evasion execution persistence privilege_escalation trojan

Malware Config

Targets

- Target
  
  481df2d1bb42c75a91ad8a3fe9d1851ba3d05080d3d901101cc994f3040b6469N.exe
- Size
  
  56KB
- MD5
  
  4b6b9b9078efdea1d767e1bb8076e570
- SHA1
  
  2cefdc00441bab34f9026172fc4d19c15059b5c5
- SHA256
  
  481df2d1bb42c75a91ad8a3fe9d1851ba3d05080d3d901101cc994f3040b6469
- SHA512
  
  a38c4d9576e6f15341900a1e75057c0e0cc078ee3b3a8ce529a158d494c3a8067f79ba90f85d8a8d591c497a96130a451395efbafd087fc347e29fbd9b57188d
- SSDEEP
  
  1536:XvvqylRHMH/Jtakr8KCxEhDYcEb08+D9V2vPscW:fvVa+krSxuDIvi9+Psb
Score

10^/10

njrat evasion execution persistence privilege_escalation trojan
- Njrat family
  njrat
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Scheduled Task/Job

Scheduled Task

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njratevasionexecutionpersistenceprivilege_escalationtrojan

behavioral2

njratevasionexecutionpersistenceprivilege_escalationtrojan