njrat | 56510920355a5531d174cb55ebe86f4b0d85c748d0e15dd78849a29f0f3763d1 | Triage

Sharing

General

Target

mod.exe
Size

93KB
Sample

250121-h6avpasnev
MD5

e9987ac76debe4d7c754f30cec95d618
SHA1

7678e6011456d26f579c7dcdd238ff651cfa4edd
SHA256

56510920355a5531d174cb55ebe86f4b0d85c748d0e15dd78849a29f0f3763d1
SHA512

919003b30226a8cc81540f652ae51301641325516a5d9bbba140b293b3b97141fbd9274a2f1e942b75e618f57d6e02799e488b36f2cdcbc35f48cc9cc5594771
SSDEEP

1536:GYqUZFRPmGvMzLsvOnjEwzGi1dDvDogS:GYRRPmGvMzIvOMi1dXR

Score

10^/10

njrat hacked defense_evasion discovery persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

hakim32.ddns.net:2000

2.tcp.eu.ngrok.io:13417

Mutex

a7048b533c07e8a45edf75a414a0b3cd

Attributes

reg_key
a7048b533c07e8a45edf75a414a0b3cd
splitter
|'|'|

Targets

- Target
  
  mod.exe
- Size
  
  93KB
- MD5
  
  e9987ac76debe4d7c754f30cec95d618
- SHA1
  
  7678e6011456d26f579c7dcdd238ff651cfa4edd
- SHA256
  
  56510920355a5531d174cb55ebe86f4b0d85c748d0e15dd78849a29f0f3763d1
- SHA512
  
  919003b30226a8cc81540f652ae51301641325516a5d9bbba140b293b3b97141fbd9274a2f1e942b75e618f57d6e02799e488b36f2cdcbc35f48cc9cc5594771
- SSDEEP
  
  1536:GYqUZFRPmGvMzLsvOnjEwzGi1dDvDogS:GYRRPmGvMzIvOMi1dXR
Score

10^/10

njrat hacked defense_evasion discovery persistence privilege_escalation trojan
- Njrat family
  njrat
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Disables Task Manager via registry modification
  defense_evasion
- Modifies Windows Firewall
  defense_evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

Execution

Persistence

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Replication Through Removable Media

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

njrathackeddefense_evasiondiscoverypersistenceprivilege_escalationtrojan

behavioral2

defense_evasiondiscoverypersistenceprivilege_escalation