njrat | c50c74721a340dfa457152405bb9fcf9bdd725b321510f8eaf2b23c4a68a6abb | Triage

Sharing

General

Target

c50c74721a340dfa457152405bb9fcf9bdd725b321510f8eaf2b23c4a68a6abb.exe
Size

93KB
Sample

250122-d3sh4swlhy
MD5

d61b6c8d2031c9c14fd2ca8cac4abbd0
SHA1

232a655eb7c720a90d30f4f51a3aa4fde319be2b
SHA256

c50c74721a340dfa457152405bb9fcf9bdd725b321510f8eaf2b23c4a68a6abb
SHA512

4649981329ec72d555af8888b3bc2b6e93d3569c232247f430147aa32b8f907dc7f1e188f3ec32c5a33fa95cf06f8c3719da033959cb1af709ab4e133a2b3e3a
SSDEEP

1536:1emC+xhUa9urgOB9RNvM4jEwzGi1dDlDRgS:1egUa9urgONdGi1dRO

Score

10^/10

njrat hacked defense_evasion discovery persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

hakim32.ddns.net:2000

2.tcp.eu.ngrok.io:17881

Mutex

a5ecb8dd72f32c83945d9630db93a6c0

Attributes

reg_key
a5ecb8dd72f32c83945d9630db93a6c0
splitter
|'|'|

Targets

- Target
  
  c50c74721a340dfa457152405bb9fcf9bdd725b321510f8eaf2b23c4a68a6abb.exe
- Size
  
  93KB
- MD5
  
  d61b6c8d2031c9c14fd2ca8cac4abbd0
- SHA1
  
  232a655eb7c720a90d30f4f51a3aa4fde319be2b
- SHA256
  
  c50c74721a340dfa457152405bb9fcf9bdd725b321510f8eaf2b23c4a68a6abb
- SHA512
  
  4649981329ec72d555af8888b3bc2b6e93d3569c232247f430147aa32b8f907dc7f1e188f3ec32c5a33fa95cf06f8c3719da033959cb1af709ab4e133a2b3e3a
- SSDEEP
  
  1536:1emC+xhUa9urgOB9RNvM4jEwzGi1dDlDRgS:1egUa9urgONdGi1dRO
Score

10^/10

njrat hacked defense_evasion discovery persistence privilege_escalation trojan
- Njrat family
  njrat
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Disables Task Manager via registry modification
  defense_evasion
- Modifies Windows Firewall
  defense_evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

njrathackeddefense_evasiondiscoverypersistenceprivilege_escalationtrojan

behavioral2

defense_evasiondiscoverypersistenceprivilege_escalation