njrat | 4797fdc9fb7220c98d14a2b5f6e96482dced4ab87626b167548a5e299e902b23 | Triage

Sharing

General

Target

Lammer.exe
Size

23KB
Sample

250122-sxdv4atpdk
MD5

cb0624ab1305a34c535bf15fd4406bd3
SHA1

8f54f9ffa00236c6e5ae0fb78c6a2176b9bd0e9d
SHA256

4797fdc9fb7220c98d14a2b5f6e96482dced4ab87626b167548a5e299e902b23
SHA512

8abd776e50c0be4e8375e3c4d78ebece3aedc93c74d895d2dc829dd3dfddb0388bd2a64185066654d094250c3245ddbebe36082c5d698f01893579e690e43e69
SSDEEP

384:nYmdk8XvCJrQLdRGSiEYF7Y65gPyx6BDXNRmRvR6JZlbw8hqIusZzZsS:wwWkti/aeRpcnuE

Score

10^/10

njrat lammer defense_evasion discovery persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

Lammer

C2

station-gps.gl.at.ply.gg:26933

Mutex

6fe32c3cda07f1e8b91e22a447ac35bd

Attributes

reg_key
6fe32c3cda07f1e8b91e22a447ac35bd
splitter
|'|'|

Targets

- Target
  
  Lammer.exe
- Size
  
  23KB
- MD5
  
  cb0624ab1305a34c535bf15fd4406bd3
- SHA1
  
  8f54f9ffa00236c6e5ae0fb78c6a2176b9bd0e9d
- SHA256
  
  4797fdc9fb7220c98d14a2b5f6e96482dced4ab87626b167548a5e299e902b23
- SHA512
  
  8abd776e50c0be4e8375e3c4d78ebece3aedc93c74d895d2dc829dd3dfddb0388bd2a64185066654d094250c3245ddbebe36082c5d698f01893579e690e43e69
- SSDEEP
  
  384:nYmdk8XvCJrQLdRGSiEYF7Y65gPyx6BDXNRmRvR6JZlbw8hqIusZzZsS:wwWkti/aeRpcnuE
Score

10^/10

njrat defense_evasion discovery persistence privilege_escalation trojan
- Njrat family
  njrat
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  defense_evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njratdefense_evasiondiscoverypersistenceprivilege_escalationtrojan