njrat | db27bc172a5de048b3514746a8d78bfda52828ac10bf929fc89839b2cdc9deab | Triage

Sharing

General

Target

Lammer.exe
Size

23KB
Sample

250122-szsr2asqfz
MD5

8ef1c362e7a42893a331a657d021d665
SHA1

fdfe06f05c2a51ef8968ddc1d9a7595d694c93f8
SHA256

db27bc172a5de048b3514746a8d78bfda52828ac10bf929fc89839b2cdc9deab
SHA512

978e8ea7504b32f1d4f18a34f7822c60593ea5bda821cd63d77b7e2e9b13f4fabfc5f89ec681cbcf88669138b2936394761e4da58e223d80c3948e28148ce299
SSDEEP

384:hYmdk8XvCJrQLdRGSiEYH7Y65gPyx6BDXNRmRvR6JZlbw8hqIusZzZFP:WwWktitaeRpcnuS

Score

10^/10

njrat lammer defense_evasion discovery persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

Lammer

C2

station-gps.gl.at.ply.gg:26933

Mutex

ded5a8703334377d83da00a864706211

Attributes

reg_key
ded5a8703334377d83da00a864706211
splitter
|'|'|

Targets

- Target
  
  Lammer.exe
- Size
  
  23KB
- MD5
  
  8ef1c362e7a42893a331a657d021d665
- SHA1
  
  fdfe06f05c2a51ef8968ddc1d9a7595d694c93f8
- SHA256
  
  db27bc172a5de048b3514746a8d78bfda52828ac10bf929fc89839b2cdc9deab
- SHA512
  
  978e8ea7504b32f1d4f18a34f7822c60593ea5bda821cd63d77b7e2e9b13f4fabfc5f89ec681cbcf88669138b2936394761e4da58e223d80c3948e28148ce299
- SSDEEP
  
  384:hYmdk8XvCJrQLdRGSiEYH7Y65gPyx6BDXNRmRvR6JZlbw8hqIusZzZFP:WwWktitaeRpcnuS
Score

10^/10

njrat defense_evasion discovery persistence privilege_escalation trojan
- Njrat family
  njrat
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Disables Task Manager via registry modification
  defense_evasion
- Modifies Windows Firewall
  defense_evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njratdefense_evasiondiscoverypersistenceprivilege_escalationtrojan