njrat | 2e070cea455fa1e5c7c0e85c1cd07b9abc3114a3335efbeedc755088f584a5de | Triage

Sharing

General

Target

2e070cea455fa1e5c7c0e85c1cd07b9abc3114a3335efbeedc755088f584a5de.exe
Size

117KB
Sample

250122-vkh1dsxkfk
MD5

4072d20b7d87e7535996498f65c111fc
SHA1

cec2f3d04fdeceb0ef5f1d40e60fe9f659047ce1
SHA256

2e070cea455fa1e5c7c0e85c1cd07b9abc3114a3335efbeedc755088f584a5de
SHA512

7f591b4d930530a9058995cc70323ed3d86f595bd4ae9fc097662b79fabb69abacb2bb41c9fc7d3060ffe52bff1e38ce166be3d6d0bdf1ac70593fa2587e34d4
SSDEEP

1536:Tl+qMz7zRwM73ifqkWThNgktlw9C2hBjsVbR1YLOl+qMz7zRwM7T:Tb8iYHkyNgzC2vLOb8iYT

Score

10^/10

njrat sunplus defense_evasion discovery persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

sunplus

C2

arabick.duckdns.org:3329

Mutex

4a5906bc047587dfba7c89a4d5cd271a

Attributes

reg_key
4a5906bc047587dfba7c89a4d5cd271a
splitter
|'|'|

Targets

- Target
  
  2e070cea455fa1e5c7c0e85c1cd07b9abc3114a3335efbeedc755088f584a5de.exe
- Size
  
  117KB
- MD5
  
  4072d20b7d87e7535996498f65c111fc
- SHA1
  
  cec2f3d04fdeceb0ef5f1d40e60fe9f659047ce1
- SHA256
  
  2e070cea455fa1e5c7c0e85c1cd07b9abc3114a3335efbeedc755088f584a5de
- SHA512
  
  7f591b4d930530a9058995cc70323ed3d86f595bd4ae9fc097662b79fabb69abacb2bb41c9fc7d3060ffe52bff1e38ce166be3d6d0bdf1ac70593fa2587e34d4
- SSDEEP
  
  1536:Tl+qMz7zRwM73ifqkWThNgktlw9C2hBjsVbR1YLOl+qMz7zRwM7T:Tb8iYHkyNgzC2vLOb8iYT
Score

10^/10

njrat sunplus defense_evasion discovery persistence privilege_escalation trojan
- Njrat family
  njrat
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  defense_evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njratsunplusdefense_evasiondiscoverypersistenceprivilege_escalationtrojan

behavioral2

njratdefense_evasiondiscoverypersistenceprivilege_escalationtrojan