njrat | 4ce4a034024c108c1ec4c38bc0235f3ab94b5f308199a5c60e3cd706bfb46854 | Triage

Sharing

General

Target

4ce4a034024c108c1ec4c38bc0235f3ab94b5f308199a5c60e3cd706bfb46854
Size

183KB
Sample

250127-14wngsxlby
MD5

0b786d749488d1dbce96ba6d70b81afb
SHA1

73d338f2788538fc3e082c0bcfda073bccb6c304
SHA256

4ce4a034024c108c1ec4c38bc0235f3ab94b5f308199a5c60e3cd706bfb46854
SHA512

a2e6478902481aba53f1cc6bd344c55aefc96d880939d33f8a91731983b329392ef75b7e11886809c5321e3e1176484bdd04e96eebd5f7021ba3a705f0f70585
SSDEEP

3072:kmh7/CUBBSUb4XVkF4HGaBEl6OygXlL2RFQoP7JmKWNFTkEt8QXrQQck+/lFOjzP:kmhbCdM4mMgR2RaKWfj8QXrAlMgM

Score

10^/10

njrat hacked defense_evasion discovery persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

HacKed

C2

kkttyy.kro.kr:2859

Mutex

d059b6aa76c2da376867aa3188bcd31f

Attributes

reg_key
d059b6aa76c2da376867aa3188bcd31f
splitter
|'|'|

Targets

- Target
  
  4ce4a034024c108c1ec4c38bc0235f3ab94b5f308199a5c60e3cd706bfb46854
- Size
  
  183KB
- MD5
  
  0b786d749488d1dbce96ba6d70b81afb
- SHA1
  
  73d338f2788538fc3e082c0bcfda073bccb6c304
- SHA256
  
  4ce4a034024c108c1ec4c38bc0235f3ab94b5f308199a5c60e3cd706bfb46854
- SHA512
  
  a2e6478902481aba53f1cc6bd344c55aefc96d880939d33f8a91731983b329392ef75b7e11886809c5321e3e1176484bdd04e96eebd5f7021ba3a705f0f70585
- SSDEEP
  
  3072:kmh7/CUBBSUb4XVkF4HGaBEl6OygXlL2RFQoP7JmKWNFTkEt8QXrQQck+/lFOjzP:kmhbCdM4mMgR2RaKWfj8QXrAlMgM
Score

10^/10

njrat hacked defense_evasion discovery persistence privilege_escalation trojan
- Njrat family
  njrat
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  defense_evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Replication Through Removable Media

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njrathackeddefense_evasiondiscoverypersistenceprivilege_escalationtrojan

behavioral2

njrathackeddefense_evasiondiscoverypersistenceprivilege_escalationtrojan