njrat | 7dafea747cea5cfdbef469966acaa7f3943962de6a40f6909cb8f167d612b3f8 | Triage

Sharing

General

Target

7dafea747cea5cfdbef469966acaa7f3943962de6a40f6909cb8f167d612b3f8
Size

999KB
Sample

250127-r5p3natqem
MD5

b20afbf4f8f5abca8b7622279afc86f4
SHA1

9631428b25e7c115c970763cb3362d67acdfad76
SHA256

7dafea747cea5cfdbef469966acaa7f3943962de6a40f6909cb8f167d612b3f8
SHA512

31e16148c8d73956fa4bbf640495b68305f1b6a34c489e4dbd5a73a5dcde0a1c80813aaa2ec2cafeaff2539bde79b5d91eadbd48a5c13a20a80a7bf6f022ffef
SSDEEP

24576:A4lavt0LkLL9IMixoEgeaWp/+hwWq9MmCS:3kwkn9IMHeaWp0PaPCS

Score

10^/10

njrat hacked defense_evasion discovery persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

10.10.10.18:5552

Mutex

54435c35e0b080ff81569515525baf6b

Attributes

reg_key
54435c35e0b080ff81569515525baf6b
splitter
|'|'|

Targets

- Target
  
  7dafea747cea5cfdbef469966acaa7f3943962de6a40f6909cb8f167d612b3f8
- Size
  
  999KB
- MD5
  
  b20afbf4f8f5abca8b7622279afc86f4
- SHA1
  
  9631428b25e7c115c970763cb3362d67acdfad76
- SHA256
  
  7dafea747cea5cfdbef469966acaa7f3943962de6a40f6909cb8f167d612b3f8
- SHA512
  
  31e16148c8d73956fa4bbf640495b68305f1b6a34c489e4dbd5a73a5dcde0a1c80813aaa2ec2cafeaff2539bde79b5d91eadbd48a5c13a20a80a7bf6f022ffef
- SSDEEP
  
  24576:A4lavt0LkLL9IMixoEgeaWp/+hwWq9MmCS:3kwkn9IMHeaWp0PaPCS
Score

10^/10

njrat hacked defense_evasion discovery persistence privilege_escalation trojan
- Njrat family
  njrat
- UAC bypass
  defense_evasion trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  defense_evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  defense_evasion trojan
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Abuse Elevation Control Mechanism

Bypass User Account Control

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Abuse Elevation Control Mechanism

Bypass User Account Control

Impair Defenses

Disable or Modify System Firewall

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njrathackeddefense_evasiondiscoverypersistenceprivilege_escalationtrojan

behavioral2

njratdefense_evasiondiscoverypersistenceprivilege_escalationtrojan