njrat | c9da3969931b59d99a6b21cfabd2677c6c58b848d0a6b19b8c1a9112a2e61e21 | Triage

Sharing

General

Target

1c8368db627fc2772484d28c8685eb99.exe
Size

6.8MB
Sample

250128-nv55caxmht
MD5

1c8368db627fc2772484d28c8685eb99
SHA1

3850f2b066c1df55c70d63b6d89eb6854fb24df1
SHA256

c9da3969931b59d99a6b21cfabd2677c6c58b848d0a6b19b8c1a9112a2e61e21
SHA512

6e25b79aad59b0ad43ea855ccbeb343dfc51310d9a56ef10dbc6654cff80c2546a87213aed3c09fb524a448aa3d1fc54ae99b9a63933fd3e1ab2c52aee436393
SSDEEP

196608:OJoCz3uizalBzSTIj5JvIe7Vs9oxUDXj8jGphb:YuPzRBIe7VB8T3l

Score

10^/10

njrat -defense_evasion discovery persistence privilege_escalation pyinstaller trojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

-

C2

5.tcp.eu.ngrok.io:15938

Mutex

76f76913a3057d2193e27e6377b7ae49

Attributes

reg_key
76f76913a3057d2193e27e6377b7ae49
splitter
|'|'|

Targets

- Target
  
  1c8368db627fc2772484d28c8685eb99.exe
- Size
  
  6.8MB
- MD5
  
  1c8368db627fc2772484d28c8685eb99
- SHA1
  
  3850f2b066c1df55c70d63b6d89eb6854fb24df1
- SHA256
  
  c9da3969931b59d99a6b21cfabd2677c6c58b848d0a6b19b8c1a9112a2e61e21
- SHA512
  
  6e25b79aad59b0ad43ea855ccbeb343dfc51310d9a56ef10dbc6654cff80c2546a87213aed3c09fb524a448aa3d1fc54ae99b9a63933fd3e1ab2c52aee436393
- SSDEEP
  
  196608:OJoCz3uizalBzSTIj5JvIe7Vs9oxUDXj8jGphb:YuPzRBIe7VB8T3l
Score

10^/10

discovery pyinstaller njrat -defense_evasion persistence privilege_escalation trojan
- Njrat family
  njrat
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  defense_evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

discoverypyinstaller

behavioral2

njrat-defense_evasiondiscoverypersistenceprivilege_escalationpyinstallertrojan