njrat | 00d1bc82bc637355be482a6cd2693df6710ba30868260b88dd3275cdd8696b51 | Triage

Sharing

General

Target

00d1bc82bc637355be482a6cd2693df6710ba30868260b88dd3275cdd8696b51N.exe
Size

115KB
Sample

250202-b5bbhazlat
MD5

ae9bf5e79a480edb4bdabeef0a075810
SHA1

3e785040bc7ed878d818322581061bd20934b84c
SHA256

00d1bc82bc637355be482a6cd2693df6710ba30868260b88dd3275cdd8696b51
SHA512

1fa68d37a3d258bf4cc9bed0144492e501e12573616e22a8b4b36ef31abf1058ef33480264833728a371963d44f7c7f406eef22d102636687965cf416a0ba837
SSDEEP

3072:lHZ28rd2yNqfdcO6L0UQnICMce3SdJFhsz0HMib4:l1dZnQIEei3Fhsz0M

Score

10^/10

njrat hacked defense_evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

HacKed

C2

agdsagds.kro.kr:1111

Mutex

7bc5d4676f29fca15e68905e11aefcf9

Attributes

reg_key
7bc5d4676f29fca15e68905e11aefcf9
splitter
|'|'|

Targets

- Target
  
  00d1bc82bc637355be482a6cd2693df6710ba30868260b88dd3275cdd8696b51N.exe
- Size
  
  115KB
- MD5
  
  ae9bf5e79a480edb4bdabeef0a075810
- SHA1
  
  3e785040bc7ed878d818322581061bd20934b84c
- SHA256
  
  00d1bc82bc637355be482a6cd2693df6710ba30868260b88dd3275cdd8696b51
- SHA512
  
  1fa68d37a3d258bf4cc9bed0144492e501e12573616e22a8b4b36ef31abf1058ef33480264833728a371963d44f7c7f406eef22d102636687965cf416a0ba837
- SSDEEP
  
  3072:lHZ28rd2yNqfdcO6L0UQnICMce3SdJFhsz0HMib4:l1dZnQIEei3Fhsz0M
Score

10^/10

njrat hacked defense_evasion persistence privilege_escalation trojan
- Njrat family
  njrat
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  defense_evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njrathackeddefense_evasionpersistenceprivilege_escalationtrojan

behavioral2

njrathackeddefense_evasionpersistenceprivilege_escalationtrojan