njrat | 50c97cbbbe7f913c96d08ae384b1a4065a6646fa0f51670b00c0a9f2d851416d | Triage

Sharing

General

Target

50c97cbbbe7f913c96d08ae384b1a4065a6646fa0f51670b00c0a9f2d851416d.exe
Size

28KB
Sample

250202-b8fqdszmbz
MD5

d5af61a98bc484c5755ad0d185415301
SHA1

a48e7901189a28ff88c7436ee297dd7293995c63
SHA256

50c97cbbbe7f913c96d08ae384b1a4065a6646fa0f51670b00c0a9f2d851416d
SHA512

6c2622bfe15b736d2f2b86bf23c21b01334b823b05ce821c32f424a5afd67f51322c515fae93606d9ca16799d79ffc9be8dd3e5be7e2c87e9ac71519215f5831
SSDEEP

768:/bNAbS3gEbKmqLWaWViqs2A6F+dMHqfO8nzR4:/5A0gABqLWnViMF3c2

Score

10^/10

njrat a3 defense_evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

A3

C2

supportinformtion.serveirc.com:9699

Mutex

30967b141a634907236835b8c35d7d43

Attributes

reg_key
30967b141a634907236835b8c35d7d43
splitter
|'|'|

Targets

- Target
  
  50c97cbbbe7f913c96d08ae384b1a4065a6646fa0f51670b00c0a9f2d851416d.exe
- Size
  
  28KB
- MD5
  
  d5af61a98bc484c5755ad0d185415301
- SHA1
  
  a48e7901189a28ff88c7436ee297dd7293995c63
- SHA256
  
  50c97cbbbe7f913c96d08ae384b1a4065a6646fa0f51670b00c0a9f2d851416d
- SHA512
  
  6c2622bfe15b736d2f2b86bf23c21b01334b823b05ce821c32f424a5afd67f51322c515fae93606d9ca16799d79ffc9be8dd3e5be7e2c87e9ac71519215f5831
- SSDEEP
  
  768:/bNAbS3gEbKmqLWaWViqs2A6F+dMHqfO8nzR4:/5A0gABqLWnViMF3c2
Score

10^/10

njrat a3 defense_evasion persistence privilege_escalation trojan
- Njrat family
  njrat
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  defense_evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njrata3defense_evasionpersistenceprivilege_escalationtrojan

behavioral2

njrata3defense_evasionpersistenceprivilege_escalationtrojan