njrat | 4314ab3773ddf65e9a290d0889bb09d57fb4968ca49522453e5c9b92ef32f40b | Triage

Sharing

General

Target

4314ab3773ddf65e9a290d0889bb09d57fb4968ca49522453e5c9b92ef32f40b
Size

564KB
Sample

250207-z6e8vazkar
MD5

c709aa33c0165cebde24123555769a7a
SHA1

ad4813cd0461fbdbc7265dc7880e22978ffc7b54
SHA256

4314ab3773ddf65e9a290d0889bb09d57fb4968ca49522453e5c9b92ef32f40b
SHA512

ccd0ffc52ed12a4f2e74a0aef982dbd67b271412102e2373e07f24142560e0a0006d60166b1ba789bbb8745067c2d50e3e822f3355bdff2c52d22444151ab7eb
SSDEEP

12288:6yB0aI78IV40HioBu3yCeOr0rS6KsXr7ieWCU:BB07EyCTr0rFf7aC

Score

10^/10

njrat hacked defense_evasion discovery execution persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

cpanel.hackcrack.io:2222

Mutex

Windows Explorer

Attributes

reg_key
Windows Explorer
splitter
|'|'|

Targets

- Target
  
  4314ab3773ddf65e9a290d0889bb09d57fb4968ca49522453e5c9b92ef32f40b
- Size
  
  564KB
- MD5
  
  c709aa33c0165cebde24123555769a7a
- SHA1
  
  ad4813cd0461fbdbc7265dc7880e22978ffc7b54
- SHA256
  
  4314ab3773ddf65e9a290d0889bb09d57fb4968ca49522453e5c9b92ef32f40b
- SHA512
  
  ccd0ffc52ed12a4f2e74a0aef982dbd67b271412102e2373e07f24142560e0a0006d60166b1ba789bbb8745067c2d50e3e822f3355bdff2c52d22444151ab7eb
- SSDEEP
  
  12288:6yB0aI78IV40HioBu3yCeOr0rS6KsXr7ieWCU:BB07EyCTr0rFf7aC
Score

10^/10

njrat hacked defense_evasion persistence privilege_escalation trojan discovery execution
- Njrat family
  njrat
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Downloads MZ/PE file
- Modifies Windows Firewall
  defense_evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Hide Artifacts: Hidden Window
  Windows that would typically be displayed when an application carries out an operation can be hidden.
  defense_evasion
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Hide Artifacts

Hidden Window

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njrathackeddefense_evasionpersistenceprivilege_escalationtrojan

behavioral2

njrathackeddefense_evasiondiscoveryexecutionpersistenceprivilege_escalationtrojan