njrat | ae14ddfa9d6a02d17a44cac525f1bb524ecd1d3241c2c1604122bd762f791ed6 | Triage

Sharing

General

Target

ae14ddfa9d6a02d17a44cac525f1bb524ecd1d3241c2c1604122bd762f791ed6
Size

93KB
Sample

250208-djtbas1pd1
MD5

37e7cdd750ac364b0289287497294d10
SHA1

086eb7a4ddd07bf21db1e125392e29de272b2bbf
SHA256

ae14ddfa9d6a02d17a44cac525f1bb524ecd1d3241c2c1604122bd762f791ed6
SHA512

41fc25c5f041e5f41b07bef8aa6cc604c077fb9b7d042f3e494530ccf4ecdaab241efe4bfd69dd7260e6e8278d23241bf38e1def53d6294fddeb53eaa32fb0b9
SSDEEP

768:uY3EV530YTXspgM0m2zGjpyDtdXWuDtXYLWhyXxrjEtCdnl2pi1Rz4Rk3SsGdpI3:+VZ0AA0mT1mrWnL5jEwzGi1dDuDIgS

Score

10^/10

njrat hacked defense_evasion discovery persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

hakim32.ddns.net:2000

127.0.0.1:5513

Mutex

b7ee64dfceb91cd38897f066dbb39a91

Attributes

reg_key
b7ee64dfceb91cd38897f066dbb39a91
splitter
|'|'|

Targets

- Target
  
  ae14ddfa9d6a02d17a44cac525f1bb524ecd1d3241c2c1604122bd762f791ed6
- Size
  
  93KB
- MD5
  
  37e7cdd750ac364b0289287497294d10
- SHA1
  
  086eb7a4ddd07bf21db1e125392e29de272b2bbf
- SHA256
  
  ae14ddfa9d6a02d17a44cac525f1bb524ecd1d3241c2c1604122bd762f791ed6
- SHA512
  
  41fc25c5f041e5f41b07bef8aa6cc604c077fb9b7d042f3e494530ccf4ecdaab241efe4bfd69dd7260e6e8278d23241bf38e1def53d6294fddeb53eaa32fb0b9
- SSDEEP
  
  768:uY3EV530YTXspgM0m2zGjpyDtdXWuDtXYLWhyXxrjEtCdnl2pi1Rz4Rk3SsGdpI3:+VZ0AA0mT1mrWnL5jEwzGi1dDuDIgS
Score

10^/10

njrat hacked defense_evasion discovery persistence privilege_escalation trojan
- Njrat family
  njrat
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Disables Task Manager via registry modification
  defense_evasion
- Downloads MZ/PE file
- Modifies Windows Firewall
  defense_evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njrathackeddefense_evasiondiscoverypersistenceprivilege_escalationtrojan

behavioral2

defense_evasiondiscoverypersistenceprivilege_escalation