njrat | 8e1a79e5b3fb5504bf0ff03e5afee9b0e583c7c12e6948f9d2ef009fdaf7f411 | Triage

Sharing

General

Target

8e1a79e5b3fb5504bf0ff03e5afee9b0e583c7c12e6948f9d2ef009fdaf7f411N.exe
Size

863KB
Sample

250208-nmvnmsslct
MD5

eabac3adb5241da6df09c97b263811d0
SHA1

62a415bb864a72640160925d902e59a19f6a0b29
SHA256

8e1a79e5b3fb5504bf0ff03e5afee9b0e583c7c12e6948f9d2ef009fdaf7f411
SHA512

e466b1d065460c1adee33d2e3524fc2676784dcbc0383d227e7b4bbcd07805ee34fe0963b31e5f6b93b5406972bae003fe57b385ed090d32fbbd6d6c8b80f201
SSDEEP

12288:W4lsXvtCcmVVXzzn4PJAahPl/QEdIMiVbHydEIJnJWUgav7RyFq9MmCS:W4lavt0LkLL9IMixoEgeajRyFq9MmCS

Score

10^/10

njrat hacked defense_evasion discovery persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

127.0.0.1:5552

Mutex

279f6960ed84a752570aca7fb2dc1552

Attributes

reg_key
279f6960ed84a752570aca7fb2dc1552
splitter
|'|'|

Targets

- Target
  
  8e1a79e5b3fb5504bf0ff03e5afee9b0e583c7c12e6948f9d2ef009fdaf7f411N.exe
- Size
  
  863KB
- MD5
  
  eabac3adb5241da6df09c97b263811d0
- SHA1
  
  62a415bb864a72640160925d902e59a19f6a0b29
- SHA256
  
  8e1a79e5b3fb5504bf0ff03e5afee9b0e583c7c12e6948f9d2ef009fdaf7f411
- SHA512
  
  e466b1d065460c1adee33d2e3524fc2676784dcbc0383d227e7b4bbcd07805ee34fe0963b31e5f6b93b5406972bae003fe57b385ed090d32fbbd6d6c8b80f201
- SSDEEP
  
  12288:W4lsXvtCcmVVXzzn4PJAahPl/QEdIMiVbHydEIJnJWUgav7RyFq9MmCS:W4lavt0LkLL9IMixoEgeajRyFq9MmCS
Score

10^/10

njrat hacked defense_evasion discovery persistence privilege_escalation trojan
- Njrat family
  njrat
- UAC bypass
  defense_evasion trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Downloads MZ/PE file
- Modifies Windows Firewall
  defense_evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  defense_evasion trojan
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Abuse Elevation Control Mechanism

Bypass User Account Control

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Abuse Elevation Control Mechanism

Bypass User Account Control

Impair Defenses

Disable or Modify System Firewall

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njrathackeddefense_evasiondiscoverypersistenceprivilege_escalationtrojan

behavioral2

njratdefense_evasiondiscoverypersistenceprivilege_escalationtrojan