njrat | 9f4bf59a47155bbab62e0f5ab2e9a9eb4d734a151fd379357bb7096b36494e17 | Triage

Sharing

General

Target

njRAT v0.7d Green Edition.7z
Size

1.6MB
Sample

250209-sr9qksvndm
MD5

d3e6fcd5df337cbdd82e20ec733974c6
SHA1

cdfe616636aa7bbfde3fe213e23adf86ee630907
SHA256

9f4bf59a47155bbab62e0f5ab2e9a9eb4d734a151fd379357bb7096b36494e17
SHA512

f9c1273527d7d5cd40b32c9b554d35d7963ad634700abd4cbe8b45a0e1e13feec5b685cd6dbbb75b1eea1caf27cdf6c5054d3fff3a65ea6686be20de3abee84e
SSDEEP

49152:p2hBKynG7aq/lhMSO6fCOCX+W3au6TSR1:p2DKyG//lySz6f31

Score

10^/10

njrat hacked defense_evasion discovery persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

HacKed

C2

127.0.0.1:5552

Mutex

fedf8177701c2b8eba54e8334d5decb3

Attributes

reg_key
fedf8177701c2b8eba54e8334d5decb3
splitter
|'|'|

Targets

- Target
  
  njRAT v0.7d Green Edition.7z
- Size
  
  1.6MB
- MD5
  
  d3e6fcd5df337cbdd82e20ec733974c6
- SHA1
  
  cdfe616636aa7bbfde3fe213e23adf86ee630907
- SHA256
  
  9f4bf59a47155bbab62e0f5ab2e9a9eb4d734a151fd379357bb7096b36494e17
- SHA512
  
  f9c1273527d7d5cd40b32c9b554d35d7963ad634700abd4cbe8b45a0e1e13feec5b685cd6dbbb75b1eea1caf27cdf6c5054d3fff3a65ea6686be20de3abee84e
- SSDEEP
  
  49152:p2hBKynG7aq/lhMSO6fCOCX+W3au6TSR1:p2DKyG//lySz6f31
Score

10^/10

discovery njrat hacked defense_evasion persistence privilege_escalation trojan
- Njrat family
  njrat
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Disables Task Manager via registry modification
  defense_evasion
- Downloads MZ/PE file
- Modifies Windows Firewall
  defense_evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Replication Through Removable Media

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

njrathackeddefense_evasiondiscoverypersistenceprivilege_escalationtrojan