njrat | 3c0c8341a5c799791524e3cff41e7a99cd5e2eabf93a122d551896186bc88ca8 | Triage

Sharing

General

Target

3c0c8341a5c799791524e3cff41e7a99cd5e2eabf93a122d551896186bc88ca8
Size

37KB
Sample

250225-sbq9as1pv9
MD5

aa83d654a4475f46e61c95fbd89ee18f
SHA1

423100a56f74e572502b1be8046f2e26abd9244e
SHA256

3c0c8341a5c799791524e3cff41e7a99cd5e2eabf93a122d551896186bc88ca8
SHA512

61ce64757af6da152ba505b1c9cfab0b8c3932b01e8ca999353cdd2e14c7469ee5fb480b6d978dd0d040339814ee67c67cf63043e8d24d3f6ec1e22e71294798
SSDEEP

384:4CdsoixJvl7OHg1WykrqSTX3y8RsIDoJrAF+rMRTyN/0L+EcoinblneHQM3epzXR:Rd+R1NkrqSTSasIurM+rMRa8Nuq6t

Score

10^/10

njrat hacked_notfully defense_evasion discovery persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

HacKed_NotFully

C2

moneroman.ddns.net:1194

Mutex

5f1c1f4a8f4a8082788e31e499b05f88

Attributes

reg_key
5f1c1f4a8f4a8082788e31e499b05f88
splitter
|'|'|

Targets

- Target
  
  3c0c8341a5c799791524e3cff41e7a99cd5e2eabf93a122d551896186bc88ca8
- Size
  
  37KB
- MD5
  
  aa83d654a4475f46e61c95fbd89ee18f
- SHA1
  
  423100a56f74e572502b1be8046f2e26abd9244e
- SHA256
  
  3c0c8341a5c799791524e3cff41e7a99cd5e2eabf93a122d551896186bc88ca8
- SHA512
  
  61ce64757af6da152ba505b1c9cfab0b8c3932b01e8ca999353cdd2e14c7469ee5fb480b6d978dd0d040339814ee67c67cf63043e8d24d3f6ec1e22e71294798
- SSDEEP
  
  384:4CdsoixJvl7OHg1WykrqSTX3y8RsIDoJrAF+rMRTyN/0L+EcoinblneHQM3epzXR:Rd+R1NkrqSTSasIurM+rMRa8Nuq6t
Score

10^/10

njrat hacked_notfully defense_evasion discovery persistence privilege_escalation trojan
- Njrat family
  njrat
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  defense_evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Replication Through Removable Media

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

hacked_notfullynjrat

behavioral1

njrathacked_notfullydefense_evasiondiscoverypersistenceprivilege_escalationtrojan

behavioral2

defense_evasiondiscoverypersistenceprivilege_escalation