njrat | bdfb9bc4ada7e0f8ad5a38dd25427358c07faf7e2b1eb5094ffd5d6c678c3b9e | Triage

Sharing

General

Target

rt.exe
Size

37KB
Sample

250304-r796lssxhw
MD5

71f33744ecc3c8081c3aace847093b11
SHA1

195bffaacc78ae7413ff8e171d9b2787d4642cc0
SHA256

bdfb9bc4ada7e0f8ad5a38dd25427358c07faf7e2b1eb5094ffd5d6c678c3b9e
SHA512

d9cd1c8c6c91d6bc37af0589aaaee85708d23bb47386968b97cd4fdf526fde4441404b9c2d28f271589f140f2db2ecf1dbe98a0f374abdff2d727060ffc7c6ad
SSDEEP

384:eIoMiLzBndznNCyMGm36ePb9cGcPdhrAF+rMRTyN/0L+EcoinblneHQM3epzXNNY:FiRNRMGm33JVc1hrM+rMRa8Nubqt

Score

10^/10

njrat hacked defense_evasion discovery persistence privilege_escalation

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

HacKed

C2

acer.tail843d69.ts.net:8080

Mutex

acda0b86727107ee4a9c230d7ddde1ae

Attributes

reg_key
acda0b86727107ee4a9c230d7ddde1ae
splitter
|'|'|

Targets

- Target
  
  rt.exe
- Size
  
  37KB
- MD5
  
  71f33744ecc3c8081c3aace847093b11
- SHA1
  
  195bffaacc78ae7413ff8e171d9b2787d4642cc0
- SHA256
  
  bdfb9bc4ada7e0f8ad5a38dd25427358c07faf7e2b1eb5094ffd5d6c678c3b9e
- SHA512
  
  d9cd1c8c6c91d6bc37af0589aaaee85708d23bb47386968b97cd4fdf526fde4441404b9c2d28f271589f140f2db2ecf1dbe98a0f374abdff2d727060ffc7c6ad
- SSDEEP
  
  384:eIoMiLzBndznNCyMGm36ePb9cGcPdhrAF+rMRTyN/0L+EcoinblneHQM3epzXNNY:FiRNRMGm33JVc1hrM+rMRa8Nubqt
Score

8^/10

defense_evasion discovery persistence privilege_escalation
- Modifies Windows Firewall
  defense_evasion
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Replication Through Removable Media

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

defense_evasiondiscoverypersistenceprivilege_escalation