njrat | 15e516db2e5992ec2ab10969b8b0fef5f86d37f3720cb3a738011fa3ca56a622 | Triage

Sharing

General

Target

Payload.exe
Size

54KB
Sample

250322-3a76jaxjz3
MD5

81e043b5ee1e8931c5ac4d6f79457590
SHA1

616f70b905d99605586de3fa2997135812f9faa1
SHA256

15e516db2e5992ec2ab10969b8b0fef5f86d37f3720cb3a738011fa3ca56a622
SHA512

e4933e3897f65a54b25f8e97084ab045b96b6645cb3a3ccdab80c0fd29dffdbf5f53a84b4a62c74d5190a3515b01226843b1f18da8f8768e667f7e97a9ee3e64
SSDEEP

1536:r3EVGt9gmgpDGxJSMGFWQcGD8X3xIEpm3g:QVGtGmCGxJSMGFWQnD8X3xIEpm

Score

10^/10

njrat victim bootkit defense_evasion discovery execution persistence trojan

Malware Config

Extracted

Family

njrat

Version

<- NjRAT 0.7d Horror Edition ->

Botnet

Victim

C2

associates-studio.gl.at.ply.gg:55946

Mutex

63c41129dcdd177a39b9286624eb2f23

Attributes

reg_key
63c41129dcdd177a39b9286624eb2f23
splitter
Y262SUCZ4UJJ

Targets

- Target
  
  Payload.exe
- Size
  
  54KB
- MD5
  
  81e043b5ee1e8931c5ac4d6f79457590
- SHA1
  
  616f70b905d99605586de3fa2997135812f9faa1
- SHA256
  
  15e516db2e5992ec2ab10969b8b0fef5f86d37f3720cb3a738011fa3ca56a622
- SHA512
  
  e4933e3897f65a54b25f8e97084ab045b96b6645cb3a3ccdab80c0fd29dffdbf5f53a84b4a62c74d5190a3515b01226843b1f18da8f8768e667f7e97a9ee3e64
- SSDEEP
  
  1536:r3EVGt9gmgpDGxJSMGFWQcGD8X3xIEpm3g:QVGtGmCGxJSMGFWQnD8X3xIEpm
Score

10^/10

njrat bootkit defense_evasion discovery execution persistence trojan
- Njrat family
  njrat
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Stops running service(s)
  defense_evasion execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

System Services

Service Execution

Persistence

Create or Modify System Process

Windows Service

Pre-OS Boot

Bootkit

Privilege Escalation

Create or Modify System Process

Windows Service

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Impair Defenses

Pre-OS Boot

Bootkit

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

Tasks

static1

behavioral1

njratbootkitdefense_evasiondiscoveryexecutionpersistencetrojan