njrat | a7ae40544682a27bb1837c0c5d99f417bb4b8e8036e851529fe49a3d507a570b | Triage

Resubmissions

28/03/2025, 17:18

250328-vvcalayybz 10

28/03/2025, 17:17

250328-vtq3csyyax 10

Sharing

General

Target

babv.exe
Size

29KB
Sample

250328-vtq3csyyax
MD5

85e61aaafe402f7a04e793a53288a072
SHA1

e8d088224025f54c58fa11e8b9835fa7dfd3b9ff
SHA256

a7ae40544682a27bb1837c0c5d99f417bb4b8e8036e851529fe49a3d507a570b
SHA512

cbfd7413fa3373e4c947c35b9605c1dade7159de0990f0961eef2bc4e2dc5e06b2e8cef974f9ada76951732a74d715c84d22e58c7dd1a841eab0e3096cc36511
SSDEEP

384:tBs/hl7b1/JEI+GPWrb5hFEaemqD6CLeQTGBsbh0w4wlAokw9OhgOL1vYRGOZz/L:t47bXEI+GevhEsqdLe3BKh0p29SgR5d

Score

10^/10

njrat hacked credential_access defense_evasion discovery persistence privilege_escalation spyware stealer trojan

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

HacKed

C2

195.88.218.126:1177

Mutex

5cd8f17f4086744065eb0992a09e05a2

Attributes

reg_key
5cd8f17f4086744065eb0992a09e05a2
splitter
|'|'|

Targets

- Target
  
  babv.exe
- Size
  
  29KB
- MD5
  
  85e61aaafe402f7a04e793a53288a072
- SHA1
  
  e8d088224025f54c58fa11e8b9835fa7dfd3b9ff
- SHA256
  
  a7ae40544682a27bb1837c0c5d99f417bb4b8e8036e851529fe49a3d507a570b
- SHA512
  
  cbfd7413fa3373e4c947c35b9605c1dade7159de0990f0961eef2bc4e2dc5e06b2e8cef974f9ada76951732a74d715c84d22e58c7dd1a841eab0e3096cc36511
- SSDEEP
  
  384:tBs/hl7b1/JEI+GPWrb5hFEaemqD6CLeQTGBsbh0w4wlAokw9OhgOL1vYRGOZz/L:t47bXEI+GevhEsqdLe3BKh0p29SgR5d
Score

10^/10

njrat hacked defense_evasion discovery trojan credential_access persistence privilege_escalation spyware stealer
- Njrat family
  njrat
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  defense_evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Adds Run key to start application
  persistence
behavioral1 behavioral2 behavioral3 behavioral4

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njrathackeddefense_evasiondiscoverytrojan

behavioral2

credential_accessdefense_evasiondiscoverypersistenceprivilege_escalationspywarestealer

behavioral3

njrathackedcredential_accessdefense_evasiondiscoverypersistenceprivilege_escalationspywarestealertrojan

behavioral4

credential_accessdefense_evasiondiscoverypersistenceprivilege_escalationspywarestealer