njrat | 0e798055549a18d74a4c26621e5925883c55a33f2be16cb4b79eeefd40c9dd0c | Triage

Resubmissions

18-01-2021 13:44

210118-tnaye7c7rn 10

17-01-2021 17:18

210117-bjwdekjbns 10

03-01-2021 10:03

210103-jfxpahl1la 10

Sharing

General

Target

7P7DYQVc.exe
Size

23KB
Sample

210103-jfxpahl1la
MD5

d350b0d6462773a8f98d60ec7ca993fe
SHA1

a8eced99a403074fd6be13a579df9a35acb7acf9
SHA256

0e798055549a18d74a4c26621e5925883c55a33f2be16cb4b79eeefd40c9dd0c
SHA512

4105c6a027a7e9b89f08cc635ea6cefab8f3c270b9ddb7915ef0232084cad96a1df3b328f97be653f7d5ccaa457396450d2189269ddf9379b24c5b182ca9e567

Score

10^/10

njrat bootkit evasion persistence ransomware trojan

Malware Config

Targets

- Target
  
  7P7DYQVc.exe
- Size
  
  23KB
- MD5
  
  d350b0d6462773a8f98d60ec7ca993fe
- SHA1
  
  a8eced99a403074fd6be13a579df9a35acb7acf9
- SHA256
  
  0e798055549a18d74a4c26621e5925883c55a33f2be16cb4b79eeefd40c9dd0c
- SHA512
  
  4105c6a027a7e9b89f08cc635ea6cefab8f3c270b9ddb7915ef0232084cad96a1df3b328f97be653f7d5ccaa457396450d2189269ddf9379b24c5b182ca9e567
Score

10^/10

njrat evasion persistence trojan bootkit ransomware
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Executes dropped EXE
- Modifies WinLogon to allow AutoLogon
  Enables rebooting of the machine without requiring login credentials.
  ransomware bootkit
- Modifies Windows Firewall
  evasion
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

njratevasionpersistencetrojan

behavioral2

njratbootkitevasionpersistenceransomwaretrojan