njrat | 3c5f8cb08c9304a4926891598e294dbdb403b30102079b324aeb2a98a5297383 | Triage

Sharing

General

Target

3c5f8cb08c9304a4926891598e294dbdb403b30102079b324aeb2a98a5297383
Size

193KB
Sample

221002-l71paacahk
MD5

67af7bfc251b66e12da5d08a1e45fba0
SHA1

67b7a665847884f855321b33136052bdc9fc4b72
SHA256

3c5f8cb08c9304a4926891598e294dbdb403b30102079b324aeb2a98a5297383
SHA512

a7e62bd841be84f4f66a3e99a7191ffa554c6ba488b895f3e23d04c11da9128650cf142589a98fc6ae51fd22ae4c6807bf3e538797271e0ecb755e98e8fd52fb
SSDEEP

3072:YNObDvd2vvqgZ9nhEDAVIonwz8WNvjQH2vOBkvuHozZhDHKW4d6Enial0WRBAgVI:YBvvqgZ9nh2jQH2WBSURzlBjI

Score

10^/10

njrat evasion persistence trojan

Malware Config

Targets

- Target
  
  3c5f8cb08c9304a4926891598e294dbdb403b30102079b324aeb2a98a5297383
- Size
  
  193KB
- MD5
  
  67af7bfc251b66e12da5d08a1e45fba0
- SHA1
  
  67b7a665847884f855321b33136052bdc9fc4b72
- SHA256
  
  3c5f8cb08c9304a4926891598e294dbdb403b30102079b324aeb2a98a5297383
- SHA512
  
  a7e62bd841be84f4f66a3e99a7191ffa554c6ba488b895f3e23d04c11da9128650cf142589a98fc6ae51fd22ae4c6807bf3e538797271e0ecb755e98e8fd52fb
- SSDEEP
  
  3072:YNObDvd2vvqgZ9nhEDAVIonwz8WNvjQH2vOBkvuHozZhDHKW4d6Enial0WRBAgVI:YBvvqgZ9nh2jQH2WBSURzlBjI
Score

10^/10

evasion persistence njrat trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

evasionpersistence

behavioral2

njratevasionpersistencetrojan