njrat | 6cf2ebb06c8534930bd6b309390a4fbaf18be95a0193dca8f0ff29c89abe6ea1 | Triage

Sharing

General

Target

6cf2ebb06c8534930bd6b309390a4fbaf18be95a0193dca8f0ff29c89abe6ea1
Size

500KB
Sample

221123-xetwtaeg64
MD5

01e3617a09cca6d34fe3a39d34adc974
SHA1

cac71a437ef1b9411488bdb4959403c9d859d6dd
SHA256

6cf2ebb06c8534930bd6b309390a4fbaf18be95a0193dca8f0ff29c89abe6ea1
SHA512

3d13f75a43baffffbbf9fb65321d45280d93a21760342ba177b691dfab2f4d775b281df59e64c605c9f058144544adfb3536a4cddd2958f9836a923869601641
SSDEEP

12288:s4vvfwYw2Q79D6H9QkbURy/ZjbbkPrreri0H+/5SiufX:s+fTb9tISiuf

Score

10^/10

njrat evasion persistence trojan

Malware Config

Targets

- Target
  
  6cf2ebb06c8534930bd6b309390a4fbaf18be95a0193dca8f0ff29c89abe6ea1
- Size
  
  500KB
- MD5
  
  01e3617a09cca6d34fe3a39d34adc974
- SHA1
  
  cac71a437ef1b9411488bdb4959403c9d859d6dd
- SHA256
  
  6cf2ebb06c8534930bd6b309390a4fbaf18be95a0193dca8f0ff29c89abe6ea1
- SHA512
  
  3d13f75a43baffffbbf9fb65321d45280d93a21760342ba177b691dfab2f4d775b281df59e64c605c9f058144544adfb3536a4cddd2958f9836a923869601641
- SSDEEP
  
  12288:s4vvfwYw2Q79D6H9QkbURy/ZjbbkPrreri0H+/5SiufX:s+fTb9tISiuf
Score

10^/10

evasion persistence njrat trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

evasionpersistence

behavioral2

njratevasionpersistencetrojan