njrat | f92ba9ee6557729cd10ecf39309656c92430adbe44b2f8846718fd6c3a7f6b76 | Triage

Sharing

General

Target

f92ba9ee6557729cd10ecf39309656c92430adbe44b2f8846718fd6c3a7f6b76
Size

108KB
Sample

221124-2nhmcsdg27
MD5

3f093d8d048a12f3624fa04a94c4db1c
SHA1

1db63eac595c764dd5c9e8e628c9e62f866e26e5
SHA256

f92ba9ee6557729cd10ecf39309656c92430adbe44b2f8846718fd6c3a7f6b76
SHA512

f5a72fa4dfac83e7a2186a84e445074c656fbba7d35d93cd90c1b5f5e86f731eff64c41289d041193fd62662f5b6f2bbedbd3d6316360f4004a892ba7d237d4d
SSDEEP

1536:6C7bcfsbgxwvFahJKTLKRMp41VPmuvQbDJZp9iXp3qB40qnFT0:d9bgxwdahMLkYmmpblZp9iZv0qn

Score

10^/10

njrat evasion persistence trojan

Malware Config

Targets

- Target
  
  f92ba9ee6557729cd10ecf39309656c92430adbe44b2f8846718fd6c3a7f6b76
- Size
  
  108KB
- MD5
  
  3f093d8d048a12f3624fa04a94c4db1c
- SHA1
  
  1db63eac595c764dd5c9e8e628c9e62f866e26e5
- SHA256
  
  f92ba9ee6557729cd10ecf39309656c92430adbe44b2f8846718fd6c3a7f6b76
- SHA512
  
  f5a72fa4dfac83e7a2186a84e445074c656fbba7d35d93cd90c1b5f5e86f731eff64c41289d041193fd62662f5b6f2bbedbd3d6316360f4004a892ba7d237d4d
- SSDEEP
  
  1536:6C7bcfsbgxwvFahJKTLKRMp41VPmuvQbDJZp9iXp3qB40qnFT0:d9bgxwdahMLkYmmpblZp9iZv0qn
Score

10^/10

njrat evasion persistence trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

njratevasionpersistencetrojan

behavioral2

njratevasionpersistencetrojan