njrat | 7c4177f841e33098ff6c34c8bd7c31b9f26e81593c3fbac4bf6833edb1f87471 | Triage

Sharing

General

Target

7c4177f841e33098ff6c34c8bd7c31b9f26e81593c3fbac4bf6833edb1f87471
Size

103KB
Sample

221124-3bvxlafb48
MD5

6134ec7d1283de4eaaa6fec2a8506768
SHA1

673238ff49a3168d01678bdcb5c950b66edbc88a
SHA256

7c4177f841e33098ff6c34c8bd7c31b9f26e81593c3fbac4bf6833edb1f87471
SHA512

44245dee219f1d7c7d6c2d65e4a00465df1d0db9a22e918eea413cf38a4fa4b62b687da9d6b6dcaa344ec15bd7986c12756984dbc61addcdb6d001072948d7dd
SSDEEP

1536:T+nJ8sXNh0ReMTPu/J3li7ynvuI4yso7ULr1ifvAs8i87+DktUC:6J8kNiRR7O3l9v0yuEfvA/i87qDC

Score

10^/10

njrat evasion persistence trojan

Malware Config

Targets

- Target
  
  7c4177f841e33098ff6c34c8bd7c31b9f26e81593c3fbac4bf6833edb1f87471
- Size
  
  103KB
- MD5
  
  6134ec7d1283de4eaaa6fec2a8506768
- SHA1
  
  673238ff49a3168d01678bdcb5c950b66edbc88a
- SHA256
  
  7c4177f841e33098ff6c34c8bd7c31b9f26e81593c3fbac4bf6833edb1f87471
- SHA512
  
  44245dee219f1d7c7d6c2d65e4a00465df1d0db9a22e918eea413cf38a4fa4b62b687da9d6b6dcaa344ec15bd7986c12756984dbc61addcdb6d001072948d7dd
- SSDEEP
  
  1536:T+nJ8sXNh0ReMTPu/J3li7ynvuI4yso7ULr1ifvAs8i87+DktUC:6J8kNiRR7O3l9v0yuEfvA/i87qDC
Score

10^/10

evasion persistence njrat trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

evasionpersistence

behavioral2

njratevasionpersistencetrojan