njrat | 9cb6887c01bc56fd7aea651e506d64cb03372115d1a4a5b75f8d5e59c2332b0d | Triage

Sharing

General

Target

9cb6887c01bc56fd7aea651e506d64cb03372115d1a4a5b75f8d5e59c2332b0d
Size

432KB
Sample

221124-ag4sgahf8t
MD5

0891135f6b3117a7e0083017fdb4bc85
SHA1

e2c58b1819d978db070a85b59e6d7deeb3501454
SHA256

9cb6887c01bc56fd7aea651e506d64cb03372115d1a4a5b75f8d5e59c2332b0d
SHA512

cbfdfd96da484eb6d77c27c2fe7a13e96072535bd7d01f740a6cf2ededfbd6c46460870a6279cc1a1790ba9765204fad139bf9bea620002a124834ec2d6ced5a
SSDEEP

6144:3I8eR4QWSfvPePzvzR0OJJwdyVOYZRIPqwH0l25/txA:3I8eRrvPePHZwdyVOYZRIPqW5/t

Score

10^/10

njrat evasion persistence trojan

Malware Config

Targets

- Target
  
  9cb6887c01bc56fd7aea651e506d64cb03372115d1a4a5b75f8d5e59c2332b0d
- Size
  
  432KB
- MD5
  
  0891135f6b3117a7e0083017fdb4bc85
- SHA1
  
  e2c58b1819d978db070a85b59e6d7deeb3501454
- SHA256
  
  9cb6887c01bc56fd7aea651e506d64cb03372115d1a4a5b75f8d5e59c2332b0d
- SHA512
  
  cbfdfd96da484eb6d77c27c2fe7a13e96072535bd7d01f740a6cf2ededfbd6c46460870a6279cc1a1790ba9765204fad139bf9bea620002a124834ec2d6ced5a
- SSDEEP
  
  6144:3I8eR4QWSfvPePzvzR0OJJwdyVOYZRIPqwH0l25/txA:3I8eRrvPePHZwdyVOYZRIPqW5/t
Score

10^/10

evasion persistence njrat trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

evasionpersistence

behavioral2

njratevasionpersistencetrojan