njrat | f6a036cf49f5efff88cf2d2d43bbcff5e0f8c6c9176b94d6a2adbf7ca0064b7e | Triage

Sharing

General

Target

f6a036cf49f5efff88cf2d2d43bbcff5e0f8c6c9176b94d6a2adbf7ca0064b7e
Size

352KB
Sample

221124-vcchmsga97
MD5

40c56e434a5ec038e81b779c59167e04
SHA1

8497592cea36b22d60363128fe6f1c65affb4da9
SHA256

f6a036cf49f5efff88cf2d2d43bbcff5e0f8c6c9176b94d6a2adbf7ca0064b7e
SHA512

03c3df9e52b2dadc0ba277ea097f4525ca1159e255257a3dbe379d9f43adff1d182b63b2dc3144a206f82db0b13071e3ef1807f7bc2fb04135c60cc0a70434a1
SSDEEP

6144:BZBva6M7np6LDi6+eLn+n8Rh/98QNigfZEBqD/2N9DLPpk:VvkiDi6+eLn+8HOQNqqDODDL2

Score

10^/10

njrat evasion persistence trojan

Malware Config

Targets

- Target
  
  f6a036cf49f5efff88cf2d2d43bbcff5e0f8c6c9176b94d6a2adbf7ca0064b7e
- Size
  
  352KB
- MD5
  
  40c56e434a5ec038e81b779c59167e04
- SHA1
  
  8497592cea36b22d60363128fe6f1c65affb4da9
- SHA256
  
  f6a036cf49f5efff88cf2d2d43bbcff5e0f8c6c9176b94d6a2adbf7ca0064b7e
- SHA512
  
  03c3df9e52b2dadc0ba277ea097f4525ca1159e255257a3dbe379d9f43adff1d182b63b2dc3144a206f82db0b13071e3ef1807f7bc2fb04135c60cc0a70434a1
- SSDEEP
  
  6144:BZBva6M7np6LDi6+eLn+n8Rh/98QNigfZEBqD/2N9DLPpk:VvkiDi6+eLn+8HOQNqqDODDL2
Score

10^/10

evasion persistence njrat trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

evasionpersistence

behavioral2

njratevasionpersistencetrojan