njrat | b160628daaa564297380332b5e854f217a1ceb3af5a1031b982b6884d6a45741 | Triage

Sharing

General

Target

b160628daaa564297380332b5e854f217a1ceb3af5a1031b982b6884d6a45741
Size

212KB
Sample

221125-h2z9sadg7w
MD5

1e2a4e33b52c40d1f88488229339c49a
SHA1

8eaf1a1bfc40ae0c1e8d2903a7f32c59d87fad81
SHA256

b160628daaa564297380332b5e854f217a1ceb3af5a1031b982b6884d6a45741
SHA512

67b8322fbad551618e675a6a04e8743a95d07b306ad887df99f8aa960d2dd375aaa85035266d5d9c9fa7da36b639176787483645e6e89ad9f0862a99878cefa3
SSDEEP

3072:5D4N92eb5lbL9L9CaUsC8fnC5TfYlKdE9vEoi8sIWAcRO4is+K:5D4rbHTCaUsC8xj2RbR3

Score

10^/10

njrat evasion persistence trojan

Malware Config

Targets

- Target
  
  b160628daaa564297380332b5e854f217a1ceb3af5a1031b982b6884d6a45741
- Size
  
  212KB
- MD5
  
  1e2a4e33b52c40d1f88488229339c49a
- SHA1
  
  8eaf1a1bfc40ae0c1e8d2903a7f32c59d87fad81
- SHA256
  
  b160628daaa564297380332b5e854f217a1ceb3af5a1031b982b6884d6a45741
- SHA512
  
  67b8322fbad551618e675a6a04e8743a95d07b306ad887df99f8aa960d2dd375aaa85035266d5d9c9fa7da36b639176787483645e6e89ad9f0862a99878cefa3
- SSDEEP
  
  3072:5D4N92eb5lbL9L9CaUsC8fnC5TfYlKdE9vEoi8sIWAcRO4is+K:5D4rbHTCaUsC8xj2RbR3
Score

10^/10

njrat evasion persistence trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

njratevasionpersistencetrojan

behavioral2

njratevasionpersistencetrojan