njrat | 97aa0bd887fc098b4ee45fb85abc29224b799e081c4d8910a574bb06cc055d6d | Triage

Sharing

General

Target

97aa0bd887fc098b4ee45fb85abc29224b799e081c4d8910a574bb06cc055d6d
Size

124KB
Sample

221125-h8staaec7y
MD5

840b83b5502535a2c3aaea19f33cc1b2
SHA1

f1d303370b2d40411cd56d6068c7c3a3d4ecd94f
SHA256

97aa0bd887fc098b4ee45fb85abc29224b799e081c4d8910a574bb06cc055d6d
SHA512

113b88db22a08c158493ee92018096012deee8705e3c3cf8a2d87775632c9bcbc9ae97d9ea397527a423a5314975b0a9cfbb1f880d2ffebb24967e60e4c8726f
SSDEEP

1536:A1uhNcWrbho4GpsNgEX6YaSd4Psq0PXpmWu79B1ArPUco9FLdS1EAd4kkVIIOQSu:rNcW3wsBraBIpPQMPozgEAQIIOG

Score

10^/10

njrat evasion persistence trojan

Malware Config

Targets

- Target
  
  97aa0bd887fc098b4ee45fb85abc29224b799e081c4d8910a574bb06cc055d6d
- Size
  
  124KB
- MD5
  
  840b83b5502535a2c3aaea19f33cc1b2
- SHA1
  
  f1d303370b2d40411cd56d6068c7c3a3d4ecd94f
- SHA256
  
  97aa0bd887fc098b4ee45fb85abc29224b799e081c4d8910a574bb06cc055d6d
- SHA512
  
  113b88db22a08c158493ee92018096012deee8705e3c3cf8a2d87775632c9bcbc9ae97d9ea397527a423a5314975b0a9cfbb1f880d2ffebb24967e60e4c8726f
- SSDEEP
  
  1536:A1uhNcWrbho4GpsNgEX6YaSd4Psq0PXpmWu79B1ArPUco9FLdS1EAd4kkVIIOQSu:rNcW3wsBraBIpPQMPozgEAQIIOG
Score

10^/10

evasion persistence njrat trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

evasionpersistence

behavioral2

njratevasionpersistencetrojan