njrat | eb0563fb96018f720b61096c6ef15a607568640710f817f1e0aa7e6e7a1e8009 | Triage

Sharing

General

Target

eb0563fb96018f720b61096c6ef15a607568640710f817f1e0aa7e6e7a1e8009
Size

419KB
Sample

221125-hmpvhahc46
MD5

b330803582bfe1bc82a28d9169052d9e
SHA1

5752a32a1096adffe12796f18f4aabb1945cc2ce
SHA256

eb0563fb96018f720b61096c6ef15a607568640710f817f1e0aa7e6e7a1e8009
SHA512

a8d8ccbc978598287d9cd51cee1556710b44203c18df26e1f459111f31723643cdc4115fd21efbe5bf583bcca8b9af85d7d8cf47c73fc6f085cd5a813697e329
SSDEEP

6144:9KIV7Fi1oUOMK+6rIqOkgRL2j6lQizFK/p03IA2mChvQ88U/xug:gUi1oX+OIugRL46lQizI03IA2mctrb

Score

10^/10

njrat evasion persistence trojan

Malware Config

Targets

- Target
  
  eb0563fb96018f720b61096c6ef15a607568640710f817f1e0aa7e6e7a1e8009
- Size
  
  419KB
- MD5
  
  b330803582bfe1bc82a28d9169052d9e
- SHA1
  
  5752a32a1096adffe12796f18f4aabb1945cc2ce
- SHA256
  
  eb0563fb96018f720b61096c6ef15a607568640710f817f1e0aa7e6e7a1e8009
- SHA512
  
  a8d8ccbc978598287d9cd51cee1556710b44203c18df26e1f459111f31723643cdc4115fd21efbe5bf583bcca8b9af85d7d8cf47c73fc6f085cd5a813697e329
- SSDEEP
  
  6144:9KIV7Fi1oUOMK+6rIqOkgRL2j6lQizFK/p03IA2mChvQ88U/xug:gUi1oX+OIugRL46lQizI03IA2mctrb
Score

10^/10

evasion persistence njrat trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

evasionpersistence

behavioral2

njratevasionpersistencetrojan