njrat | 49a18048871592cf80308cd440394bb0b8c7f0edf005b14b24160d579236773f | Triage

Sharing

General

Target

49a18048871592cf80308cd440394bb0b8c7f0edf005b14b24160d579236773f
Size

282KB
Sample

221125-pg7axsbb6s
MD5

033d49d505d4acf1eabdd90d1d12b596
SHA1

d626e26ebe19098e0ffe73a3be6449229c9d3cd3
SHA256

49a18048871592cf80308cd440394bb0b8c7f0edf005b14b24160d579236773f
SHA512

d42a1282c3eea5402fcb1c1ae26cbed194b7c1775faf56c9fec92b61c25ab627438eb007fdffd25ac2dedded251c6ad323f8a153b74a2a9f10cf5a1811faf4b0
SSDEEP

6144:1IMYsG0EB52fG/LvDynga3Hm3271Cn0ZH3PWv+uwVYVt/GwK+GzYmtnDURdrwSkH:zEP2fG/LvDyngkDUnrgpyxr2vD3

Score

10^/10

njrat evasion persistence trojan

Malware Config

Targets

- Target
  
  49a18048871592cf80308cd440394bb0b8c7f0edf005b14b24160d579236773f
- Size
  
  282KB
- MD5
  
  033d49d505d4acf1eabdd90d1d12b596
- SHA1
  
  d626e26ebe19098e0ffe73a3be6449229c9d3cd3
- SHA256
  
  49a18048871592cf80308cd440394bb0b8c7f0edf005b14b24160d579236773f
- SHA512
  
  d42a1282c3eea5402fcb1c1ae26cbed194b7c1775faf56c9fec92b61c25ab627438eb007fdffd25ac2dedded251c6ad323f8a153b74a2a9f10cf5a1811faf4b0
- SSDEEP
  
  6144:1IMYsG0EB52fG/LvDynga3Hm3271Cn0ZH3PWv+uwVYVt/GwK+GzYmtnDURdrwSkH:zEP2fG/LvDyngkDUnrgpyxr2vD3
Score

10^/10

evasion persistence njrat trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

evasionpersistence

behavioral2

njratevasionpersistencetrojan