njrat | 6d5be80d083506c5e745dc043efc9f900c2a6bb22faa3ab64ca66e0f17e04b80 | Triage

Sharing

General

Target

6d5be80d083506c5e745dc043efc9f900c2a6bb22faa3ab64ca66e0f17e04b80
Size

566KB
Sample

221125-rvmjsadh48
MD5

7cd871c5dae7dfee205ac811f0d461d7
SHA1

9d564accbfefafeda236574750a4dcb481e187fa
SHA256

6d5be80d083506c5e745dc043efc9f900c2a6bb22faa3ab64ca66e0f17e04b80
SHA512

f3834257535c252aac281ff8633c30dd599d1718ff85b1019e4eeabf59634680f75bd077af9f5c4092c1a70e5c5ffc9bc2d9762798212f4ac385bf62327218e4
SSDEEP

6144:12Or9Pk3/JxlpKI0ByUPiV8+AsGHDY+5l+anN40ty2or87P9U3ERvYb:5JEJP0TB76uJDf5lTnqe7q3sY

Score

10^/10

njrat evasion persistence trojan

Malware Config

Targets

- Target
  
  6d5be80d083506c5e745dc043efc9f900c2a6bb22faa3ab64ca66e0f17e04b80
- Size
  
  566KB
- MD5
  
  7cd871c5dae7dfee205ac811f0d461d7
- SHA1
  
  9d564accbfefafeda236574750a4dcb481e187fa
- SHA256
  
  6d5be80d083506c5e745dc043efc9f900c2a6bb22faa3ab64ca66e0f17e04b80
- SHA512
  
  f3834257535c252aac281ff8633c30dd599d1718ff85b1019e4eeabf59634680f75bd077af9f5c4092c1a70e5c5ffc9bc2d9762798212f4ac385bf62327218e4
- SSDEEP
  
  6144:12Or9Pk3/JxlpKI0ByUPiV8+AsGHDY+5l+anN40ty2or87P9U3ERvYb:5JEJP0TB76uJDf5lTnqe7q3sY
Score

10^/10

evasion persistence njrat trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

evasionpersistence

behavioral2

njratevasionpersistencetrojan