njrat | 3a0fdb8949f5f5783a0ef3009e71039fc74a0da5e691712cee4239ae9ce9f2ff | Triage

Sharing

General

Target

3a0fdb8949f5f5783a0ef3009e71039fc74a0da5e691712cee4239ae9ce9f2ff
Size

181KB
Sample

221125-sf5x9afc53
MD5

cee647a4ac53946dedff90ba3c406674
SHA1

53ce72e3726de9c0eb4e6e6f7c569ac210c789e4
SHA256

3a0fdb8949f5f5783a0ef3009e71039fc74a0da5e691712cee4239ae9ce9f2ff
SHA512

9c728f58876ada1ce505f7780f71770d6b467222bf28b3a316c4053e50413f77d2aa78b59b5642a80acf1caeaba98133b30354e07b2ab2262488c1a962b0de73
SSDEEP

3072:y7lUBMjrEoqCZbI3//Be/elqW3jcrrI0m0JGLUPiV8+/PgsGHDY+TM0DSKk:C2Or9Pk3/JxlpKI0ByUPiV8+AsGHDY+L

Score

10^/10

njrat evasion persistence trojan

Malware Config

Targets

- Target
  
  3a0fdb8949f5f5783a0ef3009e71039fc74a0da5e691712cee4239ae9ce9f2ff
- Size
  
  181KB
- MD5
  
  cee647a4ac53946dedff90ba3c406674
- SHA1
  
  53ce72e3726de9c0eb4e6e6f7c569ac210c789e4
- SHA256
  
  3a0fdb8949f5f5783a0ef3009e71039fc74a0da5e691712cee4239ae9ce9f2ff
- SHA512
  
  9c728f58876ada1ce505f7780f71770d6b467222bf28b3a316c4053e50413f77d2aa78b59b5642a80acf1caeaba98133b30354e07b2ab2262488c1a962b0de73
- SSDEEP
  
  3072:y7lUBMjrEoqCZbI3//Be/elqW3jcrrI0m0JGLUPiV8+/PgsGHDY+TM0DSKk:C2Or9Pk3/JxlpKI0ByUPiV8+AsGHDY+L
Score

10^/10

evasion persistence njrat trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

evasionpersistence

behavioral2

njratevasionpersistencetrojan