njrat | 5c1fde5711e603055eda9c5c45df3699a770bffc5498331db5f51963cedd0c5c | Triage

Sharing

General

Target

5c1fde5711e603055eda9c5c45df3699a770bffc5498331db5f51963cedd0c5c
Size

585KB
Sample

221125-vkn7eafa8s
MD5

593c49bcff04c91af78483c1d8d87cbd
SHA1

15499641c22650e742a2497b81de0fec8a6a5f84
SHA256

5c1fde5711e603055eda9c5c45df3699a770bffc5498331db5f51963cedd0c5c
SHA512

9523027b47ee703211fb69858fa9213087c01186586a94d10f678ef35929fc211eea1be8e0acd285e44d9c96b1ee950ea280ee1fc547a1c861ae32c5923fbdaf
SSDEEP

12288:YsTrR2sP7XY655ig1Gi9iDen9Fsl7ut0ZOwRdu+qMd0QZh9u:YsTrR5P7XY655ig1Gi9iDen9s7utuvvu

Score

10^/10

njrat evasion persistence trojan

Malware Config

Targets

- Target
  
  5c1fde5711e603055eda9c5c45df3699a770bffc5498331db5f51963cedd0c5c
- Size
  
  585KB
- MD5
  
  593c49bcff04c91af78483c1d8d87cbd
- SHA1
  
  15499641c22650e742a2497b81de0fec8a6a5f84
- SHA256
  
  5c1fde5711e603055eda9c5c45df3699a770bffc5498331db5f51963cedd0c5c
- SHA512
  
  9523027b47ee703211fb69858fa9213087c01186586a94d10f678ef35929fc211eea1be8e0acd285e44d9c96b1ee950ea280ee1fc547a1c861ae32c5923fbdaf
- SSDEEP
  
  12288:YsTrR2sP7XY655ig1Gi9iDen9Fsl7ut0ZOwRdu+qMd0QZh9u:YsTrR5P7XY655ig1Gi9iDen9s7utuvvu
Score

10^/10

evasion persistence njrat trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

evasionpersistence

behavioral2

njratevasionpersistencetrojan