njrat | 4bc7cb14d05b166d64ea645bf8b376e375cd91e9816cf4e14dd24dfe74ad972a | Triage

Sharing

General

Target

4bc7cb14d05b166d64ea645bf8b376e375cd91e9816cf4e14dd24dfe74ad972a
Size

1.8MB
Sample

221127-tlavqsae96
MD5

9936b39d4d84bd70a79d8cf2bc03fa32
SHA1

ed6b8dd72fdbca4e5528573bbdb25af8b9493d8f
SHA256

4bc7cb14d05b166d64ea645bf8b376e375cd91e9816cf4e14dd24dfe74ad972a
SHA512

00b6ffedac3b9e9146699e7a0b656bd1a59925aea929c5dd3e64cece2e80f621a63acd58ed19ead7784719a8b1c2510dfa8080fb172de4f3a924583f0d5967d3
SSDEEP

49152:AZzO43KtaISugRed1bVkanj8dV1LRwH6DaQtdvSkPkN:ptaDi8V9Rw6X6kPk

Score

10^/10

njrat evasion persistence trojan

Malware Config

Targets

- Target
  
  4bc7cb14d05b166d64ea645bf8b376e375cd91e9816cf4e14dd24dfe74ad972a
- Size
  
  1.8MB
- MD5
  
  9936b39d4d84bd70a79d8cf2bc03fa32
- SHA1
  
  ed6b8dd72fdbca4e5528573bbdb25af8b9493d8f
- SHA256
  
  4bc7cb14d05b166d64ea645bf8b376e375cd91e9816cf4e14dd24dfe74ad972a
- SHA512
  
  00b6ffedac3b9e9146699e7a0b656bd1a59925aea929c5dd3e64cece2e80f621a63acd58ed19ead7784719a8b1c2510dfa8080fb172de4f3a924583f0d5967d3
- SSDEEP
  
  49152:AZzO43KtaISugRed1bVkanj8dV1LRwH6DaQtdvSkPkN:ptaDi8V9Rw6X6kPk
Score

10^/10

evasion persistence njrat trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

evasionpersistence

behavioral2

njratevasionpersistencetrojan