njrat | c9283211fda1d75ffbc2b2435d44756fd948187af7e4f9631f322f61806c1cf0 | Triage

Sharing

General

Target

c9283211fda1d75ffbc2b2435d44756fd948187af7e4f9631f322f61806c1cf0
Size

28KB
Sample

221127-vlnl9sde48
MD5

e23f969078fdbc313ee426fca17ec4ab
SHA1

8e711355a8629889ce1fdac8455f088d84b5b875
SHA256

c9283211fda1d75ffbc2b2435d44756fd948187af7e4f9631f322f61806c1cf0
SHA512

49ef0db273df01245e1086136a1abc58522421d9b1f11e0826620265002dc17d852aac07029adef622cfbc3d2f7db4ada4af66b3994279d9eda5dc109a5bf9f1
SSDEEP

384:dOI2NgReSTHN+AYeLtlrJzlvE1MBplqskX7NALANs0LE22cJGMbiGvxw2IEMJSuW:ZhHNXYgTvQMvUsQCx0LHJHbF

Score

10^/10

njrat evasion persistence trojan

Malware Config

Targets

- Target
  
  c9283211fda1d75ffbc2b2435d44756fd948187af7e4f9631f322f61806c1cf0
- Size
  
  28KB
- MD5
  
  e23f969078fdbc313ee426fca17ec4ab
- SHA1
  
  8e711355a8629889ce1fdac8455f088d84b5b875
- SHA256
  
  c9283211fda1d75ffbc2b2435d44756fd948187af7e4f9631f322f61806c1cf0
- SHA512
  
  49ef0db273df01245e1086136a1abc58522421d9b1f11e0826620265002dc17d852aac07029adef622cfbc3d2f7db4ada4af66b3994279d9eda5dc109a5bf9f1
- SSDEEP
  
  384:dOI2NgReSTHN+AYeLtlrJzlvE1MBplqskX7NALANs0LE22cJGMbiGvxw2IEMJSuW:ZhHNXYgTvQMvUsQCx0LHJHbF
Score

10^/10

njrat evasion persistence trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njratevasionpersistencetrojan

behavioral2

njratevasionpersistencetrojan