njrat | 0588d573745c53a3f229f8c18d1b8e9bf9b60a29d544ddee60dfa7c17c1f99ac | Triage

Sharing

General

Target

0588d573745c53a3f229f8c18d1b8e9bf9b60a29d544ddee60dfa7c17c1f99ac
Size

161KB
Sample

221128-w2awsabd4y
MD5

8dd53eed5a89571eb75c027283f9edd4
SHA1

0252a5f1e7ed0294fd621e78a460e1750255d460
SHA256

0588d573745c53a3f229f8c18d1b8e9bf9b60a29d544ddee60dfa7c17c1f99ac
SHA512

93da6cd3c09a7ee1bcbfad9fa0e5942a9aa7872f9681af5543ab71d04d8921bfc713b469a5ff4e9a907fa2d5efafd03307e4a2ed0086a943514ee4706e5dca81
SSDEEP

3072:5f8z/u1EHxxXjqPQWztSNUX7rn61wcjC1xucpLDFIB5U0n1bfB1DceJgmg:h82iWzE8vn61Zcbpfk1bJ5ceJb

Score

10^/10

njrat evasion persistence trojan

Malware Config

Targets

- Target
  
  0588d573745c53a3f229f8c18d1b8e9bf9b60a29d544ddee60dfa7c17c1f99ac
- Size
  
  161KB
- MD5
  
  8dd53eed5a89571eb75c027283f9edd4
- SHA1
  
  0252a5f1e7ed0294fd621e78a460e1750255d460
- SHA256
  
  0588d573745c53a3f229f8c18d1b8e9bf9b60a29d544ddee60dfa7c17c1f99ac
- SHA512
  
  93da6cd3c09a7ee1bcbfad9fa0e5942a9aa7872f9681af5543ab71d04d8921bfc713b469a5ff4e9a907fa2d5efafd03307e4a2ed0086a943514ee4706e5dca81
- SSDEEP
  
  3072:5f8z/u1EHxxXjqPQWztSNUX7rn61wcjC1xucpLDFIB5U0n1bfB1DceJgmg:h82iWzE8vn61Zcbpfk1bJ5ceJb
Score

10^/10

evasion persistence njrat trojan
- Modifies WinLogon for persistence
  persistence
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

Modify Existing Service

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

evasionpersistence

behavioral2

njratevasionpersistencetrojan