njrat | 3b8aabaa56450c6ce788b83b09a1118317712ddecd3a49efceaad043f1ee5795 | Triage

Submit
Reports

Overview

overview

Static

static

3

Setup.exe

windows10-1703-x64

Setup.exe

windows7-x64

Setup.exe

windows10-2004-x64

Sharing

Copy URL Twitter E-mail

General

Target

Setup.exe
Size

224KB
Sample

230921-k1hpfsha35
MD5

f79f52b0bfe45c9639a0228a30e1f7ad
SHA1

f4566cf5db3ee3fd8d61413b4366e0f01531c1b3
SHA256

3b8aabaa56450c6ce788b83b09a1118317712ddecd3a49efceaad043f1ee5795
SHA512

4f0ec0541e56c7f07fa2fd90e5bf6b7c53f29f8c959eeff0aef2e7eb84a168b52eefed54d6656dbcefa7c8f50a7058d1f58567dacdf0d07271072562605983f0
SSDEEP

3072:yKsgyqI/cLLjGK0w7BSvwS24YGnFYYLd12rABAQnW49AMADn/Yh:V5Gw7EvwkXnFYC2r4dW49

Score

10^/10

njrat evasion persistence spyware stealer trojan upx

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

Setup.exe

Resource

win10-20230915-en

njrat evasion persistence spyware stealer trojan upx

windows10-1703-x64

16 signatures

1800 seconds

Behavioral task

behavioral2

Sample

Setup.exe

Resource

win7-20230831-en

njrat evasion persistence spyware stealer trojan upx

windows7-x64

16 signatures

1800 seconds

Behavioral task

behavioral3

Sample

Setup.exe

Resource

win10v2004-20230915-en

njrat evasion persistence spyware stealer trojan upx

windows10-2004-x64

17 signatures

1800 seconds

Malware Config

Targets

- Target
  
  Setup.exe
- Size
  
  224KB
- MD5
  
  f79f52b0bfe45c9639a0228a30e1f7ad
- SHA1
  
  f4566cf5db3ee3fd8d61413b4366e0f01531c1b3
- SHA256
  
  3b8aabaa56450c6ce788b83b09a1118317712ddecd3a49efceaad043f1ee5795
- SHA512
  
  4f0ec0541e56c7f07fa2fd90e5bf6b7c53f29f8c959eeff0aef2e7eb84a168b52eefed54d6656dbcefa7c8f50a7058d1f58567dacdf0d07271072562605983f0
- SSDEEP
  
  3072:yKsgyqI/cLLjGK0w7BSvwS24YGnFYYLd12rABAQnW49AMADn/Yh:V5Gw7EvwkXnFYC2r4dW49
Score

10^/10

njrat evasion persistence spyware stealer trojan upx
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1 behavioral2 behavioral3

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Defense Evasion

Modify Registry

Scripting

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

Remote System Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

njratevasionpersistencespywarestealertrojanupx

behavioral2

njratevasionpersistencespywarestealertrojanupx

behavioral3

njratevasionpersistencespywarestealertrojanupx

© 2018-2025

Terms | Privacy