njrat | c07598299d2d73883f23a3585740bca427eb733579c4a0fe2280593d116896f1

General

Target

c07598299d2d73883f23a3585740bca427eb733579c4a0fe2280593d116896f1
Size

271B
Sample

240502-qt931sca88
MD5

b9acaac18eee9b5cde0c6defbe2c1caa
SHA1

6f8cb34d61f9136e96345684846edf49dfa976bc
SHA256

c07598299d2d73883f23a3585740bca427eb733579c4a0fe2280593d116896f1
SHA512

70c8b3742c98e1daf2c7fda40c992621c2250a9dac648c4798370697f5688e1883162079909dd245a33fc064a843a94f84c7399b99bae9b6418a47b3c5e75e12

Score

10^/10

njrat h execution trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://firebasestorage.googleapis.com/v0/b/prog-622b7.appspot.com/o/SidM.jpg?alt=media&token=53ed6ff5-09e0-4464-a19c-f0e9d9c6cec8

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://firebasestorage.googleapis.com/v0/b/prog-622b7.appspot.com/o/Ssid.jpg?alt=media&token=10629c63-3c23-437a-9543-4f9dcee695bb

ps1.dropper

https://firebasestorage.googleapis.com/v0/b/prog-622b7.appspot.com/o/Rnew.jpg?alt=media&token=d68ad7e3-80ed-4083-ad53-8af401c5b503

Extracted

Family

njrat

Version

0.7d

Botnet

H

Attributes

splitter
|'|'|

Targets

- Target
  
  c07598299d2d73883f23a3585740bca427eb733579c4a0fe2280593d116896f1
- Size
  
  271B
- MD5
  
  b9acaac18eee9b5cde0c6defbe2c1caa
- SHA1
  
  6f8cb34d61f9136e96345684846edf49dfa976bc
- SHA256
  
  c07598299d2d73883f23a3585740bca427eb733579c4a0fe2280593d116896f1
- SHA512
  
  70c8b3742c98e1daf2c7fda40c992621c2250a9dac648c4798370697f5688e1883162079909dd245a33fc064a843a94f84c7399b99bae9b6418a47b3c5e75e12
Score

10^/10

njrat h execution trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Targets

njRAT/Bladabindi

Blocklisted process makes network request

Checks computer location settings

Drops startup file

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Tasks

static1

behavioral1

behavioral2