njrat | e02e5802bacccd459b9891b49146b4c24703da9397d49a16ada35c329651252b | Triage

Sharing

General

Target

e02e5802bacccd459b9891b49146b4c24703da9397d49a16ada35c329651252bN.exe
Size

9.2MB
Sample

241123-p3rgla1nhp
MD5

b6abda2d4b24cef28f9c2b62731fcfd0
SHA1

fdf3ae0bec83c2ec7d4e2883fc770e553b782a3d
SHA256

e02e5802bacccd459b9891b49146b4c24703da9397d49a16ada35c329651252b
SHA512

7e0f0835f7ce0d5fddfcd785ece05aff91f87fd6b95fce1b73c3464102af644a8e500338f5f1e75c648ee2b666089ab19350932a990f3cb9b2009bbcbfd721c2
SSDEEP

196608:z6/u1LqqyReuuQt8k9BAXbdV9qWLk/YrNcONQl4Ik+B8I4GA81G+LNaK:z6/58EBOXQ/YrN+l4IY5G19a

Score

10^/10

njrat defense_evasion discovery evasion persistence privilege_escalation pyinstaller themida trojan

Malware Config

Targets

- Target
  
  e02e5802bacccd459b9891b49146b4c24703da9397d49a16ada35c329651252bN.exe
- Size
  
  9.2MB
- MD5
  
  b6abda2d4b24cef28f9c2b62731fcfd0
- SHA1
  
  fdf3ae0bec83c2ec7d4e2883fc770e553b782a3d
- SHA256
  
  e02e5802bacccd459b9891b49146b4c24703da9397d49a16ada35c329651252b
- SHA512
  
  7e0f0835f7ce0d5fddfcd785ece05aff91f87fd6b95fce1b73c3464102af644a8e500338f5f1e75c648ee2b666089ab19350932a990f3cb9b2009bbcbfd721c2
- SSDEEP
  
  196608:z6/u1LqqyReuuQt8k9BAXbdV9qWLk/YrNcONQl4Ik+B8I4GA81G+LNaK:z6/58EBOXQ/YrN+l4IY5G19a
Score

10^/10

njrat defense_evasion discovery evasion persistence privilege_escalation themida trojan
- Njrat family
  njrat
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Modifies Windows Firewall
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Executes dropped EXE
- Loads dropped DLL
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Hide Artifacts: Hidden Files and Directories
  defense_evasion
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

themidapyinstallernjrat

behavioral1

njratdefense_evasiondiscoveryevasionpersistenceprivilege_escalationthemidatrojan

behavioral2

njratdefense_evasiondiscoveryevasionpersistenceprivilege_escalationthemidatrojan