General

  • Target

    MasonTestingClient.exe

  • Size

    43KB

  • Sample

    241229-2lpb5ayqfn

  • MD5

    ae384612f305b59915b0f2e7655d4fd5

  • SHA1

    d1601fb78141d5e47ce4d07a8aba7425a7976a98

  • SHA256

    af740cd97a38f0c8caa0de014c1a164f9615395f568595cfda8f8b31a4eb152e

  • SHA512

    7a6b039ebc426963edb0065d0d67d9014ce5cc1745b4aa5183f2e8b3cc468b9a01595e69bed00fed364a3113f8a660cee7677514ca9775e13dbf195fac121066

  • SSDEEP

    768:E15gfT7Ts1CEZzSQ5PZIbJ0lzVWSj6PqrONh8uQfEi:E154Ts19ZzSQDIbJczV5j6yrONJ/i

Malware Config

Extracted

Family

njrat

Version

QUJPTEhC

Botnet

ByABOLHB

C2

abolhb.com:505

Mutex

66f73d9b4e94d115b763eaa1ada7d1f1

Attributes

  • reg_key

    66f73d9b4e94d115b763eaa1ada7d1f1

  • splitter

    |'|'|

Targets

    • Njrat family

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Drops startup file

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks