Extracted

• • Target

    Payload.exe

  • Size

    83KB

  • MD5

    534f369ccf6412aedd991e525a1e72ff

  • SHA1

    7ac06b4a71634ea87c47aa4d95debaea98728d59

  • SHA256

    bd3ef02621b16846e829e9d7274553abfdeb189153a881c15b70f6e3b2f4ee8f

  • SHA512

    fab8374a454d0cfe7b48439fb84337216056124889d8f882007fec18555cf97c96bbcbedaf59c3b56f25198c5dc00c7d0427f8fe72875c57538c54fdec7eb281

  • SSDEEP

    1536:7eB1Gt0g5eEkG9WQcGDWX3xIEpmugSgytVlVqKu0UxYy0hAc:o1GtR1kG9WQnDWX3xIEpmsLRVqKnUxXB

  Score

  10^/10

  njratvictimcredential_accessdefense_evasiondiscoveryexecutionpersistencespywarestealertrojanupx

  • Njrat family

    njrat

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat

  • Stops running service(s)

    defense_evasionexecution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads data files stored by FTP clients

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer

  • Unsecured Credentials: Credentials In Files

    Steal credentials from unsecured files.

    credential_accessstealer

  • Uses the VBS compiler for execution

  • Adds Run key to start application

    persistence

  • Command and Scripting Interpreter: PowerShell

    Using powershell.exe command.

    execution

  • Suspicious use of SetThreadContext

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  behavioral1behavioral2