Extracted

• • Target

    ce681c13d13cdb9a2e2e5ee042522d32c473033cc80636ef75a74da982c8d275

  • Size

    566KB

  • MD5

    2be09f962ffbee8d412fc375478a0ebd

  • SHA1

    2757c6eb883b692cbc2611d1d02be3ccc2e5e1e7

  • SHA256

    ce681c13d13cdb9a2e2e5ee042522d32c473033cc80636ef75a74da982c8d275

  • SHA512

    1bc701bf3738828290e4b8ea10422585ea649b2f1f1c4df723e37243e1053154db50f24f016142ecb06bab9524fde29eed7e769a67e2c3819b011a06bf0cee1f

  • SSDEEP

    12288:rBk0HioBu3yCeOr0rS6KsXr7ieWCUjyB0aI78IV:rBREyCTr0rFf7aCZB0

  Score

  10^/10

  njrathackeddefense_evasionpersistenceprivilege_escalationtrojandiscoveryexecution

  • Njrat family

    njrat

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Downloads MZ/PE file

  • Modifies Windows Firewall

    defense_evasion

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Adds Run key to start application

    persistence

  • Hide Artifacts: Hidden Window

    Windows that would typically be displayed when an application carries out an operation can be hidden.

    defense_evasion
  behavioral1behavioral2