njrat | 4012e6a5c71823bebc6e0992ff1415cf04ef4a5ddb93233dd6b867fc1a907c6f | Triage

Sharing

General

Target

RTP_Launcher.exe
Size

11.3MB
Sample

250208-q611wazlgr
MD5

27d9f65b4d7ea7f8dc76517c634be635
SHA1

4baa5a473b5780ba33e749e43ef7363464bf6968
SHA256

4012e6a5c71823bebc6e0992ff1415cf04ef4a5ddb93233dd6b867fc1a907c6f
SHA512

b90fd210c34da79d1d7d526b1e8178c1e7fb0e5a1550eacec3492bf5843073edaa0369f7a0c81ab0996c88a20c742e385bace606b404caa5c513cbf1af68f9cc
SSDEEP

196608:Zqwdlup6/j7AGXyaP+RtZoPlbxfxKLZtz4uIZoGSV1gJCUepeNxJvLW7snujIvgB:xup6lXeY5ol4uIZoG0dUQeN71ucvgB99

Score

10^/10

njrat defense_evasion discovery execution persistence pyinstaller trojan

Malware Config

Targets

- Target
  
  RTP_Launcher.exe
- Size
  
  11.3MB
- MD5
  
  27d9f65b4d7ea7f8dc76517c634be635
- SHA1
  
  4baa5a473b5780ba33e749e43ef7363464bf6968
- SHA256
  
  4012e6a5c71823bebc6e0992ff1415cf04ef4a5ddb93233dd6b867fc1a907c6f
- SHA512
  
  b90fd210c34da79d1d7d526b1e8178c1e7fb0e5a1550eacec3492bf5843073edaa0369f7a0c81ab0996c88a20c742e385bace606b404caa5c513cbf1af68f9cc
- SSDEEP
  
  196608:Zqwdlup6/j7AGXyaP+RtZoPlbxfxKLZtz4uIZoGSV1gJCUepeNxJvLW7snujIvgB:xup6lXeY5ol4uIZoG0dUQeN71ucvgB99
Score

10^/10

njrat defense_evasion discovery execution persistence pyinstaller trojan
- Njrat family
  njrat
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Downloads MZ/PE file
- Stops running service(s)
  defense_evasion execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

System Services

Service Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Scheduled Task/Job

Scheduled Task

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Impair Defenses

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

Tasks

static1

behavioral1

njratdefense_evasiondiscoveryexecutionpersistencepyinstallertrojan