njrat | ee8671c0d32759c62ef7aa0b4025fcebdf5409619dd280b9e4db59f01d9a4e30

General

Target

c39d3e6cc6336562fed7fe6f1d4f05a1.exe
Size

221KB
MD5

c39d3e6cc6336562fed7fe6f1d4f05a1
SHA1

bce78fe671213b28f7ef11d992decac9bb8f9037
SHA256

ee8671c0d32759c62ef7aa0b4025fcebdf5409619dd280b9e4db59f01d9a4e30
SHA512

3cd0be68ec7b699a5addb197e7423e6318f65658aedcd90fefe445fcaa6c8fd4a2b6532c60c81a78d958fd73500d57c1ded1f43795c4d7f0c0077d837a81bf39

Score

10^/10

njrat hackked evasion trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HackKed

C2

173.225.115.68:5353

Mutex

f2f557f71c86cd14f7ea630d1c319240

Attributes

reg_key
f2f557f71c86cd14f7ea630d1c319240
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 1 IoCs

Processes:

microsoft.exe

pid process

820 microsoft.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Loads dropped DLL 1 IoCs

Processes:

c39d3e6cc6336562fed7fe6f1d4f05a1.exe

pid process

736 c39d3e6cc6336562fed7fe6f1d4f05a1.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
820	microsoft.exe

pid	process
736	c39d3e6cc6336562fed7fe6f1d4f05a1.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

Processes:

microsoft.exe

description	pid	process
Token: SeDebugPrivilege	820	microsoft.exe
Token: 33	820	microsoft.exe
Token: SeIncBasePriorityPrivilege	820	microsoft.exe
Token: 33	820	microsoft.exe
Token: SeIncBasePriorityPrivilege	820	microsoft.exe
Token: 33	820	microsoft.exe
Token: SeIncBasePriorityPrivilege	820	microsoft.exe
Token: 33	820	microsoft.exe
Token: SeIncBasePriorityPrivilege	820	microsoft.exe
Token: 33	820	microsoft.exe
Token: SeIncBasePriorityPrivilege	820	microsoft.exe
Token: 33	820	microsoft.exe
Token: SeIncBasePriorityPrivilege	820	microsoft.exe
Token: 33	820	microsoft.exe
Token: SeIncBasePriorityPrivilege	820	microsoft.exe
Token: 33	820	microsoft.exe
Token: SeIncBasePriorityPrivilege	820	microsoft.exe
Token: 33	820	microsoft.exe
Token: SeIncBasePriorityPrivilege	820	microsoft.exe
Token: 33	820	microsoft.exe
Token: SeIncBasePriorityPrivilege	820	microsoft.exe
Token: 33	820	microsoft.exe
Token: SeIncBasePriorityPrivilege	820	microsoft.exe
Token: 33	820	microsoft.exe
Token: SeIncBasePriorityPrivilege	820	microsoft.exe
Token: 33	820	microsoft.exe
Token: SeIncBasePriorityPrivilege	820	microsoft.exe
Token: 33	820	microsoft.exe
Token: SeIncBasePriorityPrivilege	820	microsoft.exe
Token: 33	820	microsoft.exe
Token: SeIncBasePriorityPrivilege	820	microsoft.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

c39d3e6cc6336562fed7fe6f1d4f05a1.exemicrosoft.exe

description	pid	process	target process
PID 736 wrote to memory of 820	736	c39d3e6cc6336562fed7fe6f1d4f05a1.exe	microsoft.exe
PID 736 wrote to memory of 820	736	c39d3e6cc6336562fed7fe6f1d4f05a1.exe	microsoft.exe
PID 736 wrote to memory of 820	736	c39d3e6cc6336562fed7fe6f1d4f05a1.exe	microsoft.exe
PID 736 wrote to memory of 820	736	c39d3e6cc6336562fed7fe6f1d4f05a1.exe	microsoft.exe
PID 820 wrote to memory of 1196	820	microsoft.exe	netsh.exe
PID 820 wrote to memory of 1196	820	microsoft.exe	netsh.exe
PID 820 wrote to memory of 1196	820	microsoft.exe	netsh.exe
PID 820 wrote to memory of 1196	820	microsoft.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\c39d3e6cc6336562fed7fe6f1d4f05a1.exe
"C:\Users\Admin\AppData\Local\Temp\c39d3e6cc6336562fed7fe6f1d4f05a1.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:736

C:\Users\Admin\AppData\Local\Temp\microsoft.exe
"C:\Users\Admin\AppData\Local\Temp\microsoft.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:820

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\microsoft.exe" "microsoft.exe" ENABLE
3⤵
PID:1196

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\microsoft.exe
MD5
c39d3e6cc6336562fed7fe6f1d4f05a1

SHA1
bce78fe671213b28f7ef11d992decac9bb8f9037

SHA256
ee8671c0d32759c62ef7aa0b4025fcebdf5409619dd280b9e4db59f01d9a4e30

SHA512
3cd0be68ec7b699a5addb197e7423e6318f65658aedcd90fefe445fcaa6c8fd4a2b6532c60c81a78d958fd73500d57c1ded1f43795c4d7f0c0077d837a81bf39

Download Submit
C:\Users\Admin\AppData\Local\Temp\microsoft.exe
MD5
c39d3e6cc6336562fed7fe6f1d4f05a1

SHA1
bce78fe671213b28f7ef11d992decac9bb8f9037

SHA256
ee8671c0d32759c62ef7aa0b4025fcebdf5409619dd280b9e4db59f01d9a4e30

SHA512
3cd0be68ec7b699a5addb197e7423e6318f65658aedcd90fefe445fcaa6c8fd4a2b6532c60c81a78d958fd73500d57c1ded1f43795c4d7f0c0077d837a81bf39

Download Submit
\Users\Admin\AppData\Local\Temp\microsoft.exe
MD5
c39d3e6cc6336562fed7fe6f1d4f05a1

SHA1
bce78fe671213b28f7ef11d992decac9bb8f9037

SHA256
ee8671c0d32759c62ef7aa0b4025fcebdf5409619dd280b9e4db59f01d9a4e30

SHA512
3cd0be68ec7b699a5addb197e7423e6318f65658aedcd90fefe445fcaa6c8fd4a2b6532c60c81a78d958fd73500d57c1ded1f43795c4d7f0c0077d837a81bf39

Download Submit
memory/820-3-0x0000000000000000-mapping.dmp

Download
memory/1196-6-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing