njrat | 0c8e9450e4da34f82d2c7dc00dc2969fd1557fd074ba1ba5e743cfeebd010634

General

Target

20f6117d283429b37fe69bac1c359ae2.exe
Size

483KB
MD5

20f6117d283429b37fe69bac1c359ae2
SHA1

b7da29f00ccbc21afcdee37e555881bbeafc8dd3
SHA256

0c8e9450e4da34f82d2c7dc00dc2969fd1557fd074ba1ba5e743cfeebd010634
SHA512

f989093dcc5c5bad8bd4d6224d5153170f1f3be5f563c79ef0bdf4684abc4174a2d4c47b6f81eceb931cbb1077a35f0948a45bd09605430778e0f05c7b9d2db6

Score

10^/10

njrat victima evasion trojan upx

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

Victima

C2

ctaenl.hopto.org:5552

Mutex

a051d95b93b260b31c1eaef96aa2d0fa

Attributes

reg_key
a051d95b93b260b31c1eaef96aa2d0fa
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 1 IoCs

Processes:

o8bm4.exe

pid process

1168 o8bm4.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

pid	process
1168	o8bm4.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1692-11-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/1692-13-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/1692-14-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/1692-15-0x0000000000400000-0x0000000000424000-memory.dmp	upx

Loads dropped DLL 2 IoCs

Processes:

WScript.exe

pid process

1816 WScript.exe
1816 WScript.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of SetThreadContext 2 IoCs

Processes:

o8bm4.exevbc.exe

description pid process target process

PID 1168 set thread context of 1692 1168 o8bm4.exe vbc.exe
PID 1692 set thread context of 1468 1692 vbc.exe RegAsm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1328 PING.EXE

pid	process
1816	WScript.exe
1816	WScript.exe

description	pid	process	target process
PID 1168 set thread context of 1692	1168	o8bm4.exe	vbc.exe
PID 1692 set thread context of 1468	1692	vbc.exe	RegAsm.exe

pid	process
1328	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

vbc.exe

pid	process
1692	vbc.exe
1692	vbc.exe
1692	vbc.exe
1692	vbc.exe
1692	vbc.exe
1692	vbc.exe
1692	vbc.exe
1692	vbc.exe
1692	vbc.exe
1692	vbc.exe
1692	vbc.exe
1692	vbc.exe
1692	vbc.exe
1692	vbc.exe
1692	vbc.exe
1692	vbc.exe
1692	vbc.exe
1692	vbc.exe
1692	vbc.exe
1692	vbc.exe
1692	vbc.exe
1692	vbc.exe
1692	vbc.exe
1692	vbc.exe
1692	vbc.exe
1692	vbc.exe
1692	vbc.exe
1692	vbc.exe
1692	vbc.exe
1692	vbc.exe
1692	vbc.exe
1692	vbc.exe
1692	vbc.exe
1692	vbc.exe
1692	vbc.exe
1692	vbc.exe
1692	vbc.exe
1692	vbc.exe
1692	vbc.exe
1692	vbc.exe
1692	vbc.exe
1692	vbc.exe
1692	vbc.exe
1692	vbc.exe
1692	vbc.exe
1692	vbc.exe
1692	vbc.exe
1692	vbc.exe
1692	vbc.exe
1692	vbc.exe
1692	vbc.exe
1692	vbc.exe
1692	vbc.exe
1692	vbc.exe
1692	vbc.exe
1692	vbc.exe
1692	vbc.exe
1692	vbc.exe
1692	vbc.exe
1692	vbc.exe
1692	vbc.exe
1692	vbc.exe
1692	vbc.exe
1692	vbc.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

Processes:

RegAsm.exe

description	pid	process
Token: SeDebugPrivilege	1468	RegAsm.exe
Token: 33	1468	RegAsm.exe
Token: SeIncBasePriorityPrivilege	1468	RegAsm.exe
Token: 33	1468	RegAsm.exe
Token: SeIncBasePriorityPrivilege	1468	RegAsm.exe
Token: 33	1468	RegAsm.exe
Token: SeIncBasePriorityPrivilege	1468	RegAsm.exe
Token: 33	1468	RegAsm.exe
Token: SeIncBasePriorityPrivilege	1468	RegAsm.exe
Token: 33	1468	RegAsm.exe
Token: SeIncBasePriorityPrivilege	1468	RegAsm.exe
Token: 33	1468	RegAsm.exe
Token: SeIncBasePriorityPrivilege	1468	RegAsm.exe
Token: 33	1468	RegAsm.exe
Token: SeIncBasePriorityPrivilege	1468	RegAsm.exe
Token: 33	1468	RegAsm.exe
Token: SeIncBasePriorityPrivilege	1468	RegAsm.exe
Token: 33	1468	RegAsm.exe
Token: SeIncBasePriorityPrivilege	1468	RegAsm.exe
Token: 33	1468	RegAsm.exe
Token: SeIncBasePriorityPrivilege	1468	RegAsm.exe
Token: 33	1468	RegAsm.exe
Token: SeIncBasePriorityPrivilege	1468	RegAsm.exe
Token: 33	1468	RegAsm.exe
Token: SeIncBasePriorityPrivilege	1468	RegAsm.exe
Token: 33	1468	RegAsm.exe
Token: SeIncBasePriorityPrivilege	1468	RegAsm.exe
Token: 33	1468	RegAsm.exe
Token: SeIncBasePriorityPrivilege	1468	RegAsm.exe
Token: 33	1468	RegAsm.exe
Token: SeIncBasePriorityPrivilege	1468	RegAsm.exe

Suspicious use of WriteProcessMemory 55 IoCs

Processes:

20f6117d283429b37fe69bac1c359ae2.exeWScript.exeo8bm4.exevbc.execmd.exeRegAsm.exe

description	pid	process	target process
PID 868 wrote to memory of 1816	868	20f6117d283429b37fe69bac1c359ae2.exe	WScript.exe
PID 868 wrote to memory of 1816	868	20f6117d283429b37fe69bac1c359ae2.exe	WScript.exe
PID 868 wrote to memory of 1816	868	20f6117d283429b37fe69bac1c359ae2.exe	WScript.exe
PID 868 wrote to memory of 1816	868	20f6117d283429b37fe69bac1c359ae2.exe	WScript.exe
PID 868 wrote to memory of 1816	868	20f6117d283429b37fe69bac1c359ae2.exe	WScript.exe
PID 868 wrote to memory of 1816	868	20f6117d283429b37fe69bac1c359ae2.exe	WScript.exe
PID 868 wrote to memory of 1816	868	20f6117d283429b37fe69bac1c359ae2.exe	WScript.exe
PID 1816 wrote to memory of 1168	1816	WScript.exe	o8bm4.exe
PID 1816 wrote to memory of 1168	1816	WScript.exe	o8bm4.exe
PID 1816 wrote to memory of 1168	1816	WScript.exe	o8bm4.exe
PID 1816 wrote to memory of 1168	1816	WScript.exe	o8bm4.exe
PID 1816 wrote to memory of 1168	1816	WScript.exe	o8bm4.exe
PID 1816 wrote to memory of 1168	1816	WScript.exe	o8bm4.exe
PID 1816 wrote to memory of 1168	1816	WScript.exe	o8bm4.exe
PID 1168 wrote to memory of 1692	1168	o8bm4.exe	vbc.exe
PID 1168 wrote to memory of 1692	1168	o8bm4.exe	vbc.exe
PID 1168 wrote to memory of 1692	1168	o8bm4.exe	vbc.exe
PID 1168 wrote to memory of 1692	1168	o8bm4.exe	vbc.exe
PID 1168 wrote to memory of 1692	1168	o8bm4.exe	vbc.exe
PID 1168 wrote to memory of 1692	1168	o8bm4.exe	vbc.exe
PID 1168 wrote to memory of 1692	1168	o8bm4.exe	vbc.exe
PID 1168 wrote to memory of 1692	1168	o8bm4.exe	vbc.exe
PID 1168 wrote to memory of 1692	1168	o8bm4.exe	vbc.exe
PID 1168 wrote to memory of 1692	1168	o8bm4.exe	vbc.exe
PID 1168 wrote to memory of 1692	1168	o8bm4.exe	vbc.exe
PID 1692 wrote to memory of 1144	1692	vbc.exe	cmd.exe
PID 1692 wrote to memory of 1144	1692	vbc.exe	cmd.exe
PID 1692 wrote to memory of 1144	1692	vbc.exe	cmd.exe
PID 1692 wrote to memory of 1144	1692	vbc.exe	cmd.exe
PID 1692 wrote to memory of 1144	1692	vbc.exe	cmd.exe
PID 1692 wrote to memory of 1144	1692	vbc.exe	cmd.exe
PID 1692 wrote to memory of 1144	1692	vbc.exe	cmd.exe
PID 1144 wrote to memory of 1328	1144	cmd.exe	PING.EXE
PID 1144 wrote to memory of 1328	1144	cmd.exe	PING.EXE
PID 1144 wrote to memory of 1328	1144	cmd.exe	PING.EXE
PID 1144 wrote to memory of 1328	1144	cmd.exe	PING.EXE
PID 1144 wrote to memory of 1328	1144	cmd.exe	PING.EXE
PID 1144 wrote to memory of 1328	1144	cmd.exe	PING.EXE
PID 1144 wrote to memory of 1328	1144	cmd.exe	PING.EXE
PID 1692 wrote to memory of 1468	1692	vbc.exe	RegAsm.exe
PID 1692 wrote to memory of 1468	1692	vbc.exe	RegAsm.exe
PID 1692 wrote to memory of 1468	1692	vbc.exe	RegAsm.exe
PID 1692 wrote to memory of 1468	1692	vbc.exe	RegAsm.exe
PID 1692 wrote to memory of 1468	1692	vbc.exe	RegAsm.exe
PID 1692 wrote to memory of 1468	1692	vbc.exe	RegAsm.exe
PID 1692 wrote to memory of 1468	1692	vbc.exe	RegAsm.exe
PID 1692 wrote to memory of 1468	1692	vbc.exe	RegAsm.exe
PID 1692 wrote to memory of 1468	1692	vbc.exe	RegAsm.exe
PID 1468 wrote to memory of 756	1468	RegAsm.exe	netsh.exe
PID 1468 wrote to memory of 756	1468	RegAsm.exe	netsh.exe
PID 1468 wrote to memory of 756	1468	RegAsm.exe	netsh.exe
PID 1468 wrote to memory of 756	1468	RegAsm.exe	netsh.exe
PID 1468 wrote to memory of 756	1468	RegAsm.exe	netsh.exe
PID 1468 wrote to memory of 756	1468	RegAsm.exe	netsh.exe
PID 1468 wrote to memory of 756	1468	RegAsm.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\20f6117d283429b37fe69bac1c359ae2.exe
"C:\Users\Admin\AppData\Local\Temp\20f6117d283429b37fe69bac1c359ae2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:868

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\w1p4v\yccov.vbs"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1816

C:\Users\Admin\AppData\Local\Temp\w1p4v\o8bm4.exe
"C:\Users\Admin\AppData\Local\Temp\w1p4v\o8bm4.exe" C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1168

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1692

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 && move C:\xNgHYmxNgHYm\xNgHYm.vbs "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xNgHYm.vbs"
5⤵
- Suspicious use of WriteProcessMemory
PID:1144

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
6⤵
- Runs ping.exe
PID:1328

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
5⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1468

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "RegAsm.exe" ENABLE
6⤵
PID:756

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\w1p4v\o8bm4.exe
MD5
0ed4bb653dccc67fa9a37422c5bb587f

SHA1
06c3aab82c709b5e4353fc8090bd9b565ea85498

SHA256
3cefd35a9cd76871ee2d5faf20926d503dc707150e08e73ed6d6c80f10be273b

SHA512
b70f0619ba0910a42293f1071092a4c43b690c08619a4c0f1f8fd7d31ec869c82775fc848f4ccb5f08ca8cc2140e110b6a75157201cf2cb9517b1126f42faf20

Download Submit
C:\Users\Admin\AppData\Local\Temp\w1p4v\o8bm4.exe
MD5
0ed4bb653dccc67fa9a37422c5bb587f

SHA1
06c3aab82c709b5e4353fc8090bd9b565ea85498

SHA256
3cefd35a9cd76871ee2d5faf20926d503dc707150e08e73ed6d6c80f10be273b

SHA512
b70f0619ba0910a42293f1071092a4c43b690c08619a4c0f1f8fd7d31ec869c82775fc848f4ccb5f08ca8cc2140e110b6a75157201cf2cb9517b1126f42faf20

Download Submit
C:\Users\Admin\AppData\Local\Temp\w1p4v\x
MD5
2ae6b6660839dc98ab178a4f8b4267aa

SHA1
f1fb13fd962bf7779f13d0c9d37c5d252cdc726f

SHA256
645babf81e154bb6f4582fa5bdf63187b2b77ee0d0e4058cf342907c37972534

SHA512
67e747ec0800fb8015aec8162d9ee06cba8a79f23b08b80cb44b037d4e885aad886c516e5dacec1ce6b9547e3ad6356003783e351c7210d47d66400bc3b12d51

Download Submit
C:\Users\Admin\AppData\Local\Temp\w1p4v\yccov.vbs
MD5
85d670b0e028eb13daa56193f4565b01

SHA1
bb6b7c6c2abd32658f85f511de9ec1f2de702f0f

SHA256
4e022fedf5bc6b7714c96b6c8e6247d7dd6a0313dec890f9a24e1962e57bf22c

SHA512
c7e1181b7d777e1ef7a0dc90ae05b2a2ab166459c7f1c3805291902ed8343c5fc70b6e8734753e4e65023d7065c995b25468f109612c8aab52d365ba19cd4701

Download Submit
C:\xNgHYmxNgHYm\xNgHYm.vbs
MD5
467cc35796c2abc2dfe8caf6a3b034e2

SHA1
85008cbf4ccbaac7a53dfa9a63a4b5c2badda34e

SHA256
13684703bf92bb87876e01e16a9001318cb168ca1c7c7a38718e39f7fb89c290

SHA512
b7ba5a0c0a83f02578d70b7b3e2c197f25145753ddd77f83a195ffdd3a5d9a12ce0c1543cdfd339c981512892f599477a68f268b3e9473e94520ec879ad97a09

Download Submit
\Users\Admin\AppData\Local\Temp\w1p4v\o8bm4.exe
MD5
0ed4bb653dccc67fa9a37422c5bb587f

SHA1
06c3aab82c709b5e4353fc8090bd9b565ea85498

SHA256
3cefd35a9cd76871ee2d5faf20926d503dc707150e08e73ed6d6c80f10be273b

SHA512
b70f0619ba0910a42293f1071092a4c43b690c08619a4c0f1f8fd7d31ec869c82775fc848f4ccb5f08ca8cc2140e110b6a75157201cf2cb9517b1126f42faf20

Download Submit
\Users\Admin\AppData\Local\Temp\w1p4v\o8bm4.exe
MD5
0ed4bb653dccc67fa9a37422c5bb587f

SHA1
06c3aab82c709b5e4353fc8090bd9b565ea85498

SHA256
3cefd35a9cd76871ee2d5faf20926d503dc707150e08e73ed6d6c80f10be273b

SHA512
b70f0619ba0910a42293f1071092a4c43b690c08619a4c0f1f8fd7d31ec869c82775fc848f4ccb5f08ca8cc2140e110b6a75157201cf2cb9517b1126f42faf20

Download Submit
memory/756-37-0x0000000000000000-mapping.dmp

Download
memory/1144-16-0x0000000000000000-mapping.dmp

Download
memory/1168-7-0x0000000000000000-mapping.dmp

Download
memory/1328-17-0x0000000000000000-mapping.dmp

Download
memory/1468-22-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1468-21-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1468-20-0x000000000040747E-mapping.dmp

Download
memory/1468-19-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1692-23-0x0000000002A10000-0x0000000002A21000-memory.dmp

Filesize
68KB

Download
memory/1692-15-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1692-14-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1692-13-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1692-12-0x0000000000422660-mapping.dmp

Download
memory/1692-11-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1692-24-0x0000000002E20000-0x0000000002E31000-memory.dmp

Filesize
68KB

Download
memory/1692-25-0x0000000002A10000-0x0000000002A21000-memory.dmp

Filesize
68KB

Download
memory/1692-138-0x0000000002710000-0x0000000002721000-memory.dmp

Filesize
68KB

Download
memory/1692-139-0x0000000002B20000-0x0000000002B31000-memory.dmp

Filesize
68KB

Download
memory/1692-140-0x0000000002710000-0x0000000002721000-memory.dmp

Filesize
68KB

Download
memory/1816-2-0x0000000000000000-mapping.dmp

Download
memory/1816-9-0x0000000002A80000-0x0000000002A84000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads