njrat | 8a6cb8e4c30304c28e48f7b231566f6cb6b0003f333ad391182d9e60ad822f81

General

Target

27643633696fa248a0b4c71e49615434.exe
Size

31KB
MD5

27643633696fa248a0b4c71e49615434
SHA1

649381492b07b574498b09fb8660594c01051860
SHA256

8a6cb8e4c30304c28e48f7b231566f6cb6b0003f333ad391182d9e60ad822f81
SHA512

a2d429ae10f5f1011d46f11599ee436b3497fda11910d8f10cba2508386b340da44d046925bbe419a26fe19b0bfb93eadb5f4458977f14dbd09b17f119845f5e

Score

10^/10

njrat mybot evasion trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

MyBot

C2

4.tcp.ngrok.io:13423

Mutex

5b1aa42c8adf5af0231d2d07c548dec2

Attributes

reg_key
5b1aa42c8adf5af0231d2d07c548dec2
splitter
Y262SUCZ4UJJ

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 1 IoCs

Processes:

WindowsServices.exe

pid process

1580 WindowsServices.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Loads dropped DLL 1 IoCs

Processes:

27643633696fa248a0b4c71e49615434.exe

pid process

1820 27643633696fa248a0b4c71e49615434.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1580	WindowsServices.exe

pid	process
1820	27643633696fa248a0b4c71e49615434.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

Processes:

WindowsServices.exe

description	pid	process
Token: SeDebugPrivilege	1580	WindowsServices.exe
Token: 33	1580	WindowsServices.exe
Token: SeIncBasePriorityPrivilege	1580	WindowsServices.exe
Token: 33	1580	WindowsServices.exe
Token: SeIncBasePriorityPrivilege	1580	WindowsServices.exe
Token: 33	1580	WindowsServices.exe
Token: SeIncBasePriorityPrivilege	1580	WindowsServices.exe
Token: 33	1580	WindowsServices.exe
Token: SeIncBasePriorityPrivilege	1580	WindowsServices.exe
Token: 33	1580	WindowsServices.exe
Token: SeIncBasePriorityPrivilege	1580	WindowsServices.exe
Token: 33	1580	WindowsServices.exe
Token: SeIncBasePriorityPrivilege	1580	WindowsServices.exe
Token: 33	1580	WindowsServices.exe
Token: SeIncBasePriorityPrivilege	1580	WindowsServices.exe
Token: 33	1580	WindowsServices.exe
Token: SeIncBasePriorityPrivilege	1580	WindowsServices.exe
Token: 33	1580	WindowsServices.exe
Token: SeIncBasePriorityPrivilege	1580	WindowsServices.exe
Token: 33	1580	WindowsServices.exe
Token: SeIncBasePriorityPrivilege	1580	WindowsServices.exe
Token: 33	1580	WindowsServices.exe
Token: SeIncBasePriorityPrivilege	1580	WindowsServices.exe
Token: 33	1580	WindowsServices.exe
Token: SeIncBasePriorityPrivilege	1580	WindowsServices.exe
Token: 33	1580	WindowsServices.exe
Token: SeIncBasePriorityPrivilege	1580	WindowsServices.exe
Token: 33	1580	WindowsServices.exe
Token: SeIncBasePriorityPrivilege	1580	WindowsServices.exe
Token: 33	1580	WindowsServices.exe
Token: SeIncBasePriorityPrivilege	1580	WindowsServices.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

27643633696fa248a0b4c71e49615434.exeWindowsServices.exe

description	pid	process	target process
PID 1820 wrote to memory of 1580	1820	27643633696fa248a0b4c71e49615434.exe	WindowsServices.exe
PID 1820 wrote to memory of 1580	1820	27643633696fa248a0b4c71e49615434.exe	WindowsServices.exe
PID 1820 wrote to memory of 1580	1820	27643633696fa248a0b4c71e49615434.exe	WindowsServices.exe
PID 1820 wrote to memory of 1580	1820	27643633696fa248a0b4c71e49615434.exe	WindowsServices.exe
PID 1580 wrote to memory of 768	1580	WindowsServices.exe	netsh.exe
PID 1580 wrote to memory of 768	1580	WindowsServices.exe	netsh.exe
PID 1580 wrote to memory of 768	1580	WindowsServices.exe	netsh.exe
PID 1580 wrote to memory of 768	1580	WindowsServices.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\27643633696fa248a0b4c71e49615434.exe
"C:\Users\Admin\AppData\Local\Temp\27643633696fa248a0b4c71e49615434.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1820

C:\Users\Admin\AppData\Local\Temp\WindowsServices.exe
"C:\Users\Admin\AppData\Local\Temp\WindowsServices.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1580

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\WindowsServices.exe" "WindowsServices.exe" ENABLE
3⤵
PID:768

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\WindowsServices.exe
MD5
27643633696fa248a0b4c71e49615434

SHA1
649381492b07b574498b09fb8660594c01051860

SHA256
8a6cb8e4c30304c28e48f7b231566f6cb6b0003f333ad391182d9e60ad822f81

SHA512
a2d429ae10f5f1011d46f11599ee436b3497fda11910d8f10cba2508386b340da44d046925bbe419a26fe19b0bfb93eadb5f4458977f14dbd09b17f119845f5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsServices.exe
MD5
27643633696fa248a0b4c71e49615434

SHA1
649381492b07b574498b09fb8660594c01051860

SHA256
8a6cb8e4c30304c28e48f7b231566f6cb6b0003f333ad391182d9e60ad822f81

SHA512
a2d429ae10f5f1011d46f11599ee436b3497fda11910d8f10cba2508386b340da44d046925bbe419a26fe19b0bfb93eadb5f4458977f14dbd09b17f119845f5e

Download Submit
\Users\Admin\AppData\Local\Temp\WindowsServices.exe
MD5
27643633696fa248a0b4c71e49615434

SHA1
649381492b07b574498b09fb8660594c01051860

SHA256
8a6cb8e4c30304c28e48f7b231566f6cb6b0003f333ad391182d9e60ad822f81

SHA512
a2d429ae10f5f1011d46f11599ee436b3497fda11910d8f10cba2508386b340da44d046925bbe419a26fe19b0bfb93eadb5f4458977f14dbd09b17f119845f5e

Download Submit
memory/768-68-0x0000000000000000-mapping.dmp

Download
memory/1580-63-0x0000000000000000-mapping.dmp

Download
memory/1580-67-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/1820-60-0x0000000076641000-0x0000000076643000-memory.dmp

Filesize
8KB

Download
memory/1820-61-0x0000000000B40000-0x0000000000B41000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing