njrat | c8ad2a5b3da748a73f4ba9497f5d7674735f93716b9454fea5db13c7d5d0ee68

General

Target

8bc16349fad1dd201cf7929eb7ae7fce.exe
Size

1.1MB
MD5

8bc16349fad1dd201cf7929eb7ae7fce
SHA1

8a4eeb9c27e09c9e970f63731f9137013ad83c19
SHA256

c8ad2a5b3da748a73f4ba9497f5d7674735f93716b9454fea5db13c7d5d0ee68
SHA512

b7fba6f2c4694ff7c48c3b136c37a3f456e1bcf9a5aeb32fcd3eb9b51dcfe2f8ab1c2d0242a6ce0e1f7c75c9fa45d11c6a36ea46cc91e56fcabfa4e966f9f5c3

Score

10^/10

njrat tax_mon_30_08 evasion trojan

Malware Config

Extracted

Family

njrat

Version

v2.0

Botnet

TAX_MON_30_08

C2

37.120.141.158:18892

Mutex

Windows

Attributes

reg_key
Windows
splitter
|-F-|

Signatures

Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Drops startup file 1 IoCs

Processes:

8bc16349fad1dd201cf7929eb7ae7fce.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	8bc16349fad1dd201cf7929eb7ae7fce.exe

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

8bc16349fad1dd201cf7929eb7ae7fce.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	8bc16349fad1dd201cf7929eb7ae7fce.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Microsoft.NET\Framework\鄊鄶酂鄄鄟鄅鄵鄉鄷鄌酀鄅酊鄻鄊\svchost.exe = "0"	8bc16349fad1dd201cf7929eb7ae7fce.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\8bc16349fad1dd201cf7929eb7ae7fce.exe = "0"	8bc16349fad1dd201cf7929eb7ae7fce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	8bc16349fad1dd201cf7929eb7ae7fce.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

8bc16349fad1dd201cf7929eb7ae7fce.exe

description pid process target process

PID 4648 set thread context of 1276 4648 8bc16349fad1dd201cf7929eb7ae7fce.exe 8bc16349fad1dd201cf7929eb7ae7fce.exe

description	pid	process	target process
PID 4648 set thread context of 1276	4648	8bc16349fad1dd201cf7929eb7ae7fce.exe	8bc16349fad1dd201cf7929eb7ae7fce.exe

Drops file in Windows directory 2 IoCs

Processes:

8bc16349fad1dd201cf7929eb7ae7fce.exe

description	ioc	process
File created	C:\Windows\Microsoft.NET\Framework\鄊鄶酂鄄鄟鄅鄵鄉鄷鄌酀鄅酊鄻鄊\svchost.exe	8bc16349fad1dd201cf7929eb7ae7fce.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\鄊鄶酂鄄鄟鄅鄵鄉鄷鄌酀鄅酊鄻鄊\svchost.exe	8bc16349fad1dd201cf7929eb7ae7fce.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

powershell.exepowershell.exepowershell.exe8bc16349fad1dd201cf7929eb7ae7fce.exe

pid	process
4228	powershell.exe
496	powershell.exe
4272	powershell.exe
496	powershell.exe
4272	powershell.exe
4228	powershell.exe
4228	powershell.exe
4272	powershell.exe
496	powershell.exe
4648	8bc16349fad1dd201cf7929eb7ae7fce.exe
4648	8bc16349fad1dd201cf7929eb7ae7fce.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

powershell.exepowershell.exepowershell.exe8bc16349fad1dd201cf7929eb7ae7fce.exe8bc16349fad1dd201cf7929eb7ae7fce.exe

description	pid	process
Token: SeDebugPrivilege	4272	powershell.exe
Token: SeDebugPrivilege	496	powershell.exe
Token: SeDebugPrivilege	4228	powershell.exe
Token: SeDebugPrivilege	4648	8bc16349fad1dd201cf7929eb7ae7fce.exe
Token: SeDebugPrivilege	1276	8bc16349fad1dd201cf7929eb7ae7fce.exe
Token: 33	1276	8bc16349fad1dd201cf7929eb7ae7fce.exe
Token: SeIncBasePriorityPrivilege	1276	8bc16349fad1dd201cf7929eb7ae7fce.exe
Token: 33	1276	8bc16349fad1dd201cf7929eb7ae7fce.exe
Token: SeIncBasePriorityPrivilege	1276	8bc16349fad1dd201cf7929eb7ae7fce.exe
Token: 33	1276	8bc16349fad1dd201cf7929eb7ae7fce.exe
Token: SeIncBasePriorityPrivilege	1276	8bc16349fad1dd201cf7929eb7ae7fce.exe
Token: 33	1276	8bc16349fad1dd201cf7929eb7ae7fce.exe
Token: SeIncBasePriorityPrivilege	1276	8bc16349fad1dd201cf7929eb7ae7fce.exe
Token: 33	1276	8bc16349fad1dd201cf7929eb7ae7fce.exe
Token: SeIncBasePriorityPrivilege	1276	8bc16349fad1dd201cf7929eb7ae7fce.exe
Token: 33	1276	8bc16349fad1dd201cf7929eb7ae7fce.exe
Token: SeIncBasePriorityPrivilege	1276	8bc16349fad1dd201cf7929eb7ae7fce.exe
Token: 33	1276	8bc16349fad1dd201cf7929eb7ae7fce.exe
Token: SeIncBasePriorityPrivilege	1276	8bc16349fad1dd201cf7929eb7ae7fce.exe
Token: 33	1276	8bc16349fad1dd201cf7929eb7ae7fce.exe
Token: SeIncBasePriorityPrivilege	1276	8bc16349fad1dd201cf7929eb7ae7fce.exe
Token: 33	1276	8bc16349fad1dd201cf7929eb7ae7fce.exe
Token: SeIncBasePriorityPrivilege	1276	8bc16349fad1dd201cf7929eb7ae7fce.exe
Token: 33	1276	8bc16349fad1dd201cf7929eb7ae7fce.exe
Token: SeIncBasePriorityPrivilege	1276	8bc16349fad1dd201cf7929eb7ae7fce.exe
Token: 33	1276	8bc16349fad1dd201cf7929eb7ae7fce.exe
Token: SeIncBasePriorityPrivilege	1276	8bc16349fad1dd201cf7929eb7ae7fce.exe
Token: 33	1276	8bc16349fad1dd201cf7929eb7ae7fce.exe
Token: SeIncBasePriorityPrivilege	1276	8bc16349fad1dd201cf7929eb7ae7fce.exe
Token: 33	1276	8bc16349fad1dd201cf7929eb7ae7fce.exe
Token: SeIncBasePriorityPrivilege	1276	8bc16349fad1dd201cf7929eb7ae7fce.exe
Token: 33	1276	8bc16349fad1dd201cf7929eb7ae7fce.exe
Token: SeIncBasePriorityPrivilege	1276	8bc16349fad1dd201cf7929eb7ae7fce.exe
Token: 33	1276	8bc16349fad1dd201cf7929eb7ae7fce.exe
Token: SeIncBasePriorityPrivilege	1276	8bc16349fad1dd201cf7929eb7ae7fce.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

8bc16349fad1dd201cf7929eb7ae7fce.exe

description	pid	process	target process
PID 4648 wrote to memory of 496	4648	8bc16349fad1dd201cf7929eb7ae7fce.exe	powershell.exe
PID 4648 wrote to memory of 496	4648	8bc16349fad1dd201cf7929eb7ae7fce.exe	powershell.exe
PID 4648 wrote to memory of 496	4648	8bc16349fad1dd201cf7929eb7ae7fce.exe	powershell.exe
PID 4648 wrote to memory of 4228	4648	8bc16349fad1dd201cf7929eb7ae7fce.exe	powershell.exe
PID 4648 wrote to memory of 4228	4648	8bc16349fad1dd201cf7929eb7ae7fce.exe	powershell.exe
PID 4648 wrote to memory of 4228	4648	8bc16349fad1dd201cf7929eb7ae7fce.exe	powershell.exe
PID 4648 wrote to memory of 4272	4648	8bc16349fad1dd201cf7929eb7ae7fce.exe	powershell.exe
PID 4648 wrote to memory of 4272	4648	8bc16349fad1dd201cf7929eb7ae7fce.exe	powershell.exe
PID 4648 wrote to memory of 4272	4648	8bc16349fad1dd201cf7929eb7ae7fce.exe	powershell.exe
PID 4648 wrote to memory of 1204	4648	8bc16349fad1dd201cf7929eb7ae7fce.exe	8bc16349fad1dd201cf7929eb7ae7fce.exe
PID 4648 wrote to memory of 1204	4648	8bc16349fad1dd201cf7929eb7ae7fce.exe	8bc16349fad1dd201cf7929eb7ae7fce.exe
PID 4648 wrote to memory of 1204	4648	8bc16349fad1dd201cf7929eb7ae7fce.exe	8bc16349fad1dd201cf7929eb7ae7fce.exe
PID 4648 wrote to memory of 1204	4648	8bc16349fad1dd201cf7929eb7ae7fce.exe	8bc16349fad1dd201cf7929eb7ae7fce.exe
PID 4648 wrote to memory of 1204	4648	8bc16349fad1dd201cf7929eb7ae7fce.exe	8bc16349fad1dd201cf7929eb7ae7fce.exe
PID 4648 wrote to memory of 1276	4648	8bc16349fad1dd201cf7929eb7ae7fce.exe	8bc16349fad1dd201cf7929eb7ae7fce.exe
PID 4648 wrote to memory of 1276	4648	8bc16349fad1dd201cf7929eb7ae7fce.exe	8bc16349fad1dd201cf7929eb7ae7fce.exe
PID 4648 wrote to memory of 1276	4648	8bc16349fad1dd201cf7929eb7ae7fce.exe	8bc16349fad1dd201cf7929eb7ae7fce.exe
PID 4648 wrote to memory of 1276	4648	8bc16349fad1dd201cf7929eb7ae7fce.exe	8bc16349fad1dd201cf7929eb7ae7fce.exe
PID 4648 wrote to memory of 1276	4648	8bc16349fad1dd201cf7929eb7ae7fce.exe	8bc16349fad1dd201cf7929eb7ae7fce.exe
PID 4648 wrote to memory of 1276	4648	8bc16349fad1dd201cf7929eb7ae7fce.exe	8bc16349fad1dd201cf7929eb7ae7fce.exe
PID 4648 wrote to memory of 1276	4648	8bc16349fad1dd201cf7929eb7ae7fce.exe	8bc16349fad1dd201cf7929eb7ae7fce.exe
PID 4648 wrote to memory of 1276	4648	8bc16349fad1dd201cf7929eb7ae7fce.exe	8bc16349fad1dd201cf7929eb7ae7fce.exe

C:\Users\Admin\AppData\Local\Temp\8bc16349fad1dd201cf7929eb7ae7fce.exe
"C:\Users\Admin\AppData\Local\Temp\8bc16349fad1dd201cf7929eb7ae7fce.exe"
1⤵
- Windows security modification
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4648

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\鄊鄶酂鄄鄟鄅鄵鄉鄷鄌酀鄅酊鄻鄊\svchost.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:496

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\8bc16349fad1dd201cf7929eb7ae7fce.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4228

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\鄊鄶酂鄄鄟鄅鄵鄉鄷鄌酀鄅酊鄻鄊\svchost.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4272

C:\Users\Admin\AppData\Local\Temp\8bc16349fad1dd201cf7929eb7ae7fce.exe
C:\Users\Admin\AppData\Local\Temp\8bc16349fad1dd201cf7929eb7ae7fce.exe
2⤵
PID:1204

C:\Users\Admin\AppData\Local\Temp\8bc16349fad1dd201cf7929eb7ae7fce.exe
C:\Users\Admin\AppData\Local\Temp\8bc16349fad1dd201cf7929eb7ae7fce.exe
2⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
PID:1276

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Disabling Security Tools

2

T1089

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
34cbce7a86066983ddec1c5c7316fa24

SHA1
a1135a1ddbfd3ae8079f7e449d7978fdb92f3bd9

SHA256
23bf6d99f757f6728c8c896676b0707e190e1acb80ec8758696fa3efa8d6cb42

SHA512
f6537a61341ef316200de61d4185d7fdf8169fa5f01446241d34dc74ffdf9edfd520c5d06d54c9df8a8d1eb0eeab53141d75c88f157b72cbcb6b7f0bdb84e769

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
34cbce7a86066983ddec1c5c7316fa24

SHA1
a1135a1ddbfd3ae8079f7e449d7978fdb92f3bd9

SHA256
23bf6d99f757f6728c8c896676b0707e190e1acb80ec8758696fa3efa8d6cb42

SHA512
f6537a61341ef316200de61d4185d7fdf8169fa5f01446241d34dc74ffdf9edfd520c5d06d54c9df8a8d1eb0eeab53141d75c88f157b72cbcb6b7f0bdb84e769

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
0b5d94d20be9eecbaed3dddd04143f07

SHA1
c677d0355f4cc7301075a554adc889bce502e15a

SHA256
3c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c

SHA512
395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
9fdd675ed7b89464cee1f5eb755f0e64

SHA1
92b74c7a83d1a003a416b2d89bd6f7bb900bd4e1

SHA256
6e48ea2f962ef6e24c2d926bcf7102ec1483a8bb979d508bf68ccb431d70b169

SHA512
ecc797f211f80e03f312340cd655caa55cd145b5996a0dc3a50e11fa49908c17843fff1471feb37f41d6ff08eebb6a553400ca196a2a9b9af3d4ddb52ff8dfd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
16f52e9798e7af1aa0e0911b374410e8

SHA1
a1c6becff281c60dbb7306f33bbbc98cdfbe8bd8

SHA256
66911a77b7c88a18b54927796ef9acd319b37637bedc54761264db99412d978e

SHA512
ec899d67b0c7d51a93e0825ebc058ee78fc545834e009795fcb0119930931335a924a8cf94ea18f9d2bf037f623b8a49fd1e60329e0dfcd1fef12638822820c3

Download Submit
memory/496-119-0x0000000000000000-mapping.dmp

Download
memory/496-128-0x00000000048C0000-0x00000000048C1000-memory.dmp

Filesize
4KB

Download
memory/496-135-0x0000000006EB0000-0x0000000006EB1000-memory.dmp

Filesize
4KB

Download
memory/496-248-0x0000000006EB3000-0x0000000006EB4000-memory.dmp

Filesize
4KB

Download
memory/496-222-0x000000007E8E0000-0x000000007E8E1000-memory.dmp

Filesize
4KB

Download
memory/496-191-0x0000000009170000-0x00000000091A3000-memory.dmp

Filesize
204KB

Download
memory/496-140-0x0000000006EB2000-0x0000000006EB3000-memory.dmp

Filesize
4KB

Download
memory/496-164-0x0000000007B20000-0x0000000007B21000-memory.dmp

Filesize
4KB

Download
memory/1276-155-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1276-424-0x00000000060F0000-0x00000000060F1000-memory.dmp

Filesize
4KB

Download
memory/1276-156-0x000000000040838E-mapping.dmp

Download
memory/4228-218-0x000000007EC50000-0x000000007EC51000-memory.dmp

Filesize
4KB

Download
memory/4228-132-0x0000000006D80000-0x0000000006D81000-memory.dmp

Filesize
4KB

Download
memory/4228-146-0x0000000006C70000-0x0000000006C71000-memory.dmp

Filesize
4KB

Download
memory/4228-252-0x0000000006743000-0x0000000006744000-memory.dmp

Filesize
4KB

Download
memory/4228-152-0x0000000007600000-0x0000000007601000-memory.dmp

Filesize
4KB

Download
memory/4228-136-0x0000000006740000-0x0000000006741000-memory.dmp

Filesize
4KB

Download
memory/4228-138-0x0000000006742000-0x0000000006743000-memory.dmp

Filesize
4KB

Download
memory/4228-161-0x0000000006D60000-0x0000000006D61000-memory.dmp

Filesize
4KB

Download
memory/4228-120-0x0000000000000000-mapping.dmp

Download
memory/4272-167-0x0000000008500000-0x0000000008501000-memory.dmp

Filesize
4KB

Download
memory/4272-139-0x0000000006EB2000-0x0000000006EB3000-memory.dmp

Filesize
4KB

Download
memory/4272-212-0x0000000009220000-0x0000000009221000-memory.dmp

Filesize
4KB

Download
memory/4272-215-0x000000007E9B0000-0x000000007E9B1000-memory.dmp

Filesize
4KB

Download
memory/4272-121-0x0000000000000000-mapping.dmp

Download
memory/4272-137-0x0000000006EB0000-0x0000000006EB1000-memory.dmp

Filesize
4KB

Download
memory/4272-142-0x00000000073F0000-0x00000000073F1000-memory.dmp

Filesize
4KB

Download
memory/4272-149-0x0000000007B90000-0x0000000007B91000-memory.dmp

Filesize
4KB

Download
memory/4272-255-0x0000000006EB3000-0x0000000006EB4000-memory.dmp

Filesize
4KB

Download
memory/4648-114-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/4648-131-0x0000000005FA0000-0x0000000005FA1000-memory.dmp

Filesize
4KB

Download
memory/4648-145-0x0000000005000000-0x0000000005001000-memory.dmp

Filesize
4KB

Download
memory/4648-141-0x0000000004DA0000-0x000000000529E000-memory.dmp

Filesize
5.0MB

Download
memory/4648-118-0x00000000052A0000-0x00000000052A1000-memory.dmp

Filesize
4KB

Download
memory/4648-117-0x0000000004BA0000-0x0000000004BFF000-memory.dmp

Filesize
380KB

Download
memory/4648-116-0x0000000004C00000-0x0000000004C01000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads