njrat | 59b45ef1da7d5dd6d2cb29796794fae90f67f13566dd15864fe4a65e42b9d7b7

General

Target

59B45EF1DA7D5DD6D2CB29796794FAE90F67F13566DD1.exe
Size

884KB
MD5

c865447ddf5a946a5663c824ec3a8f28
SHA1

dd713980b874a10f6eb1c8e4cf6343e2d28afa8f
SHA256

59b45ef1da7d5dd6d2cb29796794fae90f67f13566dd15864fe4a65e42b9d7b7
SHA512

5238aef22f795be8c1ab5afbae5e5f9f5a3e07880dada27ce353438c147fab09a4f1b51529b391d3dbdffa177120a90af97a1431b7b9b2dc4007a2edfcccc6fb

Score

10^/10

njrat skype persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7.3

Botnet

SKYPE

C2

browserskype.duckdns.org:2024

Mutex

CNAODt.exe

Attributes

reg_key
CNAODt.exe
splitter
zaq1

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

59B45EF1DA7D5DD6D2CB29796794FAE90F67F13566DD1.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\402-8087854951-12-5-1-S\ = "C:\\402-8087854951-12-5-1-S\\S-1-5-21-1594587808-204.exe"	59B45EF1DA7D5DD6D2CB29796794FAE90F67F13566DD1.exe
Key created	\Registry\User\S-1-5-21-1594587808-2047097707-2163810515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	59B45EF1DA7D5DD6D2CB29796794FAE90F67F13566DD1.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

59B45EF1DA7D5DD6D2CB29796794FAE90F67F13566DD1.exe

description pid process target process

PID 632 set thread context of 2044 632 59B45EF1DA7D5DD6D2CB29796794FAE90F67F13566DD1.exe regasm.exe

description	pid	process	target process
PID 632 set thread context of 2044	632	59B45EF1DA7D5DD6D2CB29796794FAE90F67F13566DD1.exe	regasm.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

59B45EF1DA7D5DD6D2CB29796794FAE90F67F13566DD1.exeregasm.exe

pid	process
632	59B45EF1DA7D5DD6D2CB29796794FAE90F67F13566DD1.exe
632	59B45EF1DA7D5DD6D2CB29796794FAE90F67F13566DD1.exe
2044	regasm.exe
2044	regasm.exe
2044	regasm.exe
2044	regasm.exe
2044	regasm.exe
2044	regasm.exe
2044	regasm.exe
2044	regasm.exe
2044	regasm.exe
2044	regasm.exe
2044	regasm.exe
2044	regasm.exe
2044	regasm.exe
2044	regasm.exe
2044	regasm.exe
2044	regasm.exe
2044	regasm.exe
2044	regasm.exe
2044	regasm.exe
2044	regasm.exe
2044	regasm.exe
2044	regasm.exe
2044	regasm.exe
2044	regasm.exe
2044	regasm.exe
2044	regasm.exe
2044	regasm.exe
2044	regasm.exe
2044	regasm.exe
2044	regasm.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

Processes:

regasm.exe

description	pid	process
Token: SeDebugPrivilege	2044	regasm.exe
Token: 33	2044	regasm.exe
Token: SeIncBasePriorityPrivilege	2044	regasm.exe
Token: 33	2044	regasm.exe
Token: SeIncBasePriorityPrivilege	2044	regasm.exe
Token: 33	2044	regasm.exe
Token: SeIncBasePriorityPrivilege	2044	regasm.exe
Token: 33	2044	regasm.exe
Token: SeIncBasePriorityPrivilege	2044	regasm.exe
Token: 33	2044	regasm.exe
Token: SeIncBasePriorityPrivilege	2044	regasm.exe
Token: 33	2044	regasm.exe
Token: SeIncBasePriorityPrivilege	2044	regasm.exe
Token: 33	2044	regasm.exe
Token: SeIncBasePriorityPrivilege	2044	regasm.exe
Token: 33	2044	regasm.exe
Token: SeIncBasePriorityPrivilege	2044	regasm.exe
Token: 33	2044	regasm.exe
Token: SeIncBasePriorityPrivilege	2044	regasm.exe
Token: 33	2044	regasm.exe
Token: SeIncBasePriorityPrivilege	2044	regasm.exe
Token: 33	2044	regasm.exe
Token: SeIncBasePriorityPrivilege	2044	regasm.exe
Token: 33	2044	regasm.exe
Token: SeIncBasePriorityPrivilege	2044	regasm.exe
Token: 33	2044	regasm.exe
Token: SeIncBasePriorityPrivilege	2044	regasm.exe
Token: 33	2044	regasm.exe
Token: SeIncBasePriorityPrivilege	2044	regasm.exe
Token: 33	2044	regasm.exe
Token: SeIncBasePriorityPrivilege	2044	regasm.exe
Token: 33	2044	regasm.exe
Token: SeIncBasePriorityPrivilege	2044	regasm.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

59B45EF1DA7D5DD6D2CB29796794FAE90F67F13566DD1.exe

description	pid	process	target process
PID 632 wrote to memory of 2044	632	59B45EF1DA7D5DD6D2CB29796794FAE90F67F13566DD1.exe	regasm.exe
PID 632 wrote to memory of 2044	632	59B45EF1DA7D5DD6D2CB29796794FAE90F67F13566DD1.exe	regasm.exe
PID 632 wrote to memory of 2044	632	59B45EF1DA7D5DD6D2CB29796794FAE90F67F13566DD1.exe	regasm.exe
PID 632 wrote to memory of 2044	632	59B45EF1DA7D5DD6D2CB29796794FAE90F67F13566DD1.exe	regasm.exe
PID 632 wrote to memory of 2044	632	59B45EF1DA7D5DD6D2CB29796794FAE90F67F13566DD1.exe	regasm.exe

C:\Users\Admin\AppData\Local\Temp\59B45EF1DA7D5DD6D2CB29796794FAE90F67F13566DD1.exe
"C:\Users\Admin\AppData\Local\Temp\59B45EF1DA7D5DD6D2CB29796794FAE90F67F13566DD1.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:632

C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2044

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/632-114-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/632-115-0x0000000002510000-0x0000000002605000-memory.dmp

Filesize
980KB

Download
memory/632-116-0x0000000002C40000-0x0000000002D35000-memory.dmp

Filesize
980KB

Download
memory/2044-117-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2044-118-0x000000000040EB5E-mapping.dmp

Download
memory/2044-119-0x0000000000D70000-0x0000000000D71000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads