njrat | 9f6fdc5e19242853318ccf433ca5288f4869fc045fde761b931a8bc8b8ac70d7

General

Target

9f6fdc5e19242853318ccf433ca5288f4869fc045fde7.exe
Size

167KB
MD5

0bcb7b5e42fc664c49a25df679fd3e62
SHA1

c1287a05d381069a06bcf716657ce1a38d9fd95e
SHA256

9f6fdc5e19242853318ccf433ca5288f4869fc045fde761b931a8bc8b8ac70d7
SHA512

d7929e9faa699e305f1b9502d8c6bd69cf3a66729517d9c511c621479a22bde06ec3bfca542cd3dee5548c8ebf0e3454d3cab29828c6117847e9c9536cf924be

Score

10^/10

njrat trojan

Malware Config

Extracted

Family

njrat

C2

62.33.159.162:5674

Mutex

26c50014115b430

Attributes

reg_key
26c50014115b430
splitter
@!#&^%$

Signatures

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 3304 created 632 3304 WerFault.exe 9f6fdc5e19242853318ccf433ca5288f4869fc045fde7.exe
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Suspicious use of SetThreadContext 1 IoCs

Processes:

9f6fdc5e19242853318ccf433ca5288f4869fc045fde7.exe

description pid process target process

PID 632 set thread context of 2788 632 9f6fdc5e19242853318ccf433ca5288f4869fc045fde7.exe RegSvcs.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3304 632 WerFault.exe 9f6fdc5e19242853318ccf433ca5288f4869fc045fde7.exe

description	pid	process	target process
PID 3304 created 632	3304	WerFault.exe	9f6fdc5e19242853318ccf433ca5288f4869fc045fde7.exe

description	pid	process	target process
PID 632 set thread context of 2788	632	9f6fdc5e19242853318ccf433ca5288f4869fc045fde7.exe	RegSvcs.exe

pid	pid_target	process	target process
3304	632	WerFault.exe	9f6fdc5e19242853318ccf433ca5288f4869fc045fde7.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

pid	process
3304	WerFault.exe
3304	WerFault.exe
3304	WerFault.exe
3304	WerFault.exe
3304	WerFault.exe
3304	WerFault.exe
3304	WerFault.exe
3304	WerFault.exe
3304	WerFault.exe
3304	WerFault.exe
3304	WerFault.exe
3304	WerFault.exe
3304	WerFault.exe
3304	WerFault.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

Processes:

WerFault.exeRegSvcs.exe

description	pid	process
Token: SeRestorePrivilege	3304	WerFault.exe
Token: SeBackupPrivilege	3304	WerFault.exe
Token: SeDebugPrivilege	3304	WerFault.exe
Token: SeDebugPrivilege	2788	RegSvcs.exe
Token: 33	2788	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2788	RegSvcs.exe
Token: 33	2788	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2788	RegSvcs.exe
Token: 33	2788	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2788	RegSvcs.exe
Token: 33	2788	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2788	RegSvcs.exe
Token: 33	2788	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2788	RegSvcs.exe
Token: 33	2788	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2788	RegSvcs.exe
Token: 33	2788	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2788	RegSvcs.exe
Token: 33	2788	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2788	RegSvcs.exe
Token: 33	2788	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2788	RegSvcs.exe
Token: 33	2788	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2788	RegSvcs.exe
Token: 33	2788	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2788	RegSvcs.exe
Token: 33	2788	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2788	RegSvcs.exe
Token: 33	2788	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2788	RegSvcs.exe
Token: 33	2788	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2788	RegSvcs.exe
Token: 33	2788	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2788	RegSvcs.exe
Token: 33	2788	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2788	RegSvcs.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

9f6fdc5e19242853318ccf433ca5288f4869fc045fde7.exe

description	pid	process	target process
PID 632 wrote to memory of 2788	632	9f6fdc5e19242853318ccf433ca5288f4869fc045fde7.exe	RegSvcs.exe
PID 632 wrote to memory of 2788	632	9f6fdc5e19242853318ccf433ca5288f4869fc045fde7.exe	RegSvcs.exe
PID 632 wrote to memory of 2788	632	9f6fdc5e19242853318ccf433ca5288f4869fc045fde7.exe	RegSvcs.exe
PID 632 wrote to memory of 2788	632	9f6fdc5e19242853318ccf433ca5288f4869fc045fde7.exe	RegSvcs.exe
PID 632 wrote to memory of 2788	632	9f6fdc5e19242853318ccf433ca5288f4869fc045fde7.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\9f6fdc5e19242853318ccf433ca5288f4869fc045fde7.exe
"C:\Users\Admin\AppData\Local\Temp\9f6fdc5e19242853318ccf433ca5288f4869fc045fde7.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:632

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 632 -s 268
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3304

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2788-114-0x0000000000140000-0x000000000014C000-memory.dmp

Filesize
48KB

Download
memory/2788-119-0x0000000000146A6E-mapping.dmp

Download
memory/2788-120-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2788-122-0x0000000004950000-0x0000000004951000-memory.dmp

Filesize
4KB

Download
memory/2788-123-0x0000000004EF0000-0x0000000004EF1000-memory.dmp

Filesize
4KB

Download
memory/2788-124-0x0000000004B10000-0x0000000004B11000-memory.dmp

Filesize
4KB

Download
memory/2788-125-0x00000000025C0000-0x00000000025C1000-memory.dmp

Filesize
4KB

Download
memory/2788-126-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads