njrat | 7c84531c6299e423eacc06007a52e9a0ce6b334f3e18fc53cf6d1aca1f6b1407

General

Target

7c84531c6299e423eacc06007a52e9a0ce6b334f3e18fc53cf6d1aca1f6b1407.exe
Size

343KB
MD5

a4ef9b97bb27e933d21acf408213660e
SHA1

468f1788f892ee364922d4ad89b4015f1cf36a5b
SHA256

7c84531c6299e423eacc06007a52e9a0ce6b334f3e18fc53cf6d1aca1f6b1407
SHA512

db842526085b08d44e2325117defdc37624d9ecfa99f56a38a7ff87af795d8d934d63b46d25d432ae82f5d32fb50cc27be87b5e38a739db06a437bc81b070643

Score

10^/10

njrat sazanxd trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

SAZANXD

C2

20.94.209.182:8080

Mutex

5674c09c7f0c4298faa91f68465c425a

Attributes

reg_key
5674c09c7f0c4298faa91f68465c425a
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

Processes:

7c84531c6299e423eacc06007a52e9a0ce6b334f3e18fc53cf6d1aca1f6b1407.exe

description	pid	process	target process
PID 1080 set thread context of 1744	1080	7c84531c6299e423eacc06007a52e9a0ce6b334f3e18fc53cf6d1aca1f6b1407.exe	vbc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

dw20.exe

pid process

1372 dw20.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

7c84531c6299e423eacc06007a52e9a0ce6b334f3e18fc53cf6d1aca1f6b1407.exe

description pid process

Token: SeDebugPrivilege 1080 7c84531c6299e423eacc06007a52e9a0ce6b334f3e18fc53cf6d1aca1f6b1407.exe

pid	process
1372	dw20.exe

description	pid	process
Token: SeDebugPrivilege	1080	7c84531c6299e423eacc06007a52e9a0ce6b334f3e18fc53cf6d1aca1f6b1407.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

7c84531c6299e423eacc06007a52e9a0ce6b334f3e18fc53cf6d1aca1f6b1407.exevbc.exe

description	pid	process	target process
PID 1080 wrote to memory of 1744	1080	7c84531c6299e423eacc06007a52e9a0ce6b334f3e18fc53cf6d1aca1f6b1407.exe	vbc.exe
PID 1080 wrote to memory of 1744	1080	7c84531c6299e423eacc06007a52e9a0ce6b334f3e18fc53cf6d1aca1f6b1407.exe	vbc.exe
PID 1080 wrote to memory of 1744	1080	7c84531c6299e423eacc06007a52e9a0ce6b334f3e18fc53cf6d1aca1f6b1407.exe	vbc.exe
PID 1080 wrote to memory of 1744	1080	7c84531c6299e423eacc06007a52e9a0ce6b334f3e18fc53cf6d1aca1f6b1407.exe	vbc.exe
PID 1080 wrote to memory of 1744	1080	7c84531c6299e423eacc06007a52e9a0ce6b334f3e18fc53cf6d1aca1f6b1407.exe	vbc.exe
PID 1080 wrote to memory of 1744	1080	7c84531c6299e423eacc06007a52e9a0ce6b334f3e18fc53cf6d1aca1f6b1407.exe	vbc.exe
PID 1080 wrote to memory of 1744	1080	7c84531c6299e423eacc06007a52e9a0ce6b334f3e18fc53cf6d1aca1f6b1407.exe	vbc.exe
PID 1080 wrote to memory of 1744	1080	7c84531c6299e423eacc06007a52e9a0ce6b334f3e18fc53cf6d1aca1f6b1407.exe	vbc.exe
PID 1080 wrote to memory of 1744	1080	7c84531c6299e423eacc06007a52e9a0ce6b334f3e18fc53cf6d1aca1f6b1407.exe	vbc.exe
PID 1744 wrote to memory of 1372	1744	vbc.exe	dw20.exe
PID 1744 wrote to memory of 1372	1744	vbc.exe	dw20.exe
PID 1744 wrote to memory of 1372	1744	vbc.exe	dw20.exe
PID 1744 wrote to memory of 1372	1744	vbc.exe	dw20.exe

C:\Users\Admin\AppData\Local\Temp\7c84531c6299e423eacc06007a52e9a0ce6b334f3e18fc53cf6d1aca1f6b1407.exe
"C:\Users\Admin\AppData\Local\Temp\7c84531c6299e423eacc06007a52e9a0ce6b334f3e18fc53cf6d1aca1f6b1407.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1080

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1744

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 412
3⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:1372

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1080-53-0x0000000075991000-0x0000000075993000-memory.dmp

Filesize
8KB

Download
memory/1080-54-0x0000000001E90000-0x0000000001E91000-memory.dmp

Filesize
4KB

Download
memory/1372-59-0x0000000000000000-mapping.dmp

Download
memory/1372-61-0x0000000002460000-0x0000000002461000-memory.dmp

Filesize
4KB

Download
memory/1744-55-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1744-56-0x000000000040748E-mapping.dmp

Download
memory/1744-58-0x0000000001E90000-0x0000000001E91000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing