njrat | 7c84531c6299e423eacc06007a52e9a0ce6b334f3e18fc53cf6d1aca1f6b1407

General

Target

7c84531c6299e423eacc06007a52e9a0ce6b334f3e18fc53cf6d1aca1f6b1407.exe
Size

343KB
MD5

a4ef9b97bb27e933d21acf408213660e
SHA1

468f1788f892ee364922d4ad89b4015f1cf36a5b
SHA256

7c84531c6299e423eacc06007a52e9a0ce6b334f3e18fc53cf6d1aca1f6b1407
SHA512

db842526085b08d44e2325117defdc37624d9ecfa99f56a38a7ff87af795d8d934d63b46d25d432ae82f5d32fb50cc27be87b5e38a739db06a437bc81b070643

Score

10^/10

njrat sazanxd trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

SAZANXD

C2

20.94.209.182:8080

Mutex

5674c09c7f0c4298faa91f68465c425a

Attributes

reg_key
5674c09c7f0c4298faa91f68465c425a
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of SetThreadContext 1 IoCs

Processes:

7c84531c6299e423eacc06007a52e9a0ce6b334f3e18fc53cf6d1aca1f6b1407.exe

description pid process target process

PID 580 set thread context of 2880 580 7c84531c6299e423eacc06007a52e9a0ce6b334f3e18fc53cf6d1aca1f6b1407.exe vbc.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

dw20.exe

pid process

3756 dw20.exe
3756 dw20.exe

description	pid	process	target process
PID 580 set thread context of 2880	580	7c84531c6299e423eacc06007a52e9a0ce6b334f3e18fc53cf6d1aca1f6b1407.exe	vbc.exe

pid	process
3756	dw20.exe
3756	dw20.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

7c84531c6299e423eacc06007a52e9a0ce6b334f3e18fc53cf6d1aca1f6b1407.exedw20.exe

description	pid	process
Token: SeDebugPrivilege	580	7c84531c6299e423eacc06007a52e9a0ce6b334f3e18fc53cf6d1aca1f6b1407.exe
Token: SeRestorePrivilege	3756	dw20.exe
Token: SeBackupPrivilege	3756	dw20.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

7c84531c6299e423eacc06007a52e9a0ce6b334f3e18fc53cf6d1aca1f6b1407.exevbc.exe

description	pid	process	target process
PID 580 wrote to memory of 2880	580	7c84531c6299e423eacc06007a52e9a0ce6b334f3e18fc53cf6d1aca1f6b1407.exe	vbc.exe
PID 580 wrote to memory of 2880	580	7c84531c6299e423eacc06007a52e9a0ce6b334f3e18fc53cf6d1aca1f6b1407.exe	vbc.exe
PID 580 wrote to memory of 2880	580	7c84531c6299e423eacc06007a52e9a0ce6b334f3e18fc53cf6d1aca1f6b1407.exe	vbc.exe
PID 580 wrote to memory of 2880	580	7c84531c6299e423eacc06007a52e9a0ce6b334f3e18fc53cf6d1aca1f6b1407.exe	vbc.exe
PID 580 wrote to memory of 2880	580	7c84531c6299e423eacc06007a52e9a0ce6b334f3e18fc53cf6d1aca1f6b1407.exe	vbc.exe
PID 580 wrote to memory of 2880	580	7c84531c6299e423eacc06007a52e9a0ce6b334f3e18fc53cf6d1aca1f6b1407.exe	vbc.exe
PID 580 wrote to memory of 2880	580	7c84531c6299e423eacc06007a52e9a0ce6b334f3e18fc53cf6d1aca1f6b1407.exe	vbc.exe
PID 580 wrote to memory of 2880	580	7c84531c6299e423eacc06007a52e9a0ce6b334f3e18fc53cf6d1aca1f6b1407.exe	vbc.exe
PID 2880 wrote to memory of 3756	2880	vbc.exe	dw20.exe
PID 2880 wrote to memory of 3756	2880	vbc.exe	dw20.exe
PID 2880 wrote to memory of 3756	2880	vbc.exe	dw20.exe

C:\Users\Admin\AppData\Local\Temp\7c84531c6299e423eacc06007a52e9a0ce6b334f3e18fc53cf6d1aca1f6b1407.exe
"C:\Users\Admin\AppData\Local\Temp\7c84531c6299e423eacc06007a52e9a0ce6b334f3e18fc53cf6d1aca1f6b1407.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:580

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:2880

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 688
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3756

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/580-114-0x00000000009B0000-0x00000000009B1000-memory.dmp

Filesize
4KB

Download
memory/2880-115-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2880-116-0x000000000040748E-mapping.dmp

Download
memory/2880-118-0x0000000002160000-0x0000000002161000-memory.dmp

Filesize
4KB

Download
memory/3756-117-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing