njrat | 08b2e926b95dd3a599af3a697c3d9b1512586a2587ad08d56b0ee4256fd33db1

General

Target

08B2E926B95DD3A599AF3A697C3D9B1512586A2587AD0.exe
Size

23KB
MD5

755bd609b015768d247077ccbf2a407a
SHA1

3484d468c4bda04f6c370118d03ab3ee5d1c43d0
SHA256

08b2e926b95dd3a599af3a697c3d9b1512586a2587ad08d56b0ee4256fd33db1
SHA512

cbe706d7daf9167112257761085bc5fab214dae27a6637c1b9dcbdd6d539e7893a049c4c7a1c457cd668e14dc03b0352c4311918d8cf19cf4973da4ccdddc3c2

Score

10^/10

njrat hacked evasion persistence suricata trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

win08.zapto.org:84

Mutex

79627ac12211c58cdd3a218a06264901

Attributes

reg_key
79627ac12211c58cdd3a218a06264901
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata
Executes dropped EXE 1 IoCs

Processes:

contrasena.exe

pid process

3960 contrasena.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

pid	process
3960	contrasena.exe

Drops startup file 2 IoCs

Processes:

contrasena.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79627ac12211c58cdd3a218a06264901.exe	contrasena.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79627ac12211c58cdd3a218a06264901.exe	contrasena.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

contrasena.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\Run\79627ac12211c58cdd3a218a06264901 = "\"C:\\Users\\Admin\\AppData\\Roaming\\contrasena.exe\" .."	contrasena.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\79627ac12211c58cdd3a218a06264901 = "\"C:\\Users\\Admin\\AppData\\Roaming\\contrasena.exe\" .."	contrasena.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 33 IoCs

Processes:

contrasena.exe

description	pid	process
Token: SeDebugPrivilege	3960	contrasena.exe
Token: 33	3960	contrasena.exe
Token: SeIncBasePriorityPrivilege	3960	contrasena.exe
Token: 33	3960	contrasena.exe
Token: SeIncBasePriorityPrivilege	3960	contrasena.exe
Token: 33	3960	contrasena.exe
Token: SeIncBasePriorityPrivilege	3960	contrasena.exe
Token: 33	3960	contrasena.exe
Token: SeIncBasePriorityPrivilege	3960	contrasena.exe
Token: 33	3960	contrasena.exe
Token: SeIncBasePriorityPrivilege	3960	contrasena.exe
Token: 33	3960	contrasena.exe
Token: SeIncBasePriorityPrivilege	3960	contrasena.exe
Token: 33	3960	contrasena.exe
Token: SeIncBasePriorityPrivilege	3960	contrasena.exe
Token: 33	3960	contrasena.exe
Token: SeIncBasePriorityPrivilege	3960	contrasena.exe
Token: 33	3960	contrasena.exe
Token: SeIncBasePriorityPrivilege	3960	contrasena.exe
Token: 33	3960	contrasena.exe
Token: SeIncBasePriorityPrivilege	3960	contrasena.exe
Token: 33	3960	contrasena.exe
Token: SeIncBasePriorityPrivilege	3960	contrasena.exe
Token: 33	3960	contrasena.exe
Token: SeIncBasePriorityPrivilege	3960	contrasena.exe
Token: 33	3960	contrasena.exe
Token: SeIncBasePriorityPrivilege	3960	contrasena.exe
Token: 33	3960	contrasena.exe
Token: SeIncBasePriorityPrivilege	3960	contrasena.exe
Token: 33	3960	contrasena.exe
Token: SeIncBasePriorityPrivilege	3960	contrasena.exe
Token: 33	3960	contrasena.exe
Token: SeIncBasePriorityPrivilege	3960	contrasena.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

08B2E926B95DD3A599AF3A697C3D9B1512586A2587AD0.execontrasena.exe

description	pid	process	target process
PID 4000 wrote to memory of 3960	4000	08B2E926B95DD3A599AF3A697C3D9B1512586A2587AD0.exe	contrasena.exe
PID 4000 wrote to memory of 3960	4000	08B2E926B95DD3A599AF3A697C3D9B1512586A2587AD0.exe	contrasena.exe
PID 4000 wrote to memory of 3960	4000	08B2E926B95DD3A599AF3A697C3D9B1512586A2587AD0.exe	contrasena.exe
PID 3960 wrote to memory of 3924	3960	contrasena.exe	netsh.exe
PID 3960 wrote to memory of 3924	3960	contrasena.exe	netsh.exe
PID 3960 wrote to memory of 3924	3960	contrasena.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\08B2E926B95DD3A599AF3A697C3D9B1512586A2587AD0.exe
"C:\Users\Admin\AppData\Local\Temp\08B2E926B95DD3A599AF3A697C3D9B1512586A2587AD0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4000

C:\Users\Admin\AppData\Roaming\contrasena.exe
"C:\Users\Admin\AppData\Roaming\contrasena.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3960

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\contrasena.exe" "contrasena.exe" ENABLE
3⤵
PID:3924

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\contrasena.exe
MD5
755bd609b015768d247077ccbf2a407a

SHA1
3484d468c4bda04f6c370118d03ab3ee5d1c43d0

SHA256
08b2e926b95dd3a599af3a697c3d9b1512586a2587ad08d56b0ee4256fd33db1

SHA512
cbe706d7daf9167112257761085bc5fab214dae27a6637c1b9dcbdd6d539e7893a049c4c7a1c457cd668e14dc03b0352c4311918d8cf19cf4973da4ccdddc3c2

Download Submit
C:\Users\Admin\AppData\Roaming\contrasena.exe
MD5
755bd609b015768d247077ccbf2a407a

SHA1
3484d468c4bda04f6c370118d03ab3ee5d1c43d0

SHA256
08b2e926b95dd3a599af3a697c3d9b1512586a2587ad08d56b0ee4256fd33db1

SHA512
cbe706d7daf9167112257761085bc5fab214dae27a6637c1b9dcbdd6d539e7893a049c4c7a1c457cd668e14dc03b0352c4311918d8cf19cf4973da4ccdddc3c2

Download Submit
memory/3924-120-0x0000000000000000-mapping.dmp

Download
memory/3960-116-0x0000000000000000-mapping.dmp

Download
memory/3960-119-0x0000000003020000-0x0000000003021000-memory.dmp

Filesize
4KB

Download
memory/4000-115-0x0000000000C80000-0x0000000000C81000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads