njrat | c81fc1a7d158166451f398de956d84adbfdabb433717a3f31461d711ff313553

General

Target

c81fc1a7d158166451f398de956d84adbfdabb433717a3f31461d711ff313553.exe
Size

1.5MB
MD5

05def69117bc5228432feac2bed343d2
SHA1

7dadf53ee11702034176939a5d73891bf3cf5f61
SHA256

c81fc1a7d158166451f398de956d84adbfdabb433717a3f31461d711ff313553
SHA512

1d253ae2efb360ea4120f18ff2ac20ea175cb3650a9257122b847d0b1b6b366b74e91835368004aa5c8f63136da01fad44ef017b27a5f25197e312d7c60a5e45

Score

10^/10

njrat trojan

Malware Config

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 1 IoCs

Processes:

explorer.exe

pid process

540 explorer.exe
Loads dropped DLL 1 IoCs

Processes:

c81fc1a7d158166451f398de956d84adbfdabb433717a3f31461d711ff313553.exe

pid process

1840 c81fc1a7d158166451f398de956d84adbfdabb433717a3f31461d711ff313553.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
540	explorer.exe

pid	process
1840	c81fc1a7d158166451f398de956d84adbfdabb433717a3f31461d711ff313553.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

c81fc1a7d158166451f398de956d84adbfdabb433717a3f31461d711ff313553.exe

description	pid	process	target process
PID 1840 wrote to memory of 540	1840	c81fc1a7d158166451f398de956d84adbfdabb433717a3f31461d711ff313553.exe	explorer.exe
PID 1840 wrote to memory of 540	1840	c81fc1a7d158166451f398de956d84adbfdabb433717a3f31461d711ff313553.exe	explorer.exe
PID 1840 wrote to memory of 540	1840	c81fc1a7d158166451f398de956d84adbfdabb433717a3f31461d711ff313553.exe	explorer.exe
PID 1840 wrote to memory of 540	1840	c81fc1a7d158166451f398de956d84adbfdabb433717a3f31461d711ff313553.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\c81fc1a7d158166451f398de956d84adbfdabb433717a3f31461d711ff313553.exe
"C:\Users\Admin\AppData\Local\Temp\c81fc1a7d158166451f398de956d84adbfdabb433717a3f31461d711ff313553.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1840

C:\Users\Admin\AppData\Roaming\explorer.exe
"C:\Users\Admin\AppData\Roaming\explorer.exe"
2⤵
- Executes dropped EXE
PID:540

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\explorer.exe
MD5
05def69117bc5228432feac2bed343d2

SHA1
7dadf53ee11702034176939a5d73891bf3cf5f61

SHA256
c81fc1a7d158166451f398de956d84adbfdabb433717a3f31461d711ff313553

SHA512
1d253ae2efb360ea4120f18ff2ac20ea175cb3650a9257122b847d0b1b6b366b74e91835368004aa5c8f63136da01fad44ef017b27a5f25197e312d7c60a5e45

Download Submit
C:\Users\Admin\AppData\Roaming\explorer.exe
MD5
05def69117bc5228432feac2bed343d2

SHA1
7dadf53ee11702034176939a5d73891bf3cf5f61

SHA256
c81fc1a7d158166451f398de956d84adbfdabb433717a3f31461d711ff313553

SHA512
1d253ae2efb360ea4120f18ff2ac20ea175cb3650a9257122b847d0b1b6b366b74e91835368004aa5c8f63136da01fad44ef017b27a5f25197e312d7c60a5e45

Download Submit
\Users\Admin\AppData\Roaming\explorer.exe
MD5
05def69117bc5228432feac2bed343d2

SHA1
7dadf53ee11702034176939a5d73891bf3cf5f61

SHA256
c81fc1a7d158166451f398de956d84adbfdabb433717a3f31461d711ff313553

SHA512
1d253ae2efb360ea4120f18ff2ac20ea175cb3650a9257122b847d0b1b6b366b74e91835368004aa5c8f63136da01fad44ef017b27a5f25197e312d7c60a5e45

Download Submit
memory/540-66-0x0000000000000000-mapping.dmp

Download
memory/540-69-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/1840-60-0x0000000000C40000-0x0000000000C41000-memory.dmp

Filesize
4KB

Download
memory/1840-62-0x00000000003E0000-0x0000000000416000-memory.dmp

Filesize
216KB

Download
memory/1840-63-0x0000000000380000-0x0000000000388000-memory.dmp

Filesize
32KB

Download
memory/1840-65-0x00000000084C0000-0x00000000084C1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing