njrat | 7fb61de981925194d3f5a64495984e38556e43f26d58277d3bdbeea8d48382df

General

Target

7fb61de981925194d3f5a64495984e38556e43f26d58277d3bdbeea8d48382df.bin.exe
Size

263KB
MD5

6735b414617870f41ae37db487fb5965
SHA1

a07e827422730b676fd53e79b0522bf2cd010413
SHA256

7fb61de981925194d3f5a64495984e38556e43f26d58277d3bdbeea8d48382df
SHA512

9e7eb3742c6b5f84130ae83959b253bdb635744d5bedb7b9a13e99bdca3fbbc0356ab55cc705aeb428e491c84c2a1152817c26bbe286632ab1eff0eb922a98df

Score

10^/10

njrat lammer evasion trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

Lammer

C2

moskitu.ddns.net:1177

Mutex

9df50acbc9093297ff153d6c3b05e212

Attributes

reg_key
9df50acbc9093297ff153d6c3b05e212
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 2 IoCs

Processes:

Encryptado.exeTrojan.exe

pid process

944 Encryptado.exe
676 Trojan.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Loads dropped DLL 2 IoCs

Processes:

7fb61de981925194d3f5a64495984e38556e43f26d58277d3bdbeea8d48382df.bin.exeEncryptado.exe

pid process

812 7fb61de981925194d3f5a64495984e38556e43f26d58277d3bdbeea8d48382df.bin.exe
944 Encryptado.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
944	Encryptado.exe
676	Trojan.exe

pid	process
812	7fb61de981925194d3f5a64495984e38556e43f26d58277d3bdbeea8d48382df.bin.exe
944	Encryptado.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

Processes:

Trojan.exe

description	pid	process
Token: SeDebugPrivilege	676	Trojan.exe
Token: 33	676	Trojan.exe
Token: SeIncBasePriorityPrivilege	676	Trojan.exe
Token: 33	676	Trojan.exe
Token: SeIncBasePriorityPrivilege	676	Trojan.exe
Token: 33	676	Trojan.exe
Token: SeIncBasePriorityPrivilege	676	Trojan.exe
Token: 33	676	Trojan.exe
Token: SeIncBasePriorityPrivilege	676	Trojan.exe
Token: 33	676	Trojan.exe
Token: SeIncBasePriorityPrivilege	676	Trojan.exe
Token: 33	676	Trojan.exe
Token: SeIncBasePriorityPrivilege	676	Trojan.exe
Token: 33	676	Trojan.exe
Token: SeIncBasePriorityPrivilege	676	Trojan.exe
Token: 33	676	Trojan.exe
Token: SeIncBasePriorityPrivilege	676	Trojan.exe
Token: 33	676	Trojan.exe
Token: SeIncBasePriorityPrivilege	676	Trojan.exe
Token: 33	676	Trojan.exe
Token: SeIncBasePriorityPrivilege	676	Trojan.exe
Token: 33	676	Trojan.exe
Token: SeIncBasePriorityPrivilege	676	Trojan.exe
Token: 33	676	Trojan.exe
Token: SeIncBasePriorityPrivilege	676	Trojan.exe
Token: 33	676	Trojan.exe
Token: SeIncBasePriorityPrivilege	676	Trojan.exe
Token: 33	676	Trojan.exe
Token: SeIncBasePriorityPrivilege	676	Trojan.exe
Token: 33	676	Trojan.exe
Token: SeIncBasePriorityPrivilege	676	Trojan.exe
Token: 33	676	Trojan.exe
Token: SeIncBasePriorityPrivilege	676	Trojan.exe
Token: 33	676	Trojan.exe
Token: SeIncBasePriorityPrivilege	676	Trojan.exe
Token: 33	676	Trojan.exe
Token: SeIncBasePriorityPrivilege	676	Trojan.exe
Token: 33	676	Trojan.exe
Token: SeIncBasePriorityPrivilege	676	Trojan.exe
Token: 33	676	Trojan.exe
Token: SeIncBasePriorityPrivilege	676	Trojan.exe
Token: 33	676	Trojan.exe
Token: SeIncBasePriorityPrivilege	676	Trojan.exe
Token: 33	676	Trojan.exe
Token: SeIncBasePriorityPrivilege	676	Trojan.exe
Token: 33	676	Trojan.exe
Token: SeIncBasePriorityPrivilege	676	Trojan.exe
Token: 33	676	Trojan.exe
Token: SeIncBasePriorityPrivilege	676	Trojan.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

7fb61de981925194d3f5a64495984e38556e43f26d58277d3bdbeea8d48382df.bin.exeEncryptado.exeTrojan.exe

description	pid	process	target process
PID 812 wrote to memory of 944	812	7fb61de981925194d3f5a64495984e38556e43f26d58277d3bdbeea8d48382df.bin.exe	Encryptado.exe
PID 812 wrote to memory of 944	812	7fb61de981925194d3f5a64495984e38556e43f26d58277d3bdbeea8d48382df.bin.exe	Encryptado.exe
PID 812 wrote to memory of 944	812	7fb61de981925194d3f5a64495984e38556e43f26d58277d3bdbeea8d48382df.bin.exe	Encryptado.exe
PID 812 wrote to memory of 944	812	7fb61de981925194d3f5a64495984e38556e43f26d58277d3bdbeea8d48382df.bin.exe	Encryptado.exe
PID 944 wrote to memory of 676	944	Encryptado.exe	Trojan.exe
PID 944 wrote to memory of 676	944	Encryptado.exe	Trojan.exe
PID 944 wrote to memory of 676	944	Encryptado.exe	Trojan.exe
PID 944 wrote to memory of 676	944	Encryptado.exe	Trojan.exe
PID 676 wrote to memory of 1084	676	Trojan.exe	netsh.exe
PID 676 wrote to memory of 1084	676	Trojan.exe	netsh.exe
PID 676 wrote to memory of 1084	676	Trojan.exe	netsh.exe
PID 676 wrote to memory of 1084	676	Trojan.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\7fb61de981925194d3f5a64495984e38556e43f26d58277d3bdbeea8d48382df.bin.exe
"C:\Users\Admin\AppData\Local\Temp\7fb61de981925194d3f5a64495984e38556e43f26d58277d3bdbeea8d48382df.bin.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:812

C:\Users\Admin\AppData\Local\Temp\Encryptado.exe
"C:\Users\Admin\AppData\Local\Temp\Encryptado.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:944

C:\Users\Admin\AppData\Local\Temp\Trojan.exe
"C:\Users\Admin\AppData\Local\Temp\Trojan.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:676

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Trojan.exe" "Trojan.exe" ENABLE
4⤵
PID:1084

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Encryptado.exe
MD5
6bcb1baa7f140265765dad544ffdc8aa

SHA1
240c108b01bcd4967995595c117512a1d743b1f0

SHA256
0537aee0746e17190e9da82efb25a6562ded2665b6bbf38c71b6bf00ce9eb3a4

SHA512
39a84848bc64827ec7308879db6df7988e33ab0e8ff1a6e74f07ca6dcbec2af8fd84e23b63d8ec01b69f963b007b86404fd5f861ef6e852d4311fa570fc47918

Download Submit
C:\Users\Admin\AppData\Local\Temp\Encryptado.exe
MD5
6bcb1baa7f140265765dad544ffdc8aa

SHA1
240c108b01bcd4967995595c117512a1d743b1f0

SHA256
0537aee0746e17190e9da82efb25a6562ded2665b6bbf38c71b6bf00ce9eb3a4

SHA512
39a84848bc64827ec7308879db6df7988e33ab0e8ff1a6e74f07ca6dcbec2af8fd84e23b63d8ec01b69f963b007b86404fd5f861ef6e852d4311fa570fc47918

Download Submit
C:\Users\Admin\AppData\Local\Temp\Trojan.exe
MD5
6bcb1baa7f140265765dad544ffdc8aa

SHA1
240c108b01bcd4967995595c117512a1d743b1f0

SHA256
0537aee0746e17190e9da82efb25a6562ded2665b6bbf38c71b6bf00ce9eb3a4

SHA512
39a84848bc64827ec7308879db6df7988e33ab0e8ff1a6e74f07ca6dcbec2af8fd84e23b63d8ec01b69f963b007b86404fd5f861ef6e852d4311fa570fc47918

Download Submit
C:\Users\Admin\AppData\Local\Temp\Trojan.exe
MD5
6bcb1baa7f140265765dad544ffdc8aa

SHA1
240c108b01bcd4967995595c117512a1d743b1f0

SHA256
0537aee0746e17190e9da82efb25a6562ded2665b6bbf38c71b6bf00ce9eb3a4

SHA512
39a84848bc64827ec7308879db6df7988e33ab0e8ff1a6e74f07ca6dcbec2af8fd84e23b63d8ec01b69f963b007b86404fd5f861ef6e852d4311fa570fc47918

Download Submit
\Users\Admin\AppData\Local\Temp\Encryptado.exe
MD5
6bcb1baa7f140265765dad544ffdc8aa

SHA1
240c108b01bcd4967995595c117512a1d743b1f0

SHA256
0537aee0746e17190e9da82efb25a6562ded2665b6bbf38c71b6bf00ce9eb3a4

SHA512
39a84848bc64827ec7308879db6df7988e33ab0e8ff1a6e74f07ca6dcbec2af8fd84e23b63d8ec01b69f963b007b86404fd5f861ef6e852d4311fa570fc47918

Download Submit
\Users\Admin\AppData\Local\Temp\Trojan.exe
MD5
6bcb1baa7f140265765dad544ffdc8aa

SHA1
240c108b01bcd4967995595c117512a1d743b1f0

SHA256
0537aee0746e17190e9da82efb25a6562ded2665b6bbf38c71b6bf00ce9eb3a4

SHA512
39a84848bc64827ec7308879db6df7988e33ab0e8ff1a6e74f07ca6dcbec2af8fd84e23b63d8ec01b69f963b007b86404fd5f861ef6e852d4311fa570fc47918

Download Submit
memory/676-67-0x0000000000000000-mapping.dmp

Download
memory/676-71-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/812-59-0x0000000004B66000-0x0000000004B67000-memory.dmp

Filesize
4KB

Download
memory/812-58-0x0000000004B55000-0x0000000004B66000-memory.dmp

Filesize
68KB

Download
memory/812-54-0x0000000000E40000-0x0000000000E41000-memory.dmp

Filesize
4KB

Download
memory/812-57-0x0000000004B50000-0x0000000004B51000-memory.dmp

Filesize
4KB

Download
memory/812-56-0x00000000007D0000-0x00000000007D1000-memory.dmp

Filesize
4KB

Download
memory/944-61-0x0000000000000000-mapping.dmp

Download
memory/944-64-0x00000000757B1000-0x00000000757B3000-memory.dmp

Filesize
8KB

Download
memory/944-65-0x00000000008C0000-0x00000000008C1000-memory.dmp

Filesize
4KB

Download
memory/1084-72-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing