njrat | 7fac1840ad4e66c62cfc1f90ddf1951e6422457555c57048ac987e080a13e14b

General

Target

7fac1840ad4e66c62cfc1f90ddf1951e6422457555c57048ac987e080a13e14b.exe
Size

794KB
MD5

4ca8b569fa3d95c9c619135ca8c8f7b3
SHA1

0f3cf76fb9382928c6c8ab19408154fdc6386926
SHA256

7fac1840ad4e66c62cfc1f90ddf1951e6422457555c57048ac987e080a13e14b
SHA512

371c5356bb0cc382505f492ec3dc90340005fe8591c668cc07c25439693e350177588088d753695d0d5258d91a0f8181f390ebcf00983947fe482328f9f64298

Score

10^/10

njrat @ hacking by dr west @evasion trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

@ HaCkInG By Dr WeSt @

Mutex

de3533c5cf00b5a9a0d499054fac5999

Attributes

reg_key
de3533c5cf00b5a9a0d499054fac5999
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 1 IoCs

Processes:

0.exe

pid process

3720 0.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
3720	0.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

Processes:

0.exe

description	pid	process
Token: SeDebugPrivilege	3720	0.exe
Token: 33	3720	0.exe
Token: SeIncBasePriorityPrivilege	3720	0.exe
Token: 33	3720	0.exe
Token: SeIncBasePriorityPrivilege	3720	0.exe
Token: 33	3720	0.exe
Token: SeIncBasePriorityPrivilege	3720	0.exe
Token: 33	3720	0.exe
Token: SeIncBasePriorityPrivilege	3720	0.exe
Token: 33	3720	0.exe
Token: SeIncBasePriorityPrivilege	3720	0.exe
Token: 33	3720	0.exe
Token: SeIncBasePriorityPrivilege	3720	0.exe
Token: 33	3720	0.exe
Token: SeIncBasePriorityPrivilege	3720	0.exe
Token: 33	3720	0.exe
Token: SeIncBasePriorityPrivilege	3720	0.exe
Token: 33	3720	0.exe
Token: SeIncBasePriorityPrivilege	3720	0.exe
Token: 33	3720	0.exe
Token: SeIncBasePriorityPrivilege	3720	0.exe
Token: 33	3720	0.exe
Token: SeIncBasePriorityPrivilege	3720	0.exe
Token: 33	3720	0.exe
Token: SeIncBasePriorityPrivilege	3720	0.exe
Token: 33	3720	0.exe
Token: SeIncBasePriorityPrivilege	3720	0.exe
Token: 33	3720	0.exe
Token: SeIncBasePriorityPrivilege	3720	0.exe
Token: 33	3720	0.exe
Token: SeIncBasePriorityPrivilege	3720	0.exe
Token: 33	3720	0.exe
Token: SeIncBasePriorityPrivilege	3720	0.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

7fac1840ad4e66c62cfc1f90ddf1951e6422457555c57048ac987e080a13e14b.exe0.exe

description	pid	process	target process
PID 3612 wrote to memory of 3720	3612	7fac1840ad4e66c62cfc1f90ddf1951e6422457555c57048ac987e080a13e14b.exe	0.exe
PID 3612 wrote to memory of 3720	3612	7fac1840ad4e66c62cfc1f90ddf1951e6422457555c57048ac987e080a13e14b.exe	0.exe
PID 3612 wrote to memory of 3720	3612	7fac1840ad4e66c62cfc1f90ddf1951e6422457555c57048ac987e080a13e14b.exe	0.exe
PID 3720 wrote to memory of 4328	3720	0.exe	netsh.exe
PID 3720 wrote to memory of 4328	3720	0.exe	netsh.exe
PID 3720 wrote to memory of 4328	3720	0.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\7fac1840ad4e66c62cfc1f90ddf1951e6422457555c57048ac987e080a13e14b.exe
"C:\Users\Admin\AppData\Local\Temp\7fac1840ad4e66c62cfc1f90ddf1951e6422457555c57048ac987e080a13e14b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3612

C:\Users\Admin\AppData\Roaming\0.exe
"C:\Users\Admin\AppData\Roaming\0.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3720

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\0.exe" "0.exe" ENABLE
3⤵
PID:4328

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\0.exe
MD5
6d74e33782b69655bae3843e16cfdb4d

SHA1
beb96a6b67c476874bb3ad8ccaf192da15d9d126

SHA256
6381c8097fb106187e446982485f79d5361edcd65e740fb151c38531d6a615f0

SHA512
aa2cdb3e8629009f776412598a0eecbe7e80a616fe4228b8bc9f28a2f5fef50750dbb530594caf40ec54390bfe67b25cf9ab0074f8f0c40f018d3d2cb137a196

Download Submit
C:\Users\Admin\AppData\Roaming\0.exe
MD5
6d74e33782b69655bae3843e16cfdb4d

SHA1
beb96a6b67c476874bb3ad8ccaf192da15d9d126

SHA256
6381c8097fb106187e446982485f79d5361edcd65e740fb151c38531d6a615f0

SHA512
aa2cdb3e8629009f776412598a0eecbe7e80a616fe4228b8bc9f28a2f5fef50750dbb530594caf40ec54390bfe67b25cf9ab0074f8f0c40f018d3d2cb137a196

Download Submit
memory/3612-115-0x0000000000C70000-0x0000000000C71000-memory.dmp

Filesize
4KB

Download
memory/3720-117-0x0000000000000000-mapping.dmp

Download
memory/3720-120-0x0000000000640000-0x000000000078A000-memory.dmp

Filesize
1.3MB

Download
memory/4328-121-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing