njrat | 6c83a463a188ae19a43d8fc3dec7d77b848198602e076c3baba00cba3e7cf40b

General

Target

c7d5ea3b83db855d97ce4df784f5c7556bae16f3297ae9399f5a14d686a1dbc7.ps1
Size

2.2MB
MD5

438f192c7282265b78ea831b779a5635
SHA1

0197c04c82a4ab39ec6a914be4b533eacfc6c3b4
SHA256

c7d5ea3b83db855d97ce4df784f5c7556bae16f3297ae9399f5a14d686a1dbc7
SHA512

7009dd62daf3c710766323fbe06bc779e2ca09d741bd84980a8b31ff30c7fdd9d05d9280730df633618c4e79c9ad44c57b81ade62283e91da669061afdebb6d5

Score

10^/10

njrat boss trojan

Malware Config

Extracted

Family

njrat

Version

v4.0

Botnet

Boss

C2

103.147.184.73:7103

Mutex

Windows

Attributes

reg_key
Windows
splitter
|-F-|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Drops startup file 1 IoCs

Processes:

aspnet_regbrowsers.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk aspnet_regbrowsers.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 4016 set thread context of 2004 4016 powershell.exe aspnet_regbrowsers.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exe

pid process

4016 powershell.exe
4016 powershell.exe
4016 powershell.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	aspnet_regbrowsers.exe

description	pid	process	target process
PID 4016 set thread context of 2004	4016	powershell.exe	aspnet_regbrowsers.exe

pid	process
4016	powershell.exe
4016	powershell.exe
4016	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

powershell.exeaspnet_regbrowsers.exe

description	pid	process
Token: SeDebugPrivilege	4016	powershell.exe
Token: SeDebugPrivilege	2004	aspnet_regbrowsers.exe
Token: 33	2004	aspnet_regbrowsers.exe
Token: SeIncBasePriorityPrivilege	2004	aspnet_regbrowsers.exe
Token: 33	2004	aspnet_regbrowsers.exe
Token: SeIncBasePriorityPrivilege	2004	aspnet_regbrowsers.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

powershell.exe

description	pid	process	target process
PID 4016 wrote to memory of 2004	4016	powershell.exe	aspnet_regbrowsers.exe
PID 4016 wrote to memory of 2004	4016	powershell.exe	aspnet_regbrowsers.exe
PID 4016 wrote to memory of 2004	4016	powershell.exe	aspnet_regbrowsers.exe
PID 4016 wrote to memory of 2004	4016	powershell.exe	aspnet_regbrowsers.exe
PID 4016 wrote to memory of 2004	4016	powershell.exe	aspnet_regbrowsers.exe
PID 4016 wrote to memory of 2004	4016	powershell.exe	aspnet_regbrowsers.exe
PID 4016 wrote to memory of 2004	4016	powershell.exe	aspnet_regbrowsers.exe
PID 4016 wrote to memory of 2004	4016	powershell.exe	aspnet_regbrowsers.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\c7d5ea3b83db855d97ce4df784f5c7556bae16f3297ae9399f5a14d686a1dbc7.ps1
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4016

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
2⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
PID:2004

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2004-136-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2004-147-0x00000000054E0000-0x00000000054E1000-memory.dmp

Filesize
4KB

Download
memory/2004-146-0x0000000005520000-0x0000000005521000-memory.dmp

Filesize
4KB

Download
memory/2004-145-0x0000000005430000-0x0000000005431000-memory.dmp

Filesize
4KB

Download
memory/2004-144-0x0000000005940000-0x0000000005941000-memory.dmp

Filesize
4KB

Download
memory/2004-143-0x0000000004E30000-0x0000000004E31000-memory.dmp

Filesize
4KB

Download
memory/2004-137-0x000000000040836E-mapping.dmp

Download
memory/4016-124-0x0000027794633000-0x0000027794635000-memory.dmp

Filesize
8KB

Download
memory/4016-135-0x0000027794540000-0x0000027794541000-memory.dmp

Filesize
4KB

Download
memory/4016-134-0x0000027794636000-0x0000027794638000-memory.dmp

Filesize
8KB

Download
memory/4016-129-0x0000027794510000-0x000002779453A000-memory.dmp

Filesize
168KB

Download
memory/4016-119-0x0000027794640000-0x0000027794641000-memory.dmp

Filesize
4KB

Download
memory/4016-123-0x0000027794630000-0x0000027794632000-memory.dmp

Filesize
8KB

Download
memory/4016-122-0x00000277ACDC0000-0x00000277ACDC1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing