njrat | 4159e161e24f40bd4964eb53aaea050b685a4aa2b3bac12631180a6a9a403ad7

Analysis

max time kernel
150s
max time network
135s
platform
windows7_x64
resource
win7-en-20210920
submitted
04-10-2021 17:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4159E161E24F40BD4964EB53AAEA050B685A4AA2B3BAC.exe
Size

455KB
MD5

aba309cde7801d52d82898085394fd7a
SHA1

5ca6bbeaff94b94ad7e8c54029d3096bcd4e914e
SHA256

4159e161e24f40bd4964eb53aaea050b685a4aa2b3bac12631180a6a9a403ad7
SHA512

567141b32102ec37954437c99bd633bdc4bcd073a1d91146fc9a81b74365bb9d69917ec076c6549843aac23d56641900e09fce76e0236a024e2ae856cf34e6b5

Score

10^/10

njrat 14.04.2017 evasion persistence suricata trojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

14.04.2017

ytka.duckdns.org:1604

Mutex

ed423977d6a5549373be05c39703ea7d

Attributes

reg_key
ed423977d6a5549373be05c39703ea7d
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata
Executes dropped EXE 4 IoCs

Processes:

BitsProg.exedoclan.execonhost.execonhost.exe

pid process

1680 BitsProg.exe
812 doclan.exe
1900 conhost.exe
1200 conhost.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Drops startup file 1 IoCs

Processes:

doclan.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\luk.lnk doclan.exe
Loads dropped DLL 3 IoCs

Processes:

doclan.exe

pid process

812 doclan.exe
812 doclan.exe
812 doclan.exe

pid	process
1680	BitsProg.exe
812	doclan.exe
1900	conhost.exe
1200	conhost.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\luk.lnk	doclan.exe

pid	process
812	doclan.exe
812	doclan.exe
812	doclan.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

conhost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\ed423977d6a5549373be05c39703ea7d = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\conhost.exe\" .."	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ed423977d6a5549373be05c39703ea7d = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\conhost.exe\" .."	conhost.exe

Drops autorun.inf file 1 TTPs
Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media
T1091
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 4 IoCs

installer

Processes:

resource	yara_rule
C:\ProgramData\doclan.exe	nsis_installer_1
C:\ProgramData\doclan.exe	nsis_installer_2
C:\ProgramData\doclan.exe	nsis_installer_1
C:\ProgramData\doclan.exe	nsis_installer_2

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1156 taskkill.exe

pid	process
1156	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

conhost.exe

pid	process
1200	conhost.exe
1200	conhost.exe
1200	conhost.exe
1200	conhost.exe
1200	conhost.exe
1200	conhost.exe
1200	conhost.exe
1200	conhost.exe
1200	conhost.exe
1200	conhost.exe
1200	conhost.exe
1200	conhost.exe
1200	conhost.exe
1200	conhost.exe
1200	conhost.exe
1200	conhost.exe
1200	conhost.exe
1200	conhost.exe
1200	conhost.exe
1200	conhost.exe
1200	conhost.exe
1200	conhost.exe
1200	conhost.exe
1200	conhost.exe
1200	conhost.exe
1200	conhost.exe
1200	conhost.exe
1200	conhost.exe
1200	conhost.exe
1200	conhost.exe
1200	conhost.exe
1200	conhost.exe
1200	conhost.exe
1200	conhost.exe
1200	conhost.exe
1200	conhost.exe
1200	conhost.exe
1200	conhost.exe
1200	conhost.exe
1200	conhost.exe
1200	conhost.exe
1200	conhost.exe
1200	conhost.exe
1200	conhost.exe
1200	conhost.exe
1200	conhost.exe
1200	conhost.exe
1200	conhost.exe
1200	conhost.exe
1200	conhost.exe
1200	conhost.exe
1200	conhost.exe
1200	conhost.exe
1200	conhost.exe
1200	conhost.exe
1200	conhost.exe
1200	conhost.exe
1200	conhost.exe
1200	conhost.exe
1200	conhost.exe
1200	conhost.exe
1200	conhost.exe
1200	conhost.exe
1200	conhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

conhost.exe

pid process

1200 conhost.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

Processes:

taskkill.execonhost.exe

description	pid	process
Token: SeDebugPrivilege	1156	taskkill.exe
Token: SeDebugPrivilege	1200	conhost.exe
Token: 33	1200	conhost.exe
Token: SeIncBasePriorityPrivilege	1200	conhost.exe
Token: 33	1200	conhost.exe
Token: SeIncBasePriorityPrivilege	1200	conhost.exe
Token: 33	1200	conhost.exe
Token: SeIncBasePriorityPrivilege	1200	conhost.exe
Token: 33	1200	conhost.exe
Token: SeIncBasePriorityPrivilege	1200	conhost.exe
Token: 33	1200	conhost.exe
Token: SeIncBasePriorityPrivilege	1200	conhost.exe
Token: 33	1200	conhost.exe
Token: SeIncBasePriorityPrivilege	1200	conhost.exe
Token: 33	1200	conhost.exe
Token: SeIncBasePriorityPrivilege	1200	conhost.exe
Token: 33	1200	conhost.exe
Token: SeIncBasePriorityPrivilege	1200	conhost.exe
Token: 33	1200	conhost.exe
Token: SeIncBasePriorityPrivilege	1200	conhost.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

4159E161E24F40BD4964EB53AAEA050B685A4AA2B3BAC.exedoclan.execonhost.execonhost.exe

description	pid	process	target process
PID 1128 wrote to memory of 1680	1128	4159E161E24F40BD4964EB53AAEA050B685A4AA2B3BAC.exe	BitsProg.exe
PID 1128 wrote to memory of 1680	1128	4159E161E24F40BD4964EB53AAEA050B685A4AA2B3BAC.exe	BitsProg.exe
PID 1128 wrote to memory of 1680	1128	4159E161E24F40BD4964EB53AAEA050B685A4AA2B3BAC.exe	BitsProg.exe
PID 1128 wrote to memory of 812	1128	4159E161E24F40BD4964EB53AAEA050B685A4AA2B3BAC.exe	doclan.exe
PID 1128 wrote to memory of 812	1128	4159E161E24F40BD4964EB53AAEA050B685A4AA2B3BAC.exe	doclan.exe
PID 1128 wrote to memory of 812	1128	4159E161E24F40BD4964EB53AAEA050B685A4AA2B3BAC.exe	doclan.exe
PID 1128 wrote to memory of 812	1128	4159E161E24F40BD4964EB53AAEA050B685A4AA2B3BAC.exe	doclan.exe
PID 812 wrote to memory of 1900	812	doclan.exe	conhost.exe
PID 812 wrote to memory of 1900	812	doclan.exe	conhost.exe
PID 812 wrote to memory of 1900	812	doclan.exe	conhost.exe
PID 812 wrote to memory of 1900	812	doclan.exe	conhost.exe
PID 1900 wrote to memory of 1200	1900	conhost.exe	conhost.exe
PID 1900 wrote to memory of 1200	1900	conhost.exe	conhost.exe
PID 1900 wrote to memory of 1200	1900	conhost.exe	conhost.exe
PID 1200 wrote to memory of 1616	1200	conhost.exe	netsh.exe
PID 1200 wrote to memory of 1616	1200	conhost.exe	netsh.exe
PID 1200 wrote to memory of 1616	1200	conhost.exe	netsh.exe
PID 1200 wrote to memory of 1156	1200	conhost.exe	taskkill.exe
PID 1200 wrote to memory of 1156	1200	conhost.exe	taskkill.exe
PID 1200 wrote to memory of 1156	1200	conhost.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\4159E161E24F40BD4964EB53AAEA050B685A4AA2B3BAC.exe
"C:\Users\Admin\AppData\Local\Temp\4159E161E24F40BD4964EB53AAEA050B685A4AA2B3BAC.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1128

C:\ProgramData\BitsProg.exe
"C:\ProgramData\BitsProg.exe"
2⤵
- Executes dropped EXE
PID:1680

C:\ProgramData\doclan.exe
"C:\ProgramData\doclan.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:812

C:\Users\Admin\AppData\Roaming\conhost.exe
C:\Users\Admin\AppData\Roaming\conhost.exe
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1900

C:\Users\Admin\AppData\Local\Temp\conhost.exe
"C:\Users\Admin\AppData\Local\Temp\conhost.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1200

C:\Windows\system32\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\conhost.exe" "conhost.exe" ENABLE
5⤵
PID:1616

C:\Windows\system32\taskkill.exe
taskkill /F /IM cmd.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1156

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\BitsProg.exe
MD5
4aba833aab8032707642515bebc59d1b

SHA1
d5079efd8335aa23162f0165abf426d21a105607

SHA256
822c77973808a0c96608824606d38dcf7b48684919fc2ba57965b6d45dd4b6ad

SHA512
25c86a5e9af0f951c6a5851a3e7330d517a63bdbdd245f8eb0fd3668208c585bcb121cab91ae3583a31940b15eb26711a8a424e98731c7804221d6b26a9d5a14

Download Submit
C:\ProgramData\BitsProg.exe
MD5
4aba833aab8032707642515bebc59d1b

SHA1
d5079efd8335aa23162f0165abf426d21a105607

SHA256
822c77973808a0c96608824606d38dcf7b48684919fc2ba57965b6d45dd4b6ad

SHA512
25c86a5e9af0f951c6a5851a3e7330d517a63bdbdd245f8eb0fd3668208c585bcb121cab91ae3583a31940b15eb26711a8a424e98731c7804221d6b26a9d5a14

Download Submit
C:\ProgramData\doclan.exe
MD5
b9388102124c0d070b2ae86908938b41

SHA1
bfc1a3713f25ba86ca80ed325c5ff30066ecfcc6

SHA256
f877ac762828cd7ceeb48028eb6b291a105d8c615912f86d256a6c5f48ccc779

SHA512
f417a1e4160ca7491341de5ee2413f0ca21a6d5757f05d25d176b6ab8b4ede8557891a6d2f051c4710e6714ba16a4cf1f608e5ecc32c3b10b37c3d5bac322438

Download Submit
C:\ProgramData\doclan.exe
MD5
b9388102124c0d070b2ae86908938b41

SHA1
bfc1a3713f25ba86ca80ed325c5ff30066ecfcc6

SHA256
f877ac762828cd7ceeb48028eb6b291a105d8c615912f86d256a6c5f48ccc779

SHA512
f417a1e4160ca7491341de5ee2413f0ca21a6d5757f05d25d176b6ab8b4ede8557891a6d2f051c4710e6714ba16a4cf1f608e5ecc32c3b10b37c3d5bac322438

Download Submit
C:\Users\Admin\AppData\Local\Temp\conhost.exe
MD5
00a9e6fdd884f9276c09c478a3b1d101

SHA1
3be2b06abfec17151b86bb172eba193f968a4ebc

SHA256
7e8e4fe2adb306db8d5785949c4c0e00c2c6bcc13606d78a3e1fccd0d20dd134

SHA512
23f46750190d1da38fdc91bd6b767a6125d5443d9b751736d5f02c7dfd5446e4a2b9dfc63ac8199f7893add1e651ac9b6e9d4d6e6348362262bb7034afeeea4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\conhost.exe
MD5
00a9e6fdd884f9276c09c478a3b1d101

SHA1
3be2b06abfec17151b86bb172eba193f968a4ebc

SHA256
7e8e4fe2adb306db8d5785949c4c0e00c2c6bcc13606d78a3e1fccd0d20dd134

SHA512
23f46750190d1da38fdc91bd6b767a6125d5443d9b751736d5f02c7dfd5446e4a2b9dfc63ac8199f7893add1e651ac9b6e9d4d6e6348362262bb7034afeeea4d

Download Submit
C:\Users\Admin\AppData\Roaming\conhost.exe
MD5
00a9e6fdd884f9276c09c478a3b1d101

SHA1
3be2b06abfec17151b86bb172eba193f968a4ebc

SHA256
7e8e4fe2adb306db8d5785949c4c0e00c2c6bcc13606d78a3e1fccd0d20dd134

SHA512
23f46750190d1da38fdc91bd6b767a6125d5443d9b751736d5f02c7dfd5446e4a2b9dfc63ac8199f7893add1e651ac9b6e9d4d6e6348362262bb7034afeeea4d

Download Submit
C:\Users\Admin\AppData\Roaming\conhost.exe
MD5
00a9e6fdd884f9276c09c478a3b1d101

SHA1
3be2b06abfec17151b86bb172eba193f968a4ebc

SHA256
7e8e4fe2adb306db8d5785949c4c0e00c2c6bcc13606d78a3e1fccd0d20dd134

SHA512
23f46750190d1da38fdc91bd6b767a6125d5443d9b751736d5f02c7dfd5446e4a2b9dfc63ac8199f7893add1e651ac9b6e9d4d6e6348362262bb7034afeeea4d

Download Submit
\Users\Admin\AppData\Roaming\conhost.exe
MD5
00a9e6fdd884f9276c09c478a3b1d101

SHA1
3be2b06abfec17151b86bb172eba193f968a4ebc

SHA256
7e8e4fe2adb306db8d5785949c4c0e00c2c6bcc13606d78a3e1fccd0d20dd134

SHA512
23f46750190d1da38fdc91bd6b767a6125d5443d9b751736d5f02c7dfd5446e4a2b9dfc63ac8199f7893add1e651ac9b6e9d4d6e6348362262bb7034afeeea4d

Download Submit
\Users\Admin\AppData\Roaming\conhost.exe
MD5
00a9e6fdd884f9276c09c478a3b1d101

SHA1
3be2b06abfec17151b86bb172eba193f968a4ebc

SHA256
7e8e4fe2adb306db8d5785949c4c0e00c2c6bcc13606d78a3e1fccd0d20dd134

SHA512
23f46750190d1da38fdc91bd6b767a6125d5443d9b751736d5f02c7dfd5446e4a2b9dfc63ac8199f7893add1e651ac9b6e9d4d6e6348362262bb7034afeeea4d

Download Submit
\Users\Admin\AppData\Roaming\conhost.exe
MD5
00a9e6fdd884f9276c09c478a3b1d101

SHA1
3be2b06abfec17151b86bb172eba193f968a4ebc

SHA256
7e8e4fe2adb306db8d5785949c4c0e00c2c6bcc13606d78a3e1fccd0d20dd134

SHA512
23f46750190d1da38fdc91bd6b767a6125d5443d9b751736d5f02c7dfd5446e4a2b9dfc63ac8199f7893add1e651ac9b6e9d4d6e6348362262bb7034afeeea4d

Download Submit
memory/812-62-0x0000000074B41000-0x0000000074B43000-memory.dmp

Filesize
8KB

Download
memory/812-60-0x0000000000000000-mapping.dmp

Download
memory/1128-53-0x0000000000C70000-0x0000000000C71000-memory.dmp

Filesize
4KB

Download
memory/1156-88-0x0000000000000000-mapping.dmp

Download
memory/1200-78-0x0000000000000000-mapping.dmp

Download
memory/1200-85-0x000000001B0A5000-0x000000001B0A6000-memory.dmp

Filesize
4KB

Download
memory/1200-84-0x000000001B086000-0x000000001B0A5000-memory.dmp

Filesize
124KB

Download
memory/1200-83-0x000000001B080000-0x000000001B082000-memory.dmp

Filesize
8KB

Download
memory/1200-81-0x0000000000970000-0x0000000000971000-memory.dmp

Filesize
4KB

Download
memory/1616-89-0x000007FEFB6B1000-0x000007FEFB6B3000-memory.dmp

Filesize
8KB

Download
memory/1616-87-0x0000000000000000-mapping.dmp

Download
memory/1680-55-0x0000000000000000-mapping.dmp

Download
memory/1680-69-0x0000000000600000-0x0000000000602000-memory.dmp

Filesize
8KB

Download
memory/1680-58-0x0000000001030000-0x0000000001031000-memory.dmp

Filesize
4KB

Download
memory/1680-74-0x0000000000606000-0x0000000000625000-memory.dmp

Filesize
124KB

Download
memory/1900-77-0x00000000004A0000-0x00000000004AA000-memory.dmp

Filesize
40KB

Download
memory/1900-76-0x000000001AE05000-0x000000001AE06000-memory.dmp

Filesize
4KB

Download
memory/1900-75-0x000000001ADE6000-0x000000001AE05000-memory.dmp

Filesize
124KB

Download
memory/1900-73-0x000000001ADE0000-0x000000001ADE2000-memory.dmp

Filesize
8KB

Download
memory/1900-66-0x0000000000000000-mapping.dmp

Download
memory/1900-70-0x0000000000ED0000-0x0000000000ED1000-memory.dmp

Filesize
4KB

Download