njrat | 4159e161e24f40bd4964eb53aaea050b685a4aa2b3bac12631180a6a9a403ad7

Analysis

max time kernel
150s
max time network
152s
platform
windows10_x64
resource
win10v20210408
submitted
04-10-2021 17:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4159E161E24F40BD4964EB53AAEA050B685A4AA2B3BAC.exe
Size

455KB
MD5

aba309cde7801d52d82898085394fd7a
SHA1

5ca6bbeaff94b94ad7e8c54029d3096bcd4e914e
SHA256

4159e161e24f40bd4964eb53aaea050b685a4aa2b3bac12631180a6a9a403ad7
SHA512

567141b32102ec37954437c99bd633bdc4bcd073a1d91146fc9a81b74365bb9d69917ec076c6549843aac23d56641900e09fce76e0236a024e2ae856cf34e6b5

Score

10^/10

njrat 14.04.2017 evasion persistence suricata trojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

14.04.2017

ytka.duckdns.org:1604

Mutex

ed423977d6a5549373be05c39703ea7d

Attributes

reg_key
ed423977d6a5549373be05c39703ea7d
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata
Executes dropped EXE 4 IoCs

Processes:

BitsProg.exedoclan.execonhost.execonhost.exe

pid process

1032 BitsProg.exe
1164 doclan.exe
1528 conhost.exe
1304 conhost.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Drops startup file 1 IoCs

Processes:

doclan.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\luk.lnk doclan.exe

pid	process
1032	BitsProg.exe
1164	doclan.exe
1528	conhost.exe
1304	conhost.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\luk.lnk	doclan.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

conhost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ed423977d6a5549373be05c39703ea7d = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\conhost.exe\" .."	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ed423977d6a5549373be05c39703ea7d = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\conhost.exe\" .."	conhost.exe

Drops autorun.inf file 1 TTPs
Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media
T1091
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 4 IoCs

installer

Processes:

resource	yara_rule
C:\ProgramData\doclan.exe	nsis_installer_1
C:\ProgramData\doclan.exe	nsis_installer_2
C:\ProgramData\doclan.exe	nsis_installer_1
C:\ProgramData\doclan.exe	nsis_installer_2

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

2056 taskkill.exe

pid	process
2056	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

conhost.exe

pid	process
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

conhost.exe

pid process

1304 conhost.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

Processes:

taskkill.execonhost.exe

description	pid	process
Token: SeDebugPrivilege	2056	taskkill.exe
Token: SeDebugPrivilege	1304	conhost.exe
Token: 33	1304	conhost.exe
Token: SeIncBasePriorityPrivilege	1304	conhost.exe
Token: 33	1304	conhost.exe
Token: SeIncBasePriorityPrivilege	1304	conhost.exe
Token: 33	1304	conhost.exe
Token: SeIncBasePriorityPrivilege	1304	conhost.exe
Token: 33	1304	conhost.exe
Token: SeIncBasePriorityPrivilege	1304	conhost.exe
Token: 33	1304	conhost.exe
Token: SeIncBasePriorityPrivilege	1304	conhost.exe
Token: 33	1304	conhost.exe
Token: SeIncBasePriorityPrivilege	1304	conhost.exe
Token: 33	1304	conhost.exe
Token: SeIncBasePriorityPrivilege	1304	conhost.exe
Token: 33	1304	conhost.exe
Token: SeIncBasePriorityPrivilege	1304	conhost.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

4159E161E24F40BD4964EB53AAEA050B685A4AA2B3BAC.exedoclan.execonhost.execonhost.exe

description	pid	process	target process
PID 900 wrote to memory of 1032	900	4159E161E24F40BD4964EB53AAEA050B685A4AA2B3BAC.exe	BitsProg.exe
PID 900 wrote to memory of 1032	900	4159E161E24F40BD4964EB53AAEA050B685A4AA2B3BAC.exe	BitsProg.exe
PID 900 wrote to memory of 1164	900	4159E161E24F40BD4964EB53AAEA050B685A4AA2B3BAC.exe	doclan.exe
PID 900 wrote to memory of 1164	900	4159E161E24F40BD4964EB53AAEA050B685A4AA2B3BAC.exe	doclan.exe
PID 900 wrote to memory of 1164	900	4159E161E24F40BD4964EB53AAEA050B685A4AA2B3BAC.exe	doclan.exe
PID 1164 wrote to memory of 1528	1164	doclan.exe	conhost.exe
PID 1164 wrote to memory of 1528	1164	doclan.exe	conhost.exe
PID 1528 wrote to memory of 1304	1528	conhost.exe	conhost.exe
PID 1528 wrote to memory of 1304	1528	conhost.exe	conhost.exe
PID 1304 wrote to memory of 1344	1304	conhost.exe	netsh.exe
PID 1304 wrote to memory of 1344	1304	conhost.exe	netsh.exe
PID 1304 wrote to memory of 2056	1304	conhost.exe	taskkill.exe
PID 1304 wrote to memory of 2056	1304	conhost.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\4159E161E24F40BD4964EB53AAEA050B685A4AA2B3BAC.exe
"C:\Users\Admin\AppData\Local\Temp\4159E161E24F40BD4964EB53AAEA050B685A4AA2B3BAC.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:900

C:\ProgramData\BitsProg.exe
"C:\ProgramData\BitsProg.exe"
2⤵
- Executes dropped EXE
PID:1032

C:\ProgramData\doclan.exe
"C:\ProgramData\doclan.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:1164

C:\Users\Admin\AppData\Roaming\conhost.exe
C:\Users\Admin\AppData\Roaming\conhost.exe
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1528

C:\Users\Admin\AppData\Local\Temp\conhost.exe
"C:\Users\Admin\AppData\Local\Temp\conhost.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1304

C:\Windows\SYSTEM32\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\conhost.exe" "conhost.exe" ENABLE
5⤵
PID:1344

C:\Windows\SYSTEM32\taskkill.exe
taskkill /F /IM cmd.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2056

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\BitsProg.exe
MD5
4aba833aab8032707642515bebc59d1b

SHA1
d5079efd8335aa23162f0165abf426d21a105607

SHA256
822c77973808a0c96608824606d38dcf7b48684919fc2ba57965b6d45dd4b6ad

SHA512
25c86a5e9af0f951c6a5851a3e7330d517a63bdbdd245f8eb0fd3668208c585bcb121cab91ae3583a31940b15eb26711a8a424e98731c7804221d6b26a9d5a14

Download Submit
C:\ProgramData\BitsProg.exe
MD5
4aba833aab8032707642515bebc59d1b

SHA1
d5079efd8335aa23162f0165abf426d21a105607

SHA256
822c77973808a0c96608824606d38dcf7b48684919fc2ba57965b6d45dd4b6ad

SHA512
25c86a5e9af0f951c6a5851a3e7330d517a63bdbdd245f8eb0fd3668208c585bcb121cab91ae3583a31940b15eb26711a8a424e98731c7804221d6b26a9d5a14

Download Submit
C:\ProgramData\doclan.exe
MD5
b9388102124c0d070b2ae86908938b41

SHA1
bfc1a3713f25ba86ca80ed325c5ff30066ecfcc6

SHA256
f877ac762828cd7ceeb48028eb6b291a105d8c615912f86d256a6c5f48ccc779

SHA512
f417a1e4160ca7491341de5ee2413f0ca21a6d5757f05d25d176b6ab8b4ede8557891a6d2f051c4710e6714ba16a4cf1f608e5ecc32c3b10b37c3d5bac322438

Download Submit
C:\ProgramData\doclan.exe
MD5
b9388102124c0d070b2ae86908938b41

SHA1
bfc1a3713f25ba86ca80ed325c5ff30066ecfcc6

SHA256
f877ac762828cd7ceeb48028eb6b291a105d8c615912f86d256a6c5f48ccc779

SHA512
f417a1e4160ca7491341de5ee2413f0ca21a6d5757f05d25d176b6ab8b4ede8557891a6d2f051c4710e6714ba16a4cf1f608e5ecc32c3b10b37c3d5bac322438

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log
MD5
4252bfc7065ad227b5ee7458e3670d2e

SHA1
7153bdb8152a29d1d3f5911df07bf8725d380d30

SHA256
e5456fe707c888b0183c697a07511d7d9fb068a028f37653b2c5cc032ec81a1b

SHA512
1fe2ddfc524962beb0b1ff320ea458fe71c172fc1e63cad8416cfe123177d8c4aa437f8415d8f7d26ab572ce327be66c99a055d0c15514e3d0c1d33d9a823abd

Download Submit
C:\Users\Admin\AppData\Local\Temp\conhost.exe
MD5
00a9e6fdd884f9276c09c478a3b1d101

SHA1
3be2b06abfec17151b86bb172eba193f968a4ebc

SHA256
7e8e4fe2adb306db8d5785949c4c0e00c2c6bcc13606d78a3e1fccd0d20dd134

SHA512
23f46750190d1da38fdc91bd6b767a6125d5443d9b751736d5f02c7dfd5446e4a2b9dfc63ac8199f7893add1e651ac9b6e9d4d6e6348362262bb7034afeeea4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\conhost.exe
MD5
00a9e6fdd884f9276c09c478a3b1d101

SHA1
3be2b06abfec17151b86bb172eba193f968a4ebc

SHA256
7e8e4fe2adb306db8d5785949c4c0e00c2c6bcc13606d78a3e1fccd0d20dd134

SHA512
23f46750190d1da38fdc91bd6b767a6125d5443d9b751736d5f02c7dfd5446e4a2b9dfc63ac8199f7893add1e651ac9b6e9d4d6e6348362262bb7034afeeea4d

Download Submit
C:\Users\Admin\AppData\Roaming\conhost.exe
MD5
00a9e6fdd884f9276c09c478a3b1d101

SHA1
3be2b06abfec17151b86bb172eba193f968a4ebc

SHA256
7e8e4fe2adb306db8d5785949c4c0e00c2c6bcc13606d78a3e1fccd0d20dd134

SHA512
23f46750190d1da38fdc91bd6b767a6125d5443d9b751736d5f02c7dfd5446e4a2b9dfc63ac8199f7893add1e651ac9b6e9d4d6e6348362262bb7034afeeea4d

Download Submit
C:\Users\Admin\AppData\Roaming\conhost.exe
MD5
00a9e6fdd884f9276c09c478a3b1d101

SHA1
3be2b06abfec17151b86bb172eba193f968a4ebc

SHA256
7e8e4fe2adb306db8d5785949c4c0e00c2c6bcc13606d78a3e1fccd0d20dd134

SHA512
23f46750190d1da38fdc91bd6b767a6125d5443d9b751736d5f02c7dfd5446e4a2b9dfc63ac8199f7893add1e651ac9b6e9d4d6e6348362262bb7034afeeea4d

Download Submit
memory/900-114-0x0000000000F90000-0x0000000000F91000-memory.dmp

Filesize
4KB

Download
memory/1032-116-0x0000000000000000-mapping.dmp

Download
memory/1032-119-0x000002B12AF50000-0x000002B12AF51000-memory.dmp

Filesize
4KB

Download
memory/1032-132-0x000002B145564000-0x000002B145566000-memory.dmp

Filesize
8KB

Download
memory/1032-123-0x000002B145560000-0x000002B145562000-memory.dmp

Filesize
8KB

Download
memory/1032-130-0x000002B145562000-0x000002B145564000-memory.dmp

Filesize
8KB

Download
memory/1164-121-0x0000000000000000-mapping.dmp

Download
memory/1304-148-0x000000001B5E4000-0x000000001B5E6000-memory.dmp

Filesize
8KB

Download
memory/1304-146-0x000000001B5E0000-0x000000001B5E2000-memory.dmp

Filesize
8KB

Download
memory/1304-147-0x000000001B5E2000-0x000000001B5E4000-memory.dmp

Filesize
8KB

Download
memory/1304-139-0x0000000000000000-mapping.dmp

Download
memory/1344-152-0x0000000000000000-mapping.dmp

Download
memory/1528-131-0x000000001B450000-0x000000001B452000-memory.dmp

Filesize
8KB

Download
memory/1528-138-0x00000000026B0000-0x00000000026B1000-memory.dmp

Filesize
4KB

Download
memory/1528-137-0x0000000002610000-0x000000000261A000-memory.dmp

Filesize
40KB

Download
memory/1528-136-0x000000001AB50000-0x000000001AB51000-memory.dmp

Filesize
4KB

Download
memory/1528-134-0x000000001B452000-0x000000001B454000-memory.dmp

Filesize
8KB

Download
memory/1528-135-0x000000001B454000-0x000000001B456000-memory.dmp

Filesize
8KB

Download
memory/1528-133-0x000000001E3E0000-0x000000001E3E1000-memory.dmp

Filesize
4KB

Download
memory/1528-128-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/1528-125-0x0000000000000000-mapping.dmp

Download
memory/2056-153-0x0000000000000000-mapping.dmp

Download