njrat | 8b54ac281ea90d359b212b1ce7ffd0b4ac5cab9ee2f93bd9ca393b992556e80a

General

Target

8B54AC281EA90D359B212B1CE7FFD0B4AC5CAB9EE2F93.exe
Size

395KB
MD5

72a2512b36128f94127a7206df3a5032
SHA1

6a3873d420dad9f5f20ce7f8493efc3c2cfe5a18
SHA256

8b54ac281ea90d359b212b1ce7ffd0b4ac5cab9ee2f93bd9ca393b992556e80a
SHA512

2122b37537c94960ba2154e8c15acd2b3983cf53314e8368b02ee87956e8d98287163f64917a844be30dae8a7c0936604b4ec94df0fc81192d270865ac640166

Score

10^/10

njrat lammer evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

Lammer

C2

6.tcp.ngrok.io:16860

Mutex

142514b06c5331e576c2b748ba1ec681

Attributes

reg_key
142514b06c5331e576c2b748ba1ec681
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 3 IoCs

Processes:

server.EXECSGhost-V4.EXEtemp_wrapped_31366.exe

pid process

296 server.EXE
2272 CSGhost-V4.EXE
3232 temp_wrapped_31366.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

pid	process
296	server.EXE
2272	CSGhost-V4.EXE
3232	temp_wrapped_31366.exe

Drops startup file 2 IoCs

Processes:

server.EXE

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\142514b06c5331e576c2b748ba1ec681.exe	server.EXE
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\142514b06c5331e576c2b748ba1ec681.exe	server.EXE

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

server.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\142514b06c5331e576c2b748ba1ec681 = "\"C:\\Users\\Admin\\AppData\\Roaming\\server.EXE\" .."	server.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\142514b06c5331e576c2b748ba1ec681 = "\"C:\\Users\\Admin\\AppData\\Roaming\\server.EXE\" .."	server.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

temp_wrapped_31366.exe

pid	process
3232	temp_wrapped_31366.exe
3232	temp_wrapped_31366.exe
3232	temp_wrapped_31366.exe
3232	temp_wrapped_31366.exe
3232	temp_wrapped_31366.exe
3232	temp_wrapped_31366.exe
3232	temp_wrapped_31366.exe
3232	temp_wrapped_31366.exe
3232	temp_wrapped_31366.exe
3232	temp_wrapped_31366.exe
3232	temp_wrapped_31366.exe
3232	temp_wrapped_31366.exe
3232	temp_wrapped_31366.exe
3232	temp_wrapped_31366.exe
3232	temp_wrapped_31366.exe
3232	temp_wrapped_31366.exe
3232	temp_wrapped_31366.exe
3232	temp_wrapped_31366.exe
3232	temp_wrapped_31366.exe
3232	temp_wrapped_31366.exe
3232	temp_wrapped_31366.exe
3232	temp_wrapped_31366.exe
3232	temp_wrapped_31366.exe
3232	temp_wrapped_31366.exe
3232	temp_wrapped_31366.exe
3232	temp_wrapped_31366.exe
3232	temp_wrapped_31366.exe
3232	temp_wrapped_31366.exe
3232	temp_wrapped_31366.exe
3232	temp_wrapped_31366.exe
3232	temp_wrapped_31366.exe
3232	temp_wrapped_31366.exe
3232	temp_wrapped_31366.exe
3232	temp_wrapped_31366.exe
3232	temp_wrapped_31366.exe
3232	temp_wrapped_31366.exe
3232	temp_wrapped_31366.exe
3232	temp_wrapped_31366.exe
3232	temp_wrapped_31366.exe
3232	temp_wrapped_31366.exe
3232	temp_wrapped_31366.exe
3232	temp_wrapped_31366.exe
3232	temp_wrapped_31366.exe
3232	temp_wrapped_31366.exe
3232	temp_wrapped_31366.exe
3232	temp_wrapped_31366.exe
3232	temp_wrapped_31366.exe
3232	temp_wrapped_31366.exe
3232	temp_wrapped_31366.exe
3232	temp_wrapped_31366.exe
3232	temp_wrapped_31366.exe
3232	temp_wrapped_31366.exe
3232	temp_wrapped_31366.exe
3232	temp_wrapped_31366.exe
3232	temp_wrapped_31366.exe
3232	temp_wrapped_31366.exe
3232	temp_wrapped_31366.exe
3232	temp_wrapped_31366.exe
3232	temp_wrapped_31366.exe
3232	temp_wrapped_31366.exe
3232	temp_wrapped_31366.exe
3232	temp_wrapped_31366.exe
3232	temp_wrapped_31366.exe
3232	temp_wrapped_31366.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

Processes:

server.EXE

description	pid	process
Token: SeDebugPrivilege	296	server.EXE
Token: 33	296	server.EXE
Token: SeIncBasePriorityPrivilege	296	server.EXE
Token: 33	296	server.EXE
Token: SeIncBasePriorityPrivilege	296	server.EXE
Token: 33	296	server.EXE
Token: SeIncBasePriorityPrivilege	296	server.EXE
Token: 33	296	server.EXE
Token: SeIncBasePriorityPrivilege	296	server.EXE
Token: 33	296	server.EXE
Token: SeIncBasePriorityPrivilege	296	server.EXE
Token: 33	296	server.EXE
Token: SeIncBasePriorityPrivilege	296	server.EXE
Token: 33	296	server.EXE
Token: SeIncBasePriorityPrivilege	296	server.EXE
Token: 33	296	server.EXE
Token: SeIncBasePriorityPrivilege	296	server.EXE
Token: 33	296	server.EXE
Token: SeIncBasePriorityPrivilege	296	server.EXE
Token: 33	296	server.EXE
Token: SeIncBasePriorityPrivilege	296	server.EXE
Token: 33	296	server.EXE
Token: SeIncBasePriorityPrivilege	296	server.EXE
Token: 33	296	server.EXE
Token: SeIncBasePriorityPrivilege	296	server.EXE
Token: 33	296	server.EXE
Token: SeIncBasePriorityPrivilege	296	server.EXE
Token: 33	296	server.EXE
Token: SeIncBasePriorityPrivilege	296	server.EXE
Token: 33	296	server.EXE
Token: SeIncBasePriorityPrivilege	296	server.EXE
Token: 33	296	server.EXE
Token: SeIncBasePriorityPrivilege	296	server.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

CSGhost-V4.EXEtemp_wrapped_31366.exe

pid process

2272 CSGhost-V4.EXE
3232 temp_wrapped_31366.exe

pid	process
2272	CSGhost-V4.EXE
3232	temp_wrapped_31366.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

8B54AC281EA90D359B212B1CE7FFD0B4AC5CAB9EE2F93.exeCSGhost-V4.EXEserver.EXE

description	pid	process	target process
PID 1400 wrote to memory of 296	1400	8B54AC281EA90D359B212B1CE7FFD0B4AC5CAB9EE2F93.exe	server.EXE
PID 1400 wrote to memory of 296	1400	8B54AC281EA90D359B212B1CE7FFD0B4AC5CAB9EE2F93.exe	server.EXE
PID 1400 wrote to memory of 296	1400	8B54AC281EA90D359B212B1CE7FFD0B4AC5CAB9EE2F93.exe	server.EXE
PID 1400 wrote to memory of 2272	1400	8B54AC281EA90D359B212B1CE7FFD0B4AC5CAB9EE2F93.exe	CSGhost-V4.EXE
PID 1400 wrote to memory of 2272	1400	8B54AC281EA90D359B212B1CE7FFD0B4AC5CAB9EE2F93.exe	CSGhost-V4.EXE
PID 2272 wrote to memory of 3232	2272	CSGhost-V4.EXE	temp_wrapped_31366.exe
PID 2272 wrote to memory of 3232	2272	CSGhost-V4.EXE	temp_wrapped_31366.exe
PID 2272 wrote to memory of 3232	2272	CSGhost-V4.EXE	temp_wrapped_31366.exe
PID 296 wrote to memory of 1756	296	server.EXE	netsh.exe
PID 296 wrote to memory of 1756	296	server.EXE	netsh.exe
PID 296 wrote to memory of 1756	296	server.EXE	netsh.exe

C:\Users\Admin\AppData\Local\Temp\8B54AC281EA90D359B212B1CE7FFD0B4AC5CAB9EE2F93.exe
"C:\Users\Admin\AppData\Local\Temp\8B54AC281EA90D359B212B1CE7FFD0B4AC5CAB9EE2F93.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1400

C:\Users\Admin\AppData\Roaming\server.EXE
"C:\Users\Admin\AppData\Roaming\server.EXE"
2⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:296

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.EXE" "server.EXE" ENABLE
3⤵
PID:1756

C:\Users\Admin\AppData\Roaming\CSGhost-V4.EXE
"C:\Users\Admin\AppData\Roaming\CSGhost-V4.EXE"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2272

C:\Users\Admin\AppData\Local\Temp\temp_wrapped_31366.exe
"C:\Users\Admin\AppData\Local\Temp\temp_wrapped_31366.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3232

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\temp_wrapped_31366.exe
MD5
6626698df959dedebe4bba05a5212cb6

SHA1
44b29eea5e11a7805fe74df6d7acc708d4e2c04f

SHA256
ca7847a603db8ee2912c946b15ba8f7c6e4a6de13f8192792e58287859dee57a

SHA512
312b55a55348dbe85222d80df3142806411537e2fdee5338c0062825f030be73b5142d452c861059988c40c8172d1a3baa3f0d1f97dac6c7dff17c31d01822e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp_wrapped_31366.exe
MD5
6626698df959dedebe4bba05a5212cb6

SHA1
44b29eea5e11a7805fe74df6d7acc708d4e2c04f

SHA256
ca7847a603db8ee2912c946b15ba8f7c6e4a6de13f8192792e58287859dee57a

SHA512
312b55a55348dbe85222d80df3142806411537e2fdee5338c0062825f030be73b5142d452c861059988c40c8172d1a3baa3f0d1f97dac6c7dff17c31d01822e8

Download Submit
C:\Users\Admin\AppData\Roaming\CSGhost-V4.EXE
MD5
f46ebc4410101fc838ca6dbab76c90e1

SHA1
f687b1880256cf8261c16a18cea4b5d2b76c92d3

SHA256
724c6c491d8d46f9a7e41192ba5926f0ee7b82e9315761f51520c9b6d2ee4be0

SHA512
244f7a5f46178b7c2935e2261d7fef5af8dfb55113388b8dce2dca070885cfe480913e1325a519cfd2e8b3351b12142edb989d2d8da6b153814b0bb3f3e217f1

Download Submit
C:\Users\Admin\AppData\Roaming\CSGhost-v4.exe
MD5
f46ebc4410101fc838ca6dbab76c90e1

SHA1
f687b1880256cf8261c16a18cea4b5d2b76c92d3

SHA256
724c6c491d8d46f9a7e41192ba5926f0ee7b82e9315761f51520c9b6d2ee4be0

SHA512
244f7a5f46178b7c2935e2261d7fef5af8dfb55113388b8dce2dca070885cfe480913e1325a519cfd2e8b3351b12142edb989d2d8da6b153814b0bb3f3e217f1

Download Submit
C:\Users\Admin\AppData\Roaming\server.EXE
MD5
a873745adb5279248a7ea3cccff26c3c

SHA1
551fb96900684f790fca3b2b837d1c88ef0508dc

SHA256
8320f6171990184f84338329dae465e33ef90e1a9584e7087b226d682b8e1594

SHA512
09d94e876577cd9c1ae164bb6bfa94fc440482f2fc5e775b6d7222508ad4ef53697f2164044b30789d7a2cf4f703a98d4958968c7cd774811a89a2188310b87f

Download Submit
C:\Users\Admin\AppData\Roaming\server.exe
MD5
a873745adb5279248a7ea3cccff26c3c

SHA1
551fb96900684f790fca3b2b837d1c88ef0508dc

SHA256
8320f6171990184f84338329dae465e33ef90e1a9584e7087b226d682b8e1594

SHA512
09d94e876577cd9c1ae164bb6bfa94fc440482f2fc5e775b6d7222508ad4ef53697f2164044b30789d7a2cf4f703a98d4958968c7cd774811a89a2188310b87f

Download Submit
memory/296-116-0x0000000000000000-mapping.dmp

Download
memory/296-125-0x0000000002D90000-0x0000000002D91000-memory.dmp

Filesize
4KB

Download
memory/1400-114-0x0000000000850000-0x0000000000851000-memory.dmp

Filesize
4KB

Download
memory/1400-115-0x0000000000850000-0x0000000000851000-memory.dmp

Filesize
4KB

Download
memory/1756-126-0x0000000000000000-mapping.dmp

Download
memory/2272-119-0x0000000000000000-mapping.dmp

Download
memory/3232-122-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads