njrat | 8b79e79f75578ab62d83e89b6bfaf5404fa868041b880995579f3cd6ae6f995e

General

Target

5afd70d54cc4af7f236894d674842493.exe
Size

776KB
MD5

5afd70d54cc4af7f236894d674842493
SHA1

6565657adebd3063ba85886e551e551b0bbd6fdb
SHA256

8b79e79f75578ab62d83e89b6bfaf5404fa868041b880995579f3cd6ae6f995e
SHA512

6fa7daafcd661d873bae7e092fab5c89f8a56978003d31b3b91eabc735e50ecc01b8e90f90fbcec193c0656f134b6ce69c98825cfbaeaa07a536ddc5eea641fa

Score

10^/10

njrat taurus batvoi evasion persistence spyware stealer trojan

Malware Config

Extracted

Family

njrat

Version

Carbonblack2102

Botnet

batvoi

C2

1368.vnh.wtf:5552

Mutex

0de45b5c6627a3e65a4b2a1e68ec841b

Attributes

reg_key
0de45b5c6627a3e65a4b2a1e68ec841b
splitter
|'|'|

Signatures

Taurus Stealer
Taurus is an infostealer first seen in June 2020.
trojan stealer taurus

Taurus Stealer Payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1924-153-0x0000000000400000-0x0000000000437000-memory.dmp	family_taurus_stealer
behavioral2/memory/1924-154-0x000000000041CEE8-mapping.dmp	family_taurus_stealer
behavioral2/memory/1924-155-0x0000000000400000-0x0000000000437000-memory.dmp	family_taurus_stealer

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 4 IoCs

Processes:

WMI PERFORMANCE REVERSE ADAPTER.EXEWMI PERFORMANCE REVERSE ADPIRE.EXEWOXY 3.0 [CRACK.SX].EXEWMI Performance Reverse Adapters.exe

pid	process
1360	WMI PERFORMANCE REVERSE ADAPTER.EXE
2964	WMI PERFORMANCE REVERSE ADPIRE.EXE
924	WOXY 3.0 [CRACK.SX].EXE
596	WMI Performance Reverse Adapters.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Drops startup file 2 IoCs

Processes:

WMI Performance Reverse Adapters.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0de45b5c6627a3e65a4b2a1e68ec841b.exe	WMI Performance Reverse Adapters.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0de45b5c6627a3e65a4b2a1e68ec841b.exe	WMI Performance Reverse Adapters.exe

Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WMI Performance Reverse Adapters.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\0de45b5c6627a3e65a4b2a1e68ec841b = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WMI Performance Reverse Adapters.exe\" .."	WMI Performance Reverse Adapters.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\0de45b5c6627a3e65a4b2a1e68ec841b = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WMI Performance Reverse Adapters.exe\" .."	WMI Performance Reverse Adapters.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

WMI PERFORMANCE REVERSE ADPIRE.EXE

description pid process target process

PID 2964 set thread context of 1924 2964 WMI PERFORMANCE REVERSE ADPIRE.EXE mscorsvw.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1908 924 WerFault.exe WOXY 3.0 [CRACK.SX].EXE

description	pid	process	target process
PID 2964 set thread context of 1924	2964	WMI PERFORMANCE REVERSE ADPIRE.EXE	mscorsvw.exe

pid	pid_target	process	target process
1908	924	WerFault.exe	WOXY 3.0 [CRACK.SX].EXE

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

WerFault.exe

pid	process
1908	WerFault.exe
1908	WerFault.exe
1908	WerFault.exe
1908	WerFault.exe
1908	WerFault.exe
1908	WerFault.exe
1908	WerFault.exe
1908	WerFault.exe
1908	WerFault.exe
1908	WerFault.exe
1908	WerFault.exe
1908	WerFault.exe
1908	WerFault.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

WMI PERFORMANCE REVERSE ADPIRE.EXEWerFault.exeWMI Performance Reverse Adapters.exe

description	pid	process
Token: SeDebugPrivilege	2964	WMI PERFORMANCE REVERSE ADPIRE.EXE
Token: SeRestorePrivilege	1908	WerFault.exe
Token: SeBackupPrivilege	1908	WerFault.exe
Token: SeDebugPrivilege	1908	WerFault.exe
Token: SeDebugPrivilege	596	WMI Performance Reverse Adapters.exe
Token: 33	596	WMI Performance Reverse Adapters.exe
Token: SeIncBasePriorityPrivilege	596	WMI Performance Reverse Adapters.exe
Token: 33	596	WMI Performance Reverse Adapters.exe
Token: SeIncBasePriorityPrivilege	596	WMI Performance Reverse Adapters.exe
Token: 33	596	WMI Performance Reverse Adapters.exe
Token: SeIncBasePriorityPrivilege	596	WMI Performance Reverse Adapters.exe
Token: 33	596	WMI Performance Reverse Adapters.exe
Token: SeIncBasePriorityPrivilege	596	WMI Performance Reverse Adapters.exe
Token: 33	596	WMI Performance Reverse Adapters.exe
Token: SeIncBasePriorityPrivilege	596	WMI Performance Reverse Adapters.exe
Token: 33	596	WMI Performance Reverse Adapters.exe
Token: SeIncBasePriorityPrivilege	596	WMI Performance Reverse Adapters.exe
Token: 33	596	WMI Performance Reverse Adapters.exe
Token: SeIncBasePriorityPrivilege	596	WMI Performance Reverse Adapters.exe
Token: 33	596	WMI Performance Reverse Adapters.exe
Token: SeIncBasePriorityPrivilege	596	WMI Performance Reverse Adapters.exe
Token: 33	596	WMI Performance Reverse Adapters.exe
Token: SeIncBasePriorityPrivilege	596	WMI Performance Reverse Adapters.exe
Token: 33	596	WMI Performance Reverse Adapters.exe
Token: SeIncBasePriorityPrivilege	596	WMI Performance Reverse Adapters.exe
Token: 33	596	WMI Performance Reverse Adapters.exe
Token: SeIncBasePriorityPrivilege	596	WMI Performance Reverse Adapters.exe
Token: 33	596	WMI Performance Reverse Adapters.exe
Token: SeIncBasePriorityPrivilege	596	WMI Performance Reverse Adapters.exe
Token: 33	596	WMI Performance Reverse Adapters.exe
Token: SeIncBasePriorityPrivilege	596	WMI Performance Reverse Adapters.exe
Token: 33	596	WMI Performance Reverse Adapters.exe
Token: SeIncBasePriorityPrivilege	596	WMI Performance Reverse Adapters.exe
Token: 33	596	WMI Performance Reverse Adapters.exe
Token: SeIncBasePriorityPrivilege	596	WMI Performance Reverse Adapters.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

5afd70d54cc4af7f236894d674842493.exeWMI PERFORMANCE REVERSE ADAPTER.EXEWMI Performance Reverse Adapters.exeWMI PERFORMANCE REVERSE ADPIRE.EXE

description	pid	process	target process
PID 2176 wrote to memory of 1360	2176	5afd70d54cc4af7f236894d674842493.exe	WMI PERFORMANCE REVERSE ADAPTER.EXE
PID 2176 wrote to memory of 1360	2176	5afd70d54cc4af7f236894d674842493.exe	WMI PERFORMANCE REVERSE ADAPTER.EXE
PID 2176 wrote to memory of 1360	2176	5afd70d54cc4af7f236894d674842493.exe	WMI PERFORMANCE REVERSE ADAPTER.EXE
PID 2176 wrote to memory of 2964	2176	5afd70d54cc4af7f236894d674842493.exe	WMI PERFORMANCE REVERSE ADPIRE.EXE
PID 2176 wrote to memory of 2964	2176	5afd70d54cc4af7f236894d674842493.exe	WMI PERFORMANCE REVERSE ADPIRE.EXE
PID 2176 wrote to memory of 2964	2176	5afd70d54cc4af7f236894d674842493.exe	WMI PERFORMANCE REVERSE ADPIRE.EXE
PID 2176 wrote to memory of 924	2176	5afd70d54cc4af7f236894d674842493.exe	WOXY 3.0 [CRACK.SX].EXE
PID 2176 wrote to memory of 924	2176	5afd70d54cc4af7f236894d674842493.exe	WOXY 3.0 [CRACK.SX].EXE
PID 2176 wrote to memory of 924	2176	5afd70d54cc4af7f236894d674842493.exe	WOXY 3.0 [CRACK.SX].EXE
PID 1360 wrote to memory of 596	1360	WMI PERFORMANCE REVERSE ADAPTER.EXE	WMI Performance Reverse Adapters.exe
PID 1360 wrote to memory of 596	1360	WMI PERFORMANCE REVERSE ADAPTER.EXE	WMI Performance Reverse Adapters.exe
PID 1360 wrote to memory of 596	1360	WMI PERFORMANCE REVERSE ADAPTER.EXE	WMI Performance Reverse Adapters.exe
PID 596 wrote to memory of 836	596	WMI Performance Reverse Adapters.exe	netsh.exe
PID 596 wrote to memory of 836	596	WMI Performance Reverse Adapters.exe	netsh.exe
PID 596 wrote to memory of 836	596	WMI Performance Reverse Adapters.exe	netsh.exe
PID 2964 wrote to memory of 1924	2964	WMI PERFORMANCE REVERSE ADPIRE.EXE	mscorsvw.exe
PID 2964 wrote to memory of 1924	2964	WMI PERFORMANCE REVERSE ADPIRE.EXE	mscorsvw.exe
PID 2964 wrote to memory of 1924	2964	WMI PERFORMANCE REVERSE ADPIRE.EXE	mscorsvw.exe
PID 2964 wrote to memory of 1924	2964	WMI PERFORMANCE REVERSE ADPIRE.EXE	mscorsvw.exe
PID 2964 wrote to memory of 1924	2964	WMI PERFORMANCE REVERSE ADPIRE.EXE	mscorsvw.exe
PID 2964 wrote to memory of 1924	2964	WMI PERFORMANCE REVERSE ADPIRE.EXE	mscorsvw.exe
PID 2964 wrote to memory of 1924	2964	WMI PERFORMANCE REVERSE ADPIRE.EXE	mscorsvw.exe
PID 2964 wrote to memory of 1924	2964	WMI PERFORMANCE REVERSE ADPIRE.EXE	mscorsvw.exe
PID 2964 wrote to memory of 1924	2964	WMI PERFORMANCE REVERSE ADPIRE.EXE	mscorsvw.exe

C:\Users\Admin\AppData\Local\Temp\5afd70d54cc4af7f236894d674842493.exe
"C:\Users\Admin\AppData\Local\Temp\5afd70d54cc4af7f236894d674842493.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2176

C:\Users\Admin\AppData\Local\Temp\WMI PERFORMANCE REVERSE ADAPTER.EXE
"C:\Users\Admin\AppData\Local\Temp\WMI PERFORMANCE REVERSE ADAPTER.EXE"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1360

C:\Users\Admin\AppData\Local\Temp\WMI Performance Reverse Adapters.exe
"C:\Users\Admin\AppData\Local\Temp\WMI Performance Reverse Adapters.exe"
3⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:596

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\WMI Performance Reverse Adapters.exe" "WMI Performance Reverse Adapters.exe" ENABLE
4⤵
PID:836

C:\Users\Admin\AppData\Local\Temp\WMI PERFORMANCE REVERSE ADPIRE.EXE
"C:\Users\Admin\AppData\Local\Temp\WMI PERFORMANCE REVERSE ADPIRE.EXE"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2964

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe"
3⤵
PID:1924

C:\Users\Admin\AppData\Local\Temp\WOXY 3.0 [CRACK.SX].EXE
"C:\Users\Admin\AppData\Local\Temp\WOXY 3.0 [CRACK.SX].EXE"
2⤵
- Executes dropped EXE
PID:924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 924 -s 872
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1908

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\WMI PERFORMANCE REVERSE ADAPTER.EXE

MD5
870a6f849d1e8f3297d3d947de1d3dda

SHA1
2f618fdf99aa8b94c7ef34fe93f73fce8afeaf97

SHA256
b94a72f37633262bc036a0ff29cdd2ec4f6f26ea3dee357ef727defeffcea39b

SHA512
f3cbf80e3b5200bc926b098840230189c15dcd7cd81792fa3461de5c999f83f352a5529db3c3fc045e43110c9e35d8676bdb3343597663f17dfd840e503adad7

Download Submit
C:\Users\Admin\AppData\Local\Temp\WMI PERFORMANCE REVERSE ADAPTER.EXE

MD5
870a6f849d1e8f3297d3d947de1d3dda

SHA1
2f618fdf99aa8b94c7ef34fe93f73fce8afeaf97

SHA256
b94a72f37633262bc036a0ff29cdd2ec4f6f26ea3dee357ef727defeffcea39b

SHA512
f3cbf80e3b5200bc926b098840230189c15dcd7cd81792fa3461de5c999f83f352a5529db3c3fc045e43110c9e35d8676bdb3343597663f17dfd840e503adad7

Download Submit
C:\Users\Admin\AppData\Local\Temp\WMI PERFORMANCE REVERSE ADPIRE.EXE

MD5
5375abc86290f5c3ffa86d4129e4bd27

SHA1
a1a3b2165549bd4c34985d3a230f8304202926ab

SHA256
c499e93433a8ff462799108ac5462ce05fa93bf716f3723fbccb7ff13dbebb9f

SHA512
f951acf23e5576fae983fd805a32eebea95966c74ffffd99bbd6de17d2e5db0db9b282c242d00e5515b4d67d885f09c749fae09aece26275f17f0d20670b6709

Download Submit
C:\Users\Admin\AppData\Local\Temp\WMI PERFORMANCE REVERSE ADPIRE.EXE

MD5
5375abc86290f5c3ffa86d4129e4bd27

SHA1
a1a3b2165549bd4c34985d3a230f8304202926ab

SHA256
c499e93433a8ff462799108ac5462ce05fa93bf716f3723fbccb7ff13dbebb9f

SHA512
f951acf23e5576fae983fd805a32eebea95966c74ffffd99bbd6de17d2e5db0db9b282c242d00e5515b4d67d885f09c749fae09aece26275f17f0d20670b6709

Download Submit
C:\Users\Admin\AppData\Local\Temp\WMI Performance Reverse Adapters.exe

MD5
870a6f849d1e8f3297d3d947de1d3dda

SHA1
2f618fdf99aa8b94c7ef34fe93f73fce8afeaf97

SHA256
b94a72f37633262bc036a0ff29cdd2ec4f6f26ea3dee357ef727defeffcea39b

SHA512
f3cbf80e3b5200bc926b098840230189c15dcd7cd81792fa3461de5c999f83f352a5529db3c3fc045e43110c9e35d8676bdb3343597663f17dfd840e503adad7

Download Submit
C:\Users\Admin\AppData\Local\Temp\WMI Performance Reverse Adapters.exe

MD5
870a6f849d1e8f3297d3d947de1d3dda

SHA1
2f618fdf99aa8b94c7ef34fe93f73fce8afeaf97

SHA256
b94a72f37633262bc036a0ff29cdd2ec4f6f26ea3dee357ef727defeffcea39b

SHA512
f3cbf80e3b5200bc926b098840230189c15dcd7cd81792fa3461de5c999f83f352a5529db3c3fc045e43110c9e35d8676bdb3343597663f17dfd840e503adad7

Download Submit
C:\Users\Admin\AppData\Local\Temp\WOXY 3.0 [CRACK.SX].EXE

MD5
7750a6691f29ecb236c82e0e6c082625

SHA1
8f4612f45d417f5db5f577687dd9be2131f7aa65

SHA256
464375a7177f6500882be8fea8660b82be9669b16b86f700f79bf5334817afbf

SHA512
645c96b8028fbacc853075792c7e728a7b293f42fe47fbc2ddf7fba9cebf0beab731314defcbc0bb12a16e7898a558979dba5bbd1d687713eb1a73a17908143f

Download Submit
C:\Users\Admin\AppData\Local\Temp\WOXY 3.0 [CRACK.SX].EXE

MD5
7750a6691f29ecb236c82e0e6c082625

SHA1
8f4612f45d417f5db5f577687dd9be2131f7aa65

SHA256
464375a7177f6500882be8fea8660b82be9669b16b86f700f79bf5334817afbf

SHA512
645c96b8028fbacc853075792c7e728a7b293f42fe47fbc2ddf7fba9cebf0beab731314defcbc0bb12a16e7898a558979dba5bbd1d687713eb1a73a17908143f

Download Submit
memory/596-150-0x0000000005470000-0x0000000005471000-memory.dmp

Filesize
4KB

Download
memory/596-149-0x0000000005470000-0x000000000596E000-memory.dmp

Filesize
5.0MB

Download
memory/596-140-0x0000000000000000-mapping.dmp

Download
memory/836-147-0x0000000000000000-mapping.dmp

Download
memory/924-138-0x00000000054F0000-0x00000000054F1000-memory.dmp

Filesize
4KB

Download
memory/924-128-0x0000000000820000-0x0000000000821000-memory.dmp

Filesize
4KB

Download
memory/924-121-0x0000000000000000-mapping.dmp

Download
memory/924-134-0x00000000051E0000-0x00000000051E1000-memory.dmp

Filesize
4KB

Download
memory/1360-131-0x0000000004FB0000-0x0000000004FB1000-memory.dmp

Filesize
4KB

Download
memory/1360-130-0x0000000004990000-0x0000000004991000-memory.dmp

Filesize
4KB

Download
memory/1360-125-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/1360-115-0x0000000000000000-mapping.dmp

Download
memory/1924-155-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1924-154-0x000000000041CEE8-mapping.dmp

Download
memory/1924-153-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2964-133-0x0000000004DE0000-0x0000000004DE1000-memory.dmp

Filesize
4KB

Download
memory/2964-124-0x00000000004C0000-0x00000000004C1000-memory.dmp

Filesize
4KB

Download
memory/2964-118-0x0000000000000000-mapping.dmp

Download
memory/2964-151-0x0000000004FA0000-0x0000000004FA6000-memory.dmp

Filesize
24KB

Download
memory/2964-152-0x00000000051F0000-0x00000000051F1000-memory.dmp

Filesize
4KB

Download
memory/2964-137-0x0000000004D80000-0x0000000004D99000-memory.dmp

Filesize
100KB

Download
memory/2964-139-0x0000000004D40000-0x000000000523E000-memory.dmp

Filesize
5.0MB

Download
memory/2964-136-0x0000000004D40000-0x0000000004D80000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads