njrat | 996570a4f29509e3c74aa361e578f59001460810064f4a81be520e18291d56ab

General

Target

996570A4F29509E3C74AA361E578F59001460810064F4.exe
Size

73KB
MD5

7de9b1373f7e080121792869b172c537
SHA1

452f18d117ca728604b660f30aaafcd4f0c217f9
SHA256

996570a4f29509e3c74aa361e578f59001460810064f4a81be520e18291d56ab
SHA512

ae50753118eed6328e1c425ae8545034c9d782867eb8bd3d9a828309b7b19c6134cae2f2e0f44def4a0dc50f3eca743a2e6ffbf8a5287203aaf22050568b1d9a

Score

10^/10

njrat 04040404 evasion suricata trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

04040404

C2

soportes.duckdns.org:2023

Mutex

28a056e3673b28a4055fb90e48d147ab

Attributes

reg_key
28a056e3673b28a4055fb90e48d147ab
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Drops startup file 1 IoCs

Processes:

996570A4F29509E3C74AA361E578F59001460810064F4.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hJtyaQ.url	996570A4F29509E3C74AA361E578F59001460810064F4.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

996570A4F29509E3C74AA361E578F59001460810064F4.exe

description pid process target process

PID 2220 set thread context of 4368 2220 996570A4F29509E3C74AA361E578F59001460810064F4.exe RegAsm.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

996570A4F29509E3C74AA361E578F59001460810064F4.exe

pid process

2220 996570A4F29509E3C74AA361E578F59001460810064F4.exe
2220 996570A4F29509E3C74AA361E578F59001460810064F4.exe

description	pid	process	target process
PID 2220 set thread context of 4368	2220	996570A4F29509E3C74AA361E578F59001460810064F4.exe	RegAsm.exe

pid	process
2220	996570A4F29509E3C74AA361E578F59001460810064F4.exe
2220	996570A4F29509E3C74AA361E578F59001460810064F4.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

Processes:

996570A4F29509E3C74AA361E578F59001460810064F4.exeRegAsm.exe

description	pid	process
Token: SeDebugPrivilege	2220	996570A4F29509E3C74AA361E578F59001460810064F4.exe
Token: SeDebugPrivilege	4368	RegAsm.exe
Token: 33	4368	RegAsm.exe
Token: SeIncBasePriorityPrivilege	4368	RegAsm.exe
Token: 33	4368	RegAsm.exe
Token: SeIncBasePriorityPrivilege	4368	RegAsm.exe
Token: 33	4368	RegAsm.exe
Token: SeIncBasePriorityPrivilege	4368	RegAsm.exe
Token: 33	4368	RegAsm.exe
Token: SeIncBasePriorityPrivilege	4368	RegAsm.exe
Token: 33	4368	RegAsm.exe
Token: SeIncBasePriorityPrivilege	4368	RegAsm.exe
Token: 33	4368	RegAsm.exe
Token: SeIncBasePriorityPrivilege	4368	RegAsm.exe
Token: 33	4368	RegAsm.exe
Token: SeIncBasePriorityPrivilege	4368	RegAsm.exe
Token: 33	4368	RegAsm.exe
Token: SeIncBasePriorityPrivilege	4368	RegAsm.exe
Token: 33	4368	RegAsm.exe
Token: SeIncBasePriorityPrivilege	4368	RegAsm.exe
Token: 33	4368	RegAsm.exe
Token: SeIncBasePriorityPrivilege	4368	RegAsm.exe
Token: 33	4368	RegAsm.exe
Token: SeIncBasePriorityPrivilege	4368	RegAsm.exe
Token: 33	4368	RegAsm.exe
Token: SeIncBasePriorityPrivilege	4368	RegAsm.exe
Token: 33	4368	RegAsm.exe
Token: SeIncBasePriorityPrivilege	4368	RegAsm.exe
Token: 33	4368	RegAsm.exe
Token: SeIncBasePriorityPrivilege	4368	RegAsm.exe
Token: 33	4368	RegAsm.exe
Token: SeIncBasePriorityPrivilege	4368	RegAsm.exe
Token: 33	4368	RegAsm.exe
Token: SeIncBasePriorityPrivilege	4368	RegAsm.exe
Token: 33	4368	RegAsm.exe
Token: SeIncBasePriorityPrivilege	4368	RegAsm.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

996570A4F29509E3C74AA361E578F59001460810064F4.execsc.exeRegAsm.exe

description	pid	process	target process
PID 2220 wrote to memory of 748	2220	996570A4F29509E3C74AA361E578F59001460810064F4.exe	csc.exe
PID 2220 wrote to memory of 748	2220	996570A4F29509E3C74AA361E578F59001460810064F4.exe	csc.exe
PID 2220 wrote to memory of 748	2220	996570A4F29509E3C74AA361E578F59001460810064F4.exe	csc.exe
PID 748 wrote to memory of 4016	748	csc.exe	cvtres.exe
PID 748 wrote to memory of 4016	748	csc.exe	cvtres.exe
PID 748 wrote to memory of 4016	748	csc.exe	cvtres.exe
PID 2220 wrote to memory of 4368	2220	996570A4F29509E3C74AA361E578F59001460810064F4.exe	RegAsm.exe
PID 2220 wrote to memory of 4368	2220	996570A4F29509E3C74AA361E578F59001460810064F4.exe	RegAsm.exe
PID 2220 wrote to memory of 4368	2220	996570A4F29509E3C74AA361E578F59001460810064F4.exe	RegAsm.exe
PID 2220 wrote to memory of 4368	2220	996570A4F29509E3C74AA361E578F59001460810064F4.exe	RegAsm.exe
PID 2220 wrote to memory of 4368	2220	996570A4F29509E3C74AA361E578F59001460810064F4.exe	RegAsm.exe
PID 2220 wrote to memory of 4368	2220	996570A4F29509E3C74AA361E578F59001460810064F4.exe	RegAsm.exe
PID 2220 wrote to memory of 4368	2220	996570A4F29509E3C74AA361E578F59001460810064F4.exe	RegAsm.exe
PID 2220 wrote to memory of 4368	2220	996570A4F29509E3C74AA361E578F59001460810064F4.exe	RegAsm.exe
PID 4368 wrote to memory of 3124	4368	RegAsm.exe	netsh.exe
PID 4368 wrote to memory of 3124	4368	RegAsm.exe	netsh.exe
PID 4368 wrote to memory of 3124	4368	RegAsm.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\996570A4F29509E3C74AA361E578F59001460810064F4.exe
"C:\Users\Admin\AppData\Local\Temp\996570A4F29509E3C74AA361E578F59001460810064F4.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2220

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jtyaj4ut\jtyaj4ut.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:748

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA20D.tmp" "c:\Users\Admin\AppData\Local\Temp\jtyaj4ut\CSCF03D4DA3A6E848098FE9C772AF049B7.TMP"
3⤵
PID:4016

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4368

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "RegAsm.exe" ENABLE
3⤵
PID:3124

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESA20D.tmp
MD5
c700a8f904245cde707e6ddbb51e2ceb

SHA1
ba92885922e6eee160b9d9cfcbe2ae7dd7f4e572

SHA256
a44fa2b088ee576698da39023901dad03091881fdcdffa8853c423cf11936212

SHA512
ffc8226dded0196380419d8c632d888ed2a56657e01d7e35315361c536149394060eb69fd2c2ba692bbaa9282889d4e13a55415c4e89a64850edd0dca22b6c9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\jtyaj4ut\jtyaj4ut.dll
MD5
a56235cc772cf945a946874b1c8f68b9

SHA1
062626b9cadae2a8acec5b55c4adfe169d13fafd

SHA256
032e9057d3a77f05c065263ad307200c85dfc10d1393ee196e5580368b3eb16f

SHA512
00b13ecec6c4a8e91c9f6700fc4381cd2e443d85a2819917bb367517307e13cda608ba8aca3c60d19ed784ffa45f9ace7bcd4478f8df15f5eabf9d2ee57ba329

Download Submit
C:\Users\Admin\AppData\Local\Temp\jtyaj4ut\jtyaj4ut.pdb
MD5
7802a214d00fa7efeccd5cb4220e2e90

SHA1
1bb44676e576ac5b82bf001177a6dc2a5de8bf4a

SHA256
565fe3ab980a49472e72244d64326358167853c56af6fa52e4c22e5c3f99cfae

SHA512
c4a88050377738b834e7eae96728413af45bbb4002e69c47b391d6e65c161d82481c3666bff94fed5ca65f203748858223a233fb7537706cf7f73ed1cd67e2eb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jtyaj4ut\CSCF03D4DA3A6E848098FE9C772AF049B7.TMP
MD5
952496a271868360233a0815ae390108

SHA1
2b70afc1fdcc32fcb01d581fec5a4db343770327

SHA256
81c888d6bbce82ce4714d80e84a6a423b51459621819b3475b2a8d54efdbbf18

SHA512
c308d46277094a4c0282f5c1e10af32414d657e119dbbdb74d7fbabdc70ba92f6726122983a88d0f65e938912988871d8676a1a38360babd3f16bcea5326c2e6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jtyaj4ut\jtyaj4ut.0.cs
MD5
43843ea478ecc41b366642a2d6a65de7

SHA1
302951dfb877c63bf428a24f52de4e22a7176373

SHA256
daf0b1fff1975fa6a4acb4cab65191e922585d90e09a7ab5215a15f1b4089d57

SHA512
0d1f3ab2c4c8b21ef47ccf01be72c2c2cc07f1a2c5650cc85aaa51be32b8959739d13a2e9fe4454ca3a8759fdf9b836514cf80ca09fa323e8228fbd47cb72e61

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jtyaj4ut\jtyaj4ut.cmdline
MD5
b8a67009abc537df6d7bc5b645432851

SHA1
6bcb0d3b9b496290047f2f0a52f6c8495a019c6e

SHA256
1967b3ec7a66010ea05f4623169e18358211a472c13ec8c695d5dfbf6cc4f270

SHA512
11b076208a670ad960a8577ca5ac3f185a7753d16a7ab966753d2a4518e85499ce0e6cf7bbacb194985a804fc76d67a07a85facb504c8edbf649637902804cc3

Download Submit
memory/748-118-0x0000000000000000-mapping.dmp

Download
memory/2220-131-0x0000000005C20000-0x0000000005C21000-memory.dmp

Filesize
4KB

Download
memory/2220-117-0x00000000058C0000-0x00000000058C1000-memory.dmp

Filesize
4KB

Download
memory/2220-126-0x0000000003390000-0x0000000003392000-memory.dmp

Filesize
8KB

Download
memory/2220-127-0x0000000005820000-0x0000000005821000-memory.dmp

Filesize
4KB

Download
memory/2220-128-0x0000000005810000-0x0000000005820000-memory.dmp

Filesize
64KB

Download
memory/2220-129-0x0000000005B40000-0x0000000005B46000-memory.dmp

Filesize
24KB

Download
memory/2220-130-0x0000000005B70000-0x0000000005B76000-memory.dmp

Filesize
24KB

Download
memory/2220-115-0x0000000000F80000-0x0000000000F81000-memory.dmp

Filesize
4KB

Download
memory/3124-135-0x0000000000000000-mapping.dmp

Download
memory/4016-121-0x0000000000000000-mapping.dmp

Download
memory/4368-132-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4368-133-0x000000000040748E-mapping.dmp

Download
memory/4368-134-0x0000000002920000-0x0000000002921000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads