njrat | 996570a4f29509e3c74aa361e578f59001460810064f4a81be520e18291d56ab

General

Target

996570A4F29509E3C74AA361E578F59001460810064F4.exe
Size

73KB
MD5

7de9b1373f7e080121792869b172c537
SHA1

452f18d117ca728604b660f30aaafcd4f0c217f9
SHA256

996570a4f29509e3c74aa361e578f59001460810064f4a81be520e18291d56ab
SHA512

ae50753118eed6328e1c425ae8545034c9d782867eb8bd3d9a828309b7b19c6134cae2f2e0f44def4a0dc50f3eca743a2e6ffbf8a5287203aaf22050568b1d9a

Score

10^/10

njrat 04040404 evasion suricata trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

04040404

C2

soportes.duckdns.org:2023

Mutex

28a056e3673b28a4055fb90e48d147ab

Attributes

reg_key
28a056e3673b28a4055fb90e48d147ab
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Drops startup file 1 IoCs

Processes:

996570A4F29509E3C74AA361E578F59001460810064F4.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hJtyaQ.url	996570A4F29509E3C74AA361E578F59001460810064F4.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

996570A4F29509E3C74AA361E578F59001460810064F4.exe

description pid process target process

PID 520 set thread context of 4080 520 996570A4F29509E3C74AA361E578F59001460810064F4.exe RegAsm.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

996570A4F29509E3C74AA361E578F59001460810064F4.exe

pid process

520 996570A4F29509E3C74AA361E578F59001460810064F4.exe
520 996570A4F29509E3C74AA361E578F59001460810064F4.exe

description	pid	process	target process
PID 520 set thread context of 4080	520	996570A4F29509E3C74AA361E578F59001460810064F4.exe	RegAsm.exe

pid	process
520	996570A4F29509E3C74AA361E578F59001460810064F4.exe
520	996570A4F29509E3C74AA361E578F59001460810064F4.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

Processes:

996570A4F29509E3C74AA361E578F59001460810064F4.exeRegAsm.exe

description	pid	process
Token: SeDebugPrivilege	520	996570A4F29509E3C74AA361E578F59001460810064F4.exe
Token: SeDebugPrivilege	4080	RegAsm.exe
Token: 33	4080	RegAsm.exe
Token: SeIncBasePriorityPrivilege	4080	RegAsm.exe
Token: 33	4080	RegAsm.exe
Token: SeIncBasePriorityPrivilege	4080	RegAsm.exe
Token: 33	4080	RegAsm.exe
Token: SeIncBasePriorityPrivilege	4080	RegAsm.exe
Token: 33	4080	RegAsm.exe
Token: SeIncBasePriorityPrivilege	4080	RegAsm.exe
Token: 33	4080	RegAsm.exe
Token: SeIncBasePriorityPrivilege	4080	RegAsm.exe
Token: 33	4080	RegAsm.exe
Token: SeIncBasePriorityPrivilege	4080	RegAsm.exe
Token: 33	4080	RegAsm.exe
Token: SeIncBasePriorityPrivilege	4080	RegAsm.exe
Token: 33	4080	RegAsm.exe
Token: SeIncBasePriorityPrivilege	4080	RegAsm.exe
Token: 33	4080	RegAsm.exe
Token: SeIncBasePriorityPrivilege	4080	RegAsm.exe
Token: 33	4080	RegAsm.exe
Token: SeIncBasePriorityPrivilege	4080	RegAsm.exe
Token: 33	4080	RegAsm.exe
Token: SeIncBasePriorityPrivilege	4080	RegAsm.exe
Token: 33	4080	RegAsm.exe
Token: SeIncBasePriorityPrivilege	4080	RegAsm.exe
Token: 33	4080	RegAsm.exe
Token: SeIncBasePriorityPrivilege	4080	RegAsm.exe
Token: 33	4080	RegAsm.exe
Token: SeIncBasePriorityPrivilege	4080	RegAsm.exe
Token: 33	4080	RegAsm.exe
Token: SeIncBasePriorityPrivilege	4080	RegAsm.exe
Token: 33	4080	RegAsm.exe
Token: SeIncBasePriorityPrivilege	4080	RegAsm.exe
Token: 33	4080	RegAsm.exe
Token: SeIncBasePriorityPrivilege	4080	RegAsm.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

996570A4F29509E3C74AA361E578F59001460810064F4.execsc.exeRegAsm.exe

description	pid	process	target process
PID 520 wrote to memory of 4220	520	996570A4F29509E3C74AA361E578F59001460810064F4.exe	csc.exe
PID 520 wrote to memory of 4220	520	996570A4F29509E3C74AA361E578F59001460810064F4.exe	csc.exe
PID 520 wrote to memory of 4220	520	996570A4F29509E3C74AA361E578F59001460810064F4.exe	csc.exe
PID 4220 wrote to memory of 3148	4220	csc.exe	cvtres.exe
PID 4220 wrote to memory of 3148	4220	csc.exe	cvtres.exe
PID 4220 wrote to memory of 3148	4220	csc.exe	cvtres.exe
PID 520 wrote to memory of 4080	520	996570A4F29509E3C74AA361E578F59001460810064F4.exe	RegAsm.exe
PID 520 wrote to memory of 4080	520	996570A4F29509E3C74AA361E578F59001460810064F4.exe	RegAsm.exe
PID 520 wrote to memory of 4080	520	996570A4F29509E3C74AA361E578F59001460810064F4.exe	RegAsm.exe
PID 520 wrote to memory of 4080	520	996570A4F29509E3C74AA361E578F59001460810064F4.exe	RegAsm.exe
PID 520 wrote to memory of 4080	520	996570A4F29509E3C74AA361E578F59001460810064F4.exe	RegAsm.exe
PID 520 wrote to memory of 4080	520	996570A4F29509E3C74AA361E578F59001460810064F4.exe	RegAsm.exe
PID 520 wrote to memory of 4080	520	996570A4F29509E3C74AA361E578F59001460810064F4.exe	RegAsm.exe
PID 520 wrote to memory of 4080	520	996570A4F29509E3C74AA361E578F59001460810064F4.exe	RegAsm.exe
PID 4080 wrote to memory of 4588	4080	RegAsm.exe	netsh.exe
PID 4080 wrote to memory of 4588	4080	RegAsm.exe	netsh.exe
PID 4080 wrote to memory of 4588	4080	RegAsm.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\996570A4F29509E3C74AA361E578F59001460810064F4.exe
"C:\Users\Admin\AppData\Local\Temp\996570A4F29509E3C74AA361E578F59001460810064F4.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:520

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xj3unagf\xj3unagf.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:4220

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAE61.tmp" "c:\Users\Admin\AppData\Local\Temp\xj3unagf\CSC926AA4E0F54BA3B570CEB9808877F6.TMP"
3⤵
PID:3148

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4080

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "RegAsm.exe" ENABLE
3⤵
PID:4588

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESAE61.tmp
MD5
36bea6f2f497be7e645c831c5e8e2615

SHA1
1125f23ac360d075342656c7da810726772923d3

SHA256
163fc0d6d237c3e8b5fe76f689b35fe41d6bb4b4108807dbefc52c236c2a6ac3

SHA512
d6a86e496032fb9af5880cdf21c279d73e3f2f54e80c90c3db5392f85d4e5f7d158ffdd08574b9631a9d158a619c0d620d43bb082568f61989711d959a293a48

Download Submit
C:\Users\Admin\AppData\Local\Temp\xj3unagf\xj3unagf.dll
MD5
16868e3b8b68985e9af2285e8c8763fa

SHA1
0d19f9d0f5c4f23f27f6ffe5839e304fcb1cf386

SHA256
860aba222ea5ff4c6d53870ed008df6a5f0d260a5241f93fcedf65add2575fd5

SHA512
dc30b411a3cb904dc4229cd08bd93a41b4aad5b77c9bc5b73210bfd5ec2a945f6fb5907e607edd853717dda8d9c7b134df4e19a5b5e0d115cc787a92644cccf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\xj3unagf\xj3unagf.pdb
MD5
8f259d70a785c3e48388eeb4e508bb6c

SHA1
2182a051054f44cde5132fe0cada89fe015a703e

SHA256
9fe9b9c29dc9dc756d9dcf3cbcd2a0565018ad0b87250d7a284292dcaae83d2a

SHA512
1e600c9c4d00580f081605420553ed5d5c41485c55748beb56df80c884b0efcb1aa0ef40af9b75eb8a7762e1f72a8ee47978092ee0ed01c5a4cabbcc8844eaf6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xj3unagf\CSC926AA4E0F54BA3B570CEB9808877F6.TMP
MD5
ea7ac6a0921221f758d001a114e8128d

SHA1
eaee84c613104242038d6b2b0fc0dc511cb6720a

SHA256
d52fe98d2344612381e54fc79ad350448fe409a38ea1edc92a0639f3552d8b3f

SHA512
f316a0dd833d9ddb1c9fefbfcb2f798d42431fc3fd06d26badef449e7be6848a624ab88f77030961b9f522c921e06d1477962afa7664d776463541cf5c5c647d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xj3unagf\xj3unagf.0.cs
MD5
43843ea478ecc41b366642a2d6a65de7

SHA1
302951dfb877c63bf428a24f52de4e22a7176373

SHA256
daf0b1fff1975fa6a4acb4cab65191e922585d90e09a7ab5215a15f1b4089d57

SHA512
0d1f3ab2c4c8b21ef47ccf01be72c2c2cc07f1a2c5650cc85aaa51be32b8959739d13a2e9fe4454ca3a8759fdf9b836514cf80ca09fa323e8228fbd47cb72e61

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xj3unagf\xj3unagf.cmdline
MD5
910f57ee2cd809eb2bf418d552eae93c

SHA1
26b5e0e0c9cdf3cd403ea239c751f6ed42ec9e4f

SHA256
f7368124ac0ccffed00a0e055960eb0e1287cb195cc4909d26684ee395e14ef7

SHA512
dca28c3cc2dbdfbf7b78f4d7045c91e4cfc18ab207e7073035d9748302cdd4cfda069380d9fedca5ce04e56e74ba72d1755f293ca4a8444c01d26b45ed64c6d6

Download Submit
memory/520-131-0x0000000005540000-0x0000000005541000-memory.dmp

Filesize
4KB

Download
memory/520-128-0x00000000050C0000-0x00000000050D0000-memory.dmp

Filesize
64KB

Download
memory/520-118-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/520-115-0x0000000000890000-0x0000000000891000-memory.dmp

Filesize
4KB

Download
memory/520-126-0x0000000000EA0000-0x0000000000EA2000-memory.dmp

Filesize
8KB

Download
memory/520-127-0x0000000005120000-0x0000000005121000-memory.dmp

Filesize
4KB

Download
memory/520-129-0x00000000050D0000-0x00000000050D6000-memory.dmp

Filesize
24KB

Download
memory/520-130-0x0000000005110000-0x0000000005116000-memory.dmp

Filesize
24KB

Download
memory/3148-121-0x0000000000000000-mapping.dmp

Download
memory/4080-132-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4080-133-0x000000000040748E-mapping.dmp

Download
memory/4080-134-0x00000000025C0000-0x00000000025C1000-memory.dmp

Filesize
4KB

Download
memory/4220-117-0x0000000000000000-mapping.dmp

Download
memory/4588-135-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads