njrat | 376c8edbafb727e3c48081ac3c6751dd6b73e73462c2a26794b37cd44be4344d

General

Target

376C8EDBAFB727E3C48081AC3C6751DD6B73E73462C2A.exe
Size

93KB
MD5

9f9dbbcabdc0f57b9b0d2f81410f5b5f
SHA1

b524af77112c726613fac681ba93d174e5c31932
SHA256

376c8edbafb727e3c48081ac3c6751dd6b73e73462c2a26794b37cd44be4344d
SHA512

e8828f4caa5e325f51ed5cc07e40acbb807485bc28e7df55b11432972dcf28cd749ee543cb63bd4815919f4f24f94aa063acef9c994a5764562061ec9b8cf91b

Score

10^/10

njrat xmrig hacked evasion miner suricata trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

FRANSESCOC50Y3Aubmdyb2suaW8Strik:MTIxNjE=

Mutex

854ee8c16d20a740152aef12b1a29af6

Attributes

reg_key
854ee8c16d20a740152aef12b1a29af6
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Executes dropped EXE 1 IoCs

Processes:

server.exe

pid process

820 server.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Drops startup file 6 IoCs

Processes:

server.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\854ee8c16d20a740152aef12b1a29af6Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\854ee8c16d20a740152aef12b1a29af6Windows Update.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe

Loads dropped DLL 2 IoCs

Processes:

376C8EDBAFB727E3C48081AC3C6751DD6B73E73462C2A.exe

pid process

1052 376C8EDBAFB727E3C48081AC3C6751DD6B73E73462C2A.exe
1052 376C8EDBAFB727E3C48081AC3C6751DD6B73E73462C2A.exe
Drops file in System32 directory 2 IoCs

Processes:

server.exe

description ioc process

File created C:\Windows\SysWOW64\Explower.exe server.exe
File opened for modification C:\Windows\SysWOW64\Explower.exe server.exe

pid	process
1052	376C8EDBAFB727E3C48081AC3C6751DD6B73E73462C2A.exe
1052	376C8EDBAFB727E3C48081AC3C6751DD6B73E73462C2A.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe

Drops file in Program Files directory 2 IoCs

Processes:

server.exe

description	ioc	process
File created	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

server.exe

pid	process
820	server.exe
820	server.exe
820	server.exe
820	server.exe
820	server.exe
820	server.exe
820	server.exe
820	server.exe
820	server.exe
820	server.exe
820	server.exe
820	server.exe
820	server.exe
820	server.exe
820	server.exe
820	server.exe
820	server.exe
820	server.exe
820	server.exe
820	server.exe
820	server.exe
820	server.exe
820	server.exe
820	server.exe
820	server.exe
820	server.exe
820	server.exe
820	server.exe
820	server.exe
820	server.exe
820	server.exe
820	server.exe
820	server.exe
820	server.exe
820	server.exe
820	server.exe
820	server.exe
820	server.exe
820	server.exe
820	server.exe
820	server.exe
820	server.exe
820	server.exe
820	server.exe
820	server.exe
820	server.exe
820	server.exe
820	server.exe
820	server.exe
820	server.exe
820	server.exe
820	server.exe
820	server.exe
820	server.exe
820	server.exe
820	server.exe
820	server.exe
820	server.exe
820	server.exe
820	server.exe
820	server.exe
820	server.exe
820	server.exe
820	server.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

server.exe

pid process

820 server.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

Processes:

server.exe

description	pid	process
Token: SeDebugPrivilege	820	server.exe
Token: 33	820	server.exe
Token: SeIncBasePriorityPrivilege	820	server.exe
Token: 33	820	server.exe
Token: SeIncBasePriorityPrivilege	820	server.exe
Token: 33	820	server.exe
Token: SeIncBasePriorityPrivilege	820	server.exe
Token: 33	820	server.exe
Token: SeIncBasePriorityPrivilege	820	server.exe
Token: 33	820	server.exe
Token: SeIncBasePriorityPrivilege	820	server.exe
Token: 33	820	server.exe
Token: SeIncBasePriorityPrivilege	820	server.exe
Token: 33	820	server.exe
Token: SeIncBasePriorityPrivilege	820	server.exe
Token: 33	820	server.exe
Token: SeIncBasePriorityPrivilege	820	server.exe
Token: 33	820	server.exe
Token: SeIncBasePriorityPrivilege	820	server.exe
Token: 33	820	server.exe
Token: SeIncBasePriorityPrivilege	820	server.exe
Token: 33	820	server.exe
Token: SeIncBasePriorityPrivilege	820	server.exe
Token: 33	820	server.exe
Token: SeIncBasePriorityPrivilege	820	server.exe
Token: 33	820	server.exe
Token: SeIncBasePriorityPrivilege	820	server.exe
Token: 33	820	server.exe
Token: SeIncBasePriorityPrivilege	820	server.exe
Token: 33	820	server.exe
Token: SeIncBasePriorityPrivilege	820	server.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

376C8EDBAFB727E3C48081AC3C6751DD6B73E73462C2A.exeserver.exe

description	pid	process	target process
PID 1052 wrote to memory of 820	1052	376C8EDBAFB727E3C48081AC3C6751DD6B73E73462C2A.exe	server.exe
PID 1052 wrote to memory of 820	1052	376C8EDBAFB727E3C48081AC3C6751DD6B73E73462C2A.exe	server.exe
PID 1052 wrote to memory of 820	1052	376C8EDBAFB727E3C48081AC3C6751DD6B73E73462C2A.exe	server.exe
PID 1052 wrote to memory of 820	1052	376C8EDBAFB727E3C48081AC3C6751DD6B73E73462C2A.exe	server.exe
PID 820 wrote to memory of 1124	820	server.exe	netsh.exe
PID 820 wrote to memory of 1124	820	server.exe	netsh.exe
PID 820 wrote to memory of 1124	820	server.exe	netsh.exe
PID 820 wrote to memory of 1124	820	server.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\376C8EDBAFB727E3C48081AC3C6751DD6B73E73462C2A.exe
"C:\Users\Admin\AppData\Local\Temp\376C8EDBAFB727E3C48081AC3C6751DD6B73E73462C2A.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1052

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:820

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
3⤵
PID:1124

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\server.exe
MD5
9f9dbbcabdc0f57b9b0d2f81410f5b5f

SHA1
b524af77112c726613fac681ba93d174e5c31932

SHA256
376c8edbafb727e3c48081ac3c6751dd6b73e73462c2a26794b37cd44be4344d

SHA512
e8828f4caa5e325f51ed5cc07e40acbb807485bc28e7df55b11432972dcf28cd749ee543cb63bd4815919f4f24f94aa063acef9c994a5764562061ec9b8cf91b

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe
MD5
9f9dbbcabdc0f57b9b0d2f81410f5b5f

SHA1
b524af77112c726613fac681ba93d174e5c31932

SHA256
376c8edbafb727e3c48081ac3c6751dd6b73e73462c2a26794b37cd44be4344d

SHA512
e8828f4caa5e325f51ed5cc07e40acbb807485bc28e7df55b11432972dcf28cd749ee543cb63bd4815919f4f24f94aa063acef9c994a5764562061ec9b8cf91b

Download Submit
C:\Users\Admin\AppData\Roaming\app
MD5
a65a8cc18c0fdcac3b78ed8f032e2f98

SHA1
9087f7aaf4edf3b132348b1e5dfa7a678d57d40e

SHA256
ca1c5c735384c64968c987e3e608cb48a3cbd73e870f1bc6d60f2b24f9445e3a

SHA512
8e56c9aa0c90fb30b488fa72a0b9d40e69c357e32d8e6f9d5a299dfbf9df8c896c28684d7163972019ab53dfcfe35dc75e9b305e07c81b9984a410e04b96186d

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe
MD5
9f9dbbcabdc0f57b9b0d2f81410f5b5f

SHA1
b524af77112c726613fac681ba93d174e5c31932

SHA256
376c8edbafb727e3c48081ac3c6751dd6b73e73462c2a26794b37cd44be4344d

SHA512
e8828f4caa5e325f51ed5cc07e40acbb807485bc28e7df55b11432972dcf28cd749ee543cb63bd4815919f4f24f94aa063acef9c994a5764562061ec9b8cf91b

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe
MD5
9f9dbbcabdc0f57b9b0d2f81410f5b5f

SHA1
b524af77112c726613fac681ba93d174e5c31932

SHA256
376c8edbafb727e3c48081ac3c6751dd6b73e73462c2a26794b37cd44be4344d

SHA512
e8828f4caa5e325f51ed5cc07e40acbb807485bc28e7df55b11432972dcf28cd749ee543cb63bd4815919f4f24f94aa063acef9c994a5764562061ec9b8cf91b

Download Submit
memory/820-59-0x0000000000000000-mapping.dmp

Download
memory/820-64-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/1052-55-0x0000000074E51000-0x0000000074E53000-memory.dmp

Filesize
8KB

Download
memory/1052-56-0x00000000020E0000-0x00000000020E1000-memory.dmp

Filesize
4KB

Download
memory/1124-65-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads