njrat | 21c6e2e0b14129c7016b431c0d9966bad6a0e35740414d314654df695fb15a68

General

Target

ac93dc198c284dff22cee5391f6fa6dd.exe
Size

25KB
MD5

ac93dc198c284dff22cee5391f6fa6dd
SHA1

8c2e2f2b493abd6ca90ff0436457d52ea928dd43
SHA256

21c6e2e0b14129c7016b431c0d9966bad6a0e35740414d314654df695fb15a68
SHA512

c60337d1ce419d3269c6ac5a08d45e19c969c73be0a7026b0afa8352df777fe7db85c083c0e8a061e02682ea17358935852ea5266fca0000cce78cad5b914064

Score

10^/10

njrat xyi suricata trojan

Malware Config

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

xyi

C2

20.77.246.121:5552

Mutex

Windows Update

Attributes

reg_key
Windows Update
splitter
|Hassan|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata
Executes dropped EXE 3 IoCs

Processes:

TL_Launcher.exeServer.exeServer.exe

pid process

832 TL_Launcher.exe
996 Server.exe
2016 Server.exe
Loads dropped DLL 1 IoCs

Processes:

ac93dc198c284dff22cee5391f6fa6dd.exe

pid process

1692 ac93dc198c284dff22cee5391f6fa6dd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1852 schtasks.exe
Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

ac93dc198c284dff22cee5391f6fa6dd.exeTL_Launcher.exe

pid process

1692 ac93dc198c284dff22cee5391f6fa6dd.exe
832 TL_Launcher.exe

pid	process
832	TL_Launcher.exe
996	Server.exe
2016	Server.exe

pid	process
1692	ac93dc198c284dff22cee5391f6fa6dd.exe

pid	process
1852	schtasks.exe

pid	process
1692	ac93dc198c284dff22cee5391f6fa6dd.exe
832	TL_Launcher.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

Processes:

TL_Launcher.exe

description	pid	process
Token: SeDebugPrivilege	832	TL_Launcher.exe
Token: 33	832	TL_Launcher.exe
Token: SeIncBasePriorityPrivilege	832	TL_Launcher.exe
Token: 33	832	TL_Launcher.exe
Token: SeIncBasePriorityPrivilege	832	TL_Launcher.exe
Token: 33	832	TL_Launcher.exe
Token: SeIncBasePriorityPrivilege	832	TL_Launcher.exe
Token: 33	832	TL_Launcher.exe
Token: SeIncBasePriorityPrivilege	832	TL_Launcher.exe
Token: 33	832	TL_Launcher.exe
Token: SeIncBasePriorityPrivilege	832	TL_Launcher.exe
Token: 33	832	TL_Launcher.exe
Token: SeIncBasePriorityPrivilege	832	TL_Launcher.exe
Token: 33	832	TL_Launcher.exe
Token: SeIncBasePriorityPrivilege	832	TL_Launcher.exe
Token: 33	832	TL_Launcher.exe
Token: SeIncBasePriorityPrivilege	832	TL_Launcher.exe
Token: 33	832	TL_Launcher.exe
Token: SeIncBasePriorityPrivilege	832	TL_Launcher.exe
Token: 33	832	TL_Launcher.exe
Token: SeIncBasePriorityPrivilege	832	TL_Launcher.exe
Token: 33	832	TL_Launcher.exe
Token: SeIncBasePriorityPrivilege	832	TL_Launcher.exe
Token: 33	832	TL_Launcher.exe
Token: SeIncBasePriorityPrivilege	832	TL_Launcher.exe
Token: 33	832	TL_Launcher.exe
Token: SeIncBasePriorityPrivilege	832	TL_Launcher.exe
Token: 33	832	TL_Launcher.exe
Token: SeIncBasePriorityPrivilege	832	TL_Launcher.exe
Token: 33	832	TL_Launcher.exe
Token: SeIncBasePriorityPrivilege	832	TL_Launcher.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

ac93dc198c284dff22cee5391f6fa6dd.exeTL_Launcher.exetaskeng.exe

description	pid	process	target process
PID 1692 wrote to memory of 832	1692	ac93dc198c284dff22cee5391f6fa6dd.exe	TL_Launcher.exe
PID 1692 wrote to memory of 832	1692	ac93dc198c284dff22cee5391f6fa6dd.exe	TL_Launcher.exe
PID 1692 wrote to memory of 832	1692	ac93dc198c284dff22cee5391f6fa6dd.exe	TL_Launcher.exe
PID 1692 wrote to memory of 832	1692	ac93dc198c284dff22cee5391f6fa6dd.exe	TL_Launcher.exe
PID 1692 wrote to memory of 832	1692	ac93dc198c284dff22cee5391f6fa6dd.exe	TL_Launcher.exe
PID 1692 wrote to memory of 832	1692	ac93dc198c284dff22cee5391f6fa6dd.exe	TL_Launcher.exe
PID 1692 wrote to memory of 832	1692	ac93dc198c284dff22cee5391f6fa6dd.exe	TL_Launcher.exe
PID 832 wrote to memory of 1852	832	TL_Launcher.exe	schtasks.exe
PID 832 wrote to memory of 1852	832	TL_Launcher.exe	schtasks.exe
PID 832 wrote to memory of 1852	832	TL_Launcher.exe	schtasks.exe
PID 832 wrote to memory of 1852	832	TL_Launcher.exe	schtasks.exe
PID 832 wrote to memory of 1852	832	TL_Launcher.exe	schtasks.exe
PID 832 wrote to memory of 1852	832	TL_Launcher.exe	schtasks.exe
PID 832 wrote to memory of 1852	832	TL_Launcher.exe	schtasks.exe
PID 1304 wrote to memory of 996	1304	taskeng.exe	Server.exe
PID 1304 wrote to memory of 996	1304	taskeng.exe	Server.exe
PID 1304 wrote to memory of 996	1304	taskeng.exe	Server.exe
PID 1304 wrote to memory of 996	1304	taskeng.exe	Server.exe
PID 1304 wrote to memory of 2016	1304	taskeng.exe	Server.exe
PID 1304 wrote to memory of 2016	1304	taskeng.exe	Server.exe
PID 1304 wrote to memory of 2016	1304	taskeng.exe	Server.exe
PID 1304 wrote to memory of 2016	1304	taskeng.exe	Server.exe

C:\Users\Admin\AppData\Local\Temp\ac93dc198c284dff22cee5391f6fa6dd.exe
"C:\Users\Admin\AppData\Local\Temp\ac93dc198c284dff22cee5391f6fa6dd.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1692

C:\Users\Admin\AppData\Local\Temp\TL_Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\TL_Launcher.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:832

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn Server /tr C:\Users\Admin\AppData\Local\Temp/Server.exe
3⤵
- Creates scheduled task(s)
PID:1852

C:\Windows\system32\taskeng.exe
taskeng.exe {322CCFDF-52A5-4791-A7AF-053A42B740E9} S-1-5-21-3846991908-3261386348-1409841751-1000:VQVVOAJK\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1304

C:\Users\Admin\AppData\Local\Temp\Server.exe
C:\Users\Admin\AppData\Local\Temp/Server.exe
2⤵
- Executes dropped EXE
PID:996

C:\Users\Admin\AppData\Local\Temp\Server.exe
C:\Users\Admin\AppData\Local\Temp/Server.exe
2⤵
- Executes dropped EXE
PID:2016

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Server.exe
MD5
ac93dc198c284dff22cee5391f6fa6dd

SHA1
8c2e2f2b493abd6ca90ff0436457d52ea928dd43

SHA256
21c6e2e0b14129c7016b431c0d9966bad6a0e35740414d314654df695fb15a68

SHA512
c60337d1ce419d3269c6ac5a08d45e19c969c73be0a7026b0afa8352df777fe7db85c083c0e8a061e02682ea17358935852ea5266fca0000cce78cad5b914064

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe
MD5
ac93dc198c284dff22cee5391f6fa6dd

SHA1
8c2e2f2b493abd6ca90ff0436457d52ea928dd43

SHA256
21c6e2e0b14129c7016b431c0d9966bad6a0e35740414d314654df695fb15a68

SHA512
c60337d1ce419d3269c6ac5a08d45e19c969c73be0a7026b0afa8352df777fe7db85c083c0e8a061e02682ea17358935852ea5266fca0000cce78cad5b914064

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe
MD5
ac93dc198c284dff22cee5391f6fa6dd

SHA1
8c2e2f2b493abd6ca90ff0436457d52ea928dd43

SHA256
21c6e2e0b14129c7016b431c0d9966bad6a0e35740414d314654df695fb15a68

SHA512
c60337d1ce419d3269c6ac5a08d45e19c969c73be0a7026b0afa8352df777fe7db85c083c0e8a061e02682ea17358935852ea5266fca0000cce78cad5b914064

Download Submit
C:\Users\Admin\AppData\Local\Temp\TL_Launcher.exe
MD5
ac93dc198c284dff22cee5391f6fa6dd

SHA1
8c2e2f2b493abd6ca90ff0436457d52ea928dd43

SHA256
21c6e2e0b14129c7016b431c0d9966bad6a0e35740414d314654df695fb15a68

SHA512
c60337d1ce419d3269c6ac5a08d45e19c969c73be0a7026b0afa8352df777fe7db85c083c0e8a061e02682ea17358935852ea5266fca0000cce78cad5b914064

Download Submit
C:\Users\Admin\AppData\Local\Temp\TL_Launcher.exe
MD5
ac93dc198c284dff22cee5391f6fa6dd

SHA1
8c2e2f2b493abd6ca90ff0436457d52ea928dd43

SHA256
21c6e2e0b14129c7016b431c0d9966bad6a0e35740414d314654df695fb15a68

SHA512
c60337d1ce419d3269c6ac5a08d45e19c969c73be0a7026b0afa8352df777fe7db85c083c0e8a061e02682ea17358935852ea5266fca0000cce78cad5b914064

Download Submit
\Users\Admin\AppData\Local\Temp\TL_Launcher.exe
MD5
ac93dc198c284dff22cee5391f6fa6dd

SHA1
8c2e2f2b493abd6ca90ff0436457d52ea928dd43

SHA256
21c6e2e0b14129c7016b431c0d9966bad6a0e35740414d314654df695fb15a68

SHA512
c60337d1ce419d3269c6ac5a08d45e19c969c73be0a7026b0afa8352df777fe7db85c083c0e8a061e02682ea17358935852ea5266fca0000cce78cad5b914064

Download Submit
memory/832-63-0x0000000000800000-0x0000000000801000-memory.dmp

Filesize
4KB

Download
memory/832-62-0x0000000075B51000-0x0000000075B53000-memory.dmp

Filesize
8KB

Download
memory/832-66-0x0000000000930000-0x0000000000931000-memory.dmp

Filesize
4KB

Download
memory/832-59-0x0000000000000000-mapping.dmp

Download
memory/996-70-0x0000000000000000-mapping.dmp

Download
memory/996-72-0x0000000000BF0000-0x0000000000BF1000-memory.dmp

Filesize
4KB

Download
memory/996-75-0x0000000004C40000-0x0000000004C41000-memory.dmp

Filesize
4KB

Download
memory/1692-54-0x0000000000E70000-0x0000000000E71000-memory.dmp

Filesize
4KB

Download
memory/1692-57-0x00000000049A0000-0x00000000049A1000-memory.dmp

Filesize
4KB

Download
memory/1692-56-0x0000000000260000-0x000000000026B000-memory.dmp

Filesize
44KB

Download
memory/1852-67-0x0000000000000000-mapping.dmp

Download
memory/2016-76-0x0000000000000000-mapping.dmp

Download
memory/2016-81-0x0000000004FB0000-0x0000000004FB1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads