njrat | 23f046f284a367fc1f2d0444f1f9508602b84a528593d209246d8ec987165d60

General

Target

23f046f284a367fc1f2d0444f1f9508602b84a528593d209246d8ec987165d60.exe
Size

769KB
MD5

fd08b4818cca94554574c5e7a3c5a57d
SHA1

64c66820b0caa0bfda38230c269679bd7dbe66ef
SHA256

23f046f284a367fc1f2d0444f1f9508602b84a528593d209246d8ec987165d60
SHA512

13591b28b3091386021a8337c058ec84bdce3eb1d59f5b87b2ea043a95d6bc0e8b0440956dbcbb4a67a204283449ce3e76bd7bc24c105306b8bc3ff992175a0c

Score

10^/10

njrat h agilenet persistence trojan

Malware Config

Extracted

Family

njrat

Botnet

H

C2

dreem.linkpc.net:7500

Attributes

splitter
!'!@!'!

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\SInitia\\SInitia.exe,"	reg.exe

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 2 IoCs

Processes:

SInitia.exeInstallUtil.exe

pid process

2748 SInitia.exe
3828 InstallUtil.exe

pid	process
2748	SInitia.exe
3828	InstallUtil.exe

Obfuscated with Agile.Net obfuscator 2 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/3160-121-0x00000000061C0000-0x00000000061E1000-memory.dmp	agile_net
behavioral1/memory/3160-126-0x0000000004FD0000-0x00000000054CE000-memory.dmp	agile_net

Suspicious use of SetThreadContext 1 IoCs

Processes:

SInitia.exe

description pid process target process

PID 2748 set thread context of 3828 2748 SInitia.exe InstallUtil.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 2748 set thread context of 3828	2748	SInitia.exe	InstallUtil.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

Processes:

23f046f284a367fc1f2d0444f1f9508602b84a528593d209246d8ec987165d60.exeSInitia.exe

pid	process
3160	23f046f284a367fc1f2d0444f1f9508602b84a528593d209246d8ec987165d60.exe
3160	23f046f284a367fc1f2d0444f1f9508602b84a528593d209246d8ec987165d60.exe
3160	23f046f284a367fc1f2d0444f1f9508602b84a528593d209246d8ec987165d60.exe
3160	23f046f284a367fc1f2d0444f1f9508602b84a528593d209246d8ec987165d60.exe
3160	23f046f284a367fc1f2d0444f1f9508602b84a528593d209246d8ec987165d60.exe
3160	23f046f284a367fc1f2d0444f1f9508602b84a528593d209246d8ec987165d60.exe
3160	23f046f284a367fc1f2d0444f1f9508602b84a528593d209246d8ec987165d60.exe
3160	23f046f284a367fc1f2d0444f1f9508602b84a528593d209246d8ec987165d60.exe
3160	23f046f284a367fc1f2d0444f1f9508602b84a528593d209246d8ec987165d60.exe
3160	23f046f284a367fc1f2d0444f1f9508602b84a528593d209246d8ec987165d60.exe
3160	23f046f284a367fc1f2d0444f1f9508602b84a528593d209246d8ec987165d60.exe
3160	23f046f284a367fc1f2d0444f1f9508602b84a528593d209246d8ec987165d60.exe
3160	23f046f284a367fc1f2d0444f1f9508602b84a528593d209246d8ec987165d60.exe
3160	23f046f284a367fc1f2d0444f1f9508602b84a528593d209246d8ec987165d60.exe
3160	23f046f284a367fc1f2d0444f1f9508602b84a528593d209246d8ec987165d60.exe
2748	SInitia.exe
2748	SInitia.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

Processes:

23f046f284a367fc1f2d0444f1f9508602b84a528593d209246d8ec987165d60.exeSInitia.exeInstallUtil.exe

description	pid	process
Token: SeDebugPrivilege	3160	23f046f284a367fc1f2d0444f1f9508602b84a528593d209246d8ec987165d60.exe
Token: SeDebugPrivilege	2748	SInitia.exe
Token: SeDebugPrivilege	3828	InstallUtil.exe
Token: 33	3828	InstallUtil.exe
Token: SeIncBasePriorityPrivilege	3828	InstallUtil.exe
Token: 33	3828	InstallUtil.exe
Token: SeIncBasePriorityPrivilege	3828	InstallUtil.exe
Token: 33	3828	InstallUtil.exe
Token: SeIncBasePriorityPrivilege	3828	InstallUtil.exe
Token: 33	3828	InstallUtil.exe
Token: SeIncBasePriorityPrivilege	3828	InstallUtil.exe
Token: 33	3828	InstallUtil.exe
Token: SeIncBasePriorityPrivilege	3828	InstallUtil.exe
Token: 33	3828	InstallUtil.exe
Token: SeIncBasePriorityPrivilege	3828	InstallUtil.exe
Token: 33	3828	InstallUtil.exe
Token: SeIncBasePriorityPrivilege	3828	InstallUtil.exe
Token: 33	3828	InstallUtil.exe
Token: SeIncBasePriorityPrivilege	3828	InstallUtil.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

23f046f284a367fc1f2d0444f1f9508602b84a528593d209246d8ec987165d60.execmd.exeSInitia.exe

description	pid	process	target process
PID 3160 wrote to memory of 1984	3160	23f046f284a367fc1f2d0444f1f9508602b84a528593d209246d8ec987165d60.exe	cmd.exe
PID 3160 wrote to memory of 1984	3160	23f046f284a367fc1f2d0444f1f9508602b84a528593d209246d8ec987165d60.exe	cmd.exe
PID 3160 wrote to memory of 1984	3160	23f046f284a367fc1f2d0444f1f9508602b84a528593d209246d8ec987165d60.exe	cmd.exe
PID 1984 wrote to memory of 3732	1984	cmd.exe	reg.exe
PID 1984 wrote to memory of 3732	1984	cmd.exe	reg.exe
PID 1984 wrote to memory of 3732	1984	cmd.exe	reg.exe
PID 3160 wrote to memory of 2748	3160	23f046f284a367fc1f2d0444f1f9508602b84a528593d209246d8ec987165d60.exe	SInitia.exe
PID 3160 wrote to memory of 2748	3160	23f046f284a367fc1f2d0444f1f9508602b84a528593d209246d8ec987165d60.exe	SInitia.exe
PID 3160 wrote to memory of 2748	3160	23f046f284a367fc1f2d0444f1f9508602b84a528593d209246d8ec987165d60.exe	SInitia.exe
PID 2748 wrote to memory of 3828	2748	SInitia.exe	InstallUtil.exe
PID 2748 wrote to memory of 3828	2748	SInitia.exe	InstallUtil.exe
PID 2748 wrote to memory of 3828	2748	SInitia.exe	InstallUtil.exe
PID 2748 wrote to memory of 3828	2748	SInitia.exe	InstallUtil.exe
PID 2748 wrote to memory of 3828	2748	SInitia.exe	InstallUtil.exe
PID 2748 wrote to memory of 3828	2748	SInitia.exe	InstallUtil.exe
PID 2748 wrote to memory of 3828	2748	SInitia.exe	InstallUtil.exe
PID 2748 wrote to memory of 3828	2748	SInitia.exe	InstallUtil.exe

C:\Users\Admin\AppData\Local\Temp\23f046f284a367fc1f2d0444f1f9508602b84a528593d209246d8ec987165d60.exe
"C:\Users\Admin\AppData\Local\Temp\23f046f284a367fc1f2d0444f1f9508602b84a528593d209246d8ec987165d60.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3160

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\SInitia\SInitia.exe,"
2⤵
- Suspicious use of WriteProcessMemory
PID:1984

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\SInitia\SInitia.exe,"
3⤵
- Modifies WinLogon for persistence
PID:3732

C:\Users\Admin\AppData\Roaming\SInitia\SInitia.exe
"C:\Users\Admin\AppData\Roaming\SInitia\SInitia.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2748

C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
"C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3828

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe

MD5
91c9ae9c9a17a9db5e08b120e668c74c

SHA1
50770954c1ceb0bb6f1d5d3f2de2a0a065773723

SHA256
e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

SHA512
ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe

MD5
91c9ae9c9a17a9db5e08b120e668c74c

SHA1
50770954c1ceb0bb6f1d5d3f2de2a0a065773723

SHA256
e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

SHA512
ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

Download Submit
C:\Users\Admin\AppData\Roaming\SInitia\SInitia.exe

MD5
fd08b4818cca94554574c5e7a3c5a57d

SHA1
64c66820b0caa0bfda38230c269679bd7dbe66ef

SHA256
23f046f284a367fc1f2d0444f1f9508602b84a528593d209246d8ec987165d60

SHA512
13591b28b3091386021a8337c058ec84bdce3eb1d59f5b87b2ea043a95d6bc0e8b0440956dbcbb4a67a204283449ce3e76bd7bc24c105306b8bc3ff992175a0c

Download Submit
C:\Users\Admin\AppData\Roaming\SInitia\SInitia.exe

MD5
fd08b4818cca94554574c5e7a3c5a57d

SHA1
64c66820b0caa0bfda38230c269679bd7dbe66ef

SHA256
23f046f284a367fc1f2d0444f1f9508602b84a528593d209246d8ec987165d60

SHA512
13591b28b3091386021a8337c058ec84bdce3eb1d59f5b87b2ea043a95d6bc0e8b0440956dbcbb4a67a204283449ce3e76bd7bc24c105306b8bc3ff992175a0c

Download Submit
memory/1984-124-0x0000000000000000-mapping.dmp

Download
memory/2748-127-0x0000000000000000-mapping.dmp

Download
memory/2748-141-0x00000000097B0000-0x00000000097B1000-memory.dmp

Filesize
4KB

Download
memory/2748-140-0x00000000071D0000-0x00000000071DB000-memory.dmp

Filesize
44KB

Download
memory/2748-139-0x0000000005560000-0x0000000005A5E000-memory.dmp

Filesize
5.0MB

Download
memory/2748-135-0x0000000005560000-0x0000000005A5E000-memory.dmp

Filesize
5.0MB

Download
memory/3160-122-0x0000000006270000-0x0000000006271000-memory.dmp

Filesize
4KB

Download
memory/3160-119-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download
memory/3160-117-0x00000000054D0000-0x00000000054D1000-memory.dmp

Filesize
4KB

Download
memory/3160-123-0x0000000006230000-0x0000000006231000-memory.dmp

Filesize
4KB

Download
memory/3160-115-0x0000000000700000-0x0000000000701000-memory.dmp

Filesize
4KB

Download
memory/3160-121-0x00000000061C0000-0x00000000061E1000-memory.dmp

Filesize
132KB

Download
memory/3160-120-0x0000000004FD0000-0x00000000054CE000-memory.dmp

Filesize
5.0MB

Download
memory/3160-126-0x0000000004FD0000-0x00000000054CE000-memory.dmp

Filesize
5.0MB

Download
memory/3160-118-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/3732-125-0x0000000000000000-mapping.dmp

Download
memory/3828-142-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3828-143-0x0000000000407662-mapping.dmp

Download
memory/3828-150-0x0000000005630000-0x0000000005631000-memory.dmp

Filesize
4KB

Download
memory/3828-152-0x0000000005480000-0x0000000005481000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads