njrat | 707fef4235cf1842dd9090a412f0b986d5901e5a7728c89804eebdaad40c2468

General

Target

ab71d3024ba35c9025ead27b28c075bd.exe
Size

93KB
MD5

ab71d3024ba35c9025ead27b28c075bd
SHA1

67a1c777aa8dc845de80ac5da0c26088bccbf838
SHA256

707fef4235cf1842dd9090a412f0b986d5901e5a7728c89804eebdaad40c2468
SHA512

cf3f96595170102d21b597d2cbb692844c960ec3ed8acdc3b37e5421cd4dc26cab2c3e903773f2ffa03c443fec06f3d18520d4b2fd0fa3d8c8eb7ef2fe9febaf

Score

10^/10

njrat hacked evasion suricata trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

OC50Y3Aubmdyb2suaW8Strik:MTQ3Mjk=

Mutex

54d823e4dec41df2d9207ed10cdce4f6

Attributes

reg_key
54d823e4dec41df2d9207ed10cdce4f6
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata
Executes dropped EXE 1 IoCs

Processes:

server.exe

pid process

516 server.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

pid	process
516	server.exe

Drops startup file 4 IoCs

Processes:

server.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\54d823e4dec41df2d9207ed10cdce4f6Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\54d823e4dec41df2d9207ed10cdce4f6Windows Update.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe

Loads dropped DLL 2 IoCs

Processes:

ab71d3024ba35c9025ead27b28c075bd.exe

pid process

1608 ab71d3024ba35c9025ead27b28c075bd.exe
1608 ab71d3024ba35c9025ead27b28c075bd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

server.exe

pid process

516 server.exe

pid	process
1608	ab71d3024ba35c9025ead27b28c075bd.exe
1608	ab71d3024ba35c9025ead27b28c075bd.exe

pid	process
516	server.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

Processes:

server.exe

description	pid	process
Token: SeDebugPrivilege	516	server.exe
Token: 33	516	server.exe
Token: SeIncBasePriorityPrivilege	516	server.exe
Token: 33	516	server.exe
Token: SeIncBasePriorityPrivilege	516	server.exe
Token: 33	516	server.exe
Token: SeIncBasePriorityPrivilege	516	server.exe
Token: 33	516	server.exe
Token: SeIncBasePriorityPrivilege	516	server.exe
Token: 33	516	server.exe
Token: SeIncBasePriorityPrivilege	516	server.exe
Token: 33	516	server.exe
Token: SeIncBasePriorityPrivilege	516	server.exe
Token: 33	516	server.exe
Token: SeIncBasePriorityPrivilege	516	server.exe
Token: 33	516	server.exe
Token: SeIncBasePriorityPrivilege	516	server.exe
Token: 33	516	server.exe
Token: SeIncBasePriorityPrivilege	516	server.exe
Token: 33	516	server.exe
Token: SeIncBasePriorityPrivilege	516	server.exe
Token: 33	516	server.exe
Token: SeIncBasePriorityPrivilege	516	server.exe
Token: 33	516	server.exe
Token: SeIncBasePriorityPrivilege	516	server.exe
Token: 33	516	server.exe
Token: SeIncBasePriorityPrivilege	516	server.exe
Token: 33	516	server.exe
Token: SeIncBasePriorityPrivilege	516	server.exe
Token: 33	516	server.exe
Token: SeIncBasePriorityPrivilege	516	server.exe
Token: 33	516	server.exe
Token: SeIncBasePriorityPrivilege	516	server.exe
Token: 33	516	server.exe
Token: SeIncBasePriorityPrivilege	516	server.exe
Token: 33	516	server.exe
Token: SeIncBasePriorityPrivilege	516	server.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

ab71d3024ba35c9025ead27b28c075bd.exeserver.exe

description	pid	process	target process
PID 1608 wrote to memory of 516	1608	ab71d3024ba35c9025ead27b28c075bd.exe	server.exe
PID 1608 wrote to memory of 516	1608	ab71d3024ba35c9025ead27b28c075bd.exe	server.exe
PID 1608 wrote to memory of 516	1608	ab71d3024ba35c9025ead27b28c075bd.exe	server.exe
PID 1608 wrote to memory of 516	1608	ab71d3024ba35c9025ead27b28c075bd.exe	server.exe
PID 516 wrote to memory of 612	516	server.exe	netsh.exe
PID 516 wrote to memory of 612	516	server.exe	netsh.exe
PID 516 wrote to memory of 612	516	server.exe	netsh.exe
PID 516 wrote to memory of 612	516	server.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\ab71d3024ba35c9025ead27b28c075bd.exe
"C:\Users\Admin\AppData\Local\Temp\ab71d3024ba35c9025ead27b28c075bd.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1608

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:516

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
3⤵
PID:612

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\server.exe

MD5
ab71d3024ba35c9025ead27b28c075bd

SHA1
67a1c777aa8dc845de80ac5da0c26088bccbf838

SHA256
707fef4235cf1842dd9090a412f0b986d5901e5a7728c89804eebdaad40c2468

SHA512
cf3f96595170102d21b597d2cbb692844c960ec3ed8acdc3b37e5421cd4dc26cab2c3e903773f2ffa03c443fec06f3d18520d4b2fd0fa3d8c8eb7ef2fe9febaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe

MD5
ab71d3024ba35c9025ead27b28c075bd

SHA1
67a1c777aa8dc845de80ac5da0c26088bccbf838

SHA256
707fef4235cf1842dd9090a412f0b986d5901e5a7728c89804eebdaad40c2468

SHA512
cf3f96595170102d21b597d2cbb692844c960ec3ed8acdc3b37e5421cd4dc26cab2c3e903773f2ffa03c443fec06f3d18520d4b2fd0fa3d8c8eb7ef2fe9febaf

Download Submit
C:\Users\Admin\AppData\Roaming\app

MD5
53ce6d1ae8885b5d12e654469f456c83

SHA1
9d8b30c523ddef4d24134072b27716bec7d94d6f

SHA256
d7ebf92ad6e3bc44fbc3cfbb234ef4afafd7ea339f712229641a2849b6f87ce2

SHA512
c15df9281e9ccbb8d30e24e751b77a030e734f8cda4bd9482d3ca02f6b23e463a8e90ddd78a582ca059e57b8d0492c22583d792bc7368094ffc06e12cd145d9d

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe

MD5
ab71d3024ba35c9025ead27b28c075bd

SHA1
67a1c777aa8dc845de80ac5da0c26088bccbf838

SHA256
707fef4235cf1842dd9090a412f0b986d5901e5a7728c89804eebdaad40c2468

SHA512
cf3f96595170102d21b597d2cbb692844c960ec3ed8acdc3b37e5421cd4dc26cab2c3e903773f2ffa03c443fec06f3d18520d4b2fd0fa3d8c8eb7ef2fe9febaf

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe

MD5
ab71d3024ba35c9025ead27b28c075bd

SHA1
67a1c777aa8dc845de80ac5da0c26088bccbf838

SHA256
707fef4235cf1842dd9090a412f0b986d5901e5a7728c89804eebdaad40c2468

SHA512
cf3f96595170102d21b597d2cbb692844c960ec3ed8acdc3b37e5421cd4dc26cab2c3e903773f2ffa03c443fec06f3d18520d4b2fd0fa3d8c8eb7ef2fe9febaf

Download Submit
memory/516-59-0x0000000000000000-mapping.dmp

Download
memory/516-64-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/612-65-0x0000000000000000-mapping.dmp

Download
memory/1608-55-0x0000000075AC1000-0x0000000075AC3000-memory.dmp

Filesize
8KB

Download
memory/1608-56-0x0000000000B10000-0x0000000000B11000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads