njrat | 707fef4235cf1842dd9090a412f0b986d5901e5a7728c89804eebdaad40c2468

General

Target

ab71d3024ba35c9025ead27b28c075bd.exe
Size

93KB
MD5

ab71d3024ba35c9025ead27b28c075bd
SHA1

67a1c777aa8dc845de80ac5da0c26088bccbf838
SHA256

707fef4235cf1842dd9090a412f0b986d5901e5a7728c89804eebdaad40c2468
SHA512

cf3f96595170102d21b597d2cbb692844c960ec3ed8acdc3b37e5421cd4dc26cab2c3e903773f2ffa03c443fec06f3d18520d4b2fd0fa3d8c8eb7ef2fe9febaf

Score

10^/10

njrat hacked evasion suricata trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

OC50Y3Aubmdyb2suaW8Strik:MTQ3Mjk=

Mutex

54d823e4dec41df2d9207ed10cdce4f6

Attributes

reg_key
54d823e4dec41df2d9207ed10cdce4f6
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata
Executes dropped EXE 1 IoCs

Processes:

server.exe

pid process

1328 server.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

pid	process
1328	server.exe

Drops startup file 4 IoCs

Processes:

server.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\54d823e4dec41df2d9207ed10cdce4f6Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\54d823e4dec41df2d9207ed10cdce4f6Windows Update.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

server.exe

pid process

1328 server.exe

pid	process
1328	server.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

Processes:

server.exe

description	pid	process
Token: SeDebugPrivilege	1328	server.exe
Token: 33	1328	server.exe
Token: SeIncBasePriorityPrivilege	1328	server.exe
Token: 33	1328	server.exe
Token: SeIncBasePriorityPrivilege	1328	server.exe
Token: 33	1328	server.exe
Token: SeIncBasePriorityPrivilege	1328	server.exe
Token: 33	1328	server.exe
Token: SeIncBasePriorityPrivilege	1328	server.exe
Token: 33	1328	server.exe
Token: SeIncBasePriorityPrivilege	1328	server.exe
Token: 33	1328	server.exe
Token: SeIncBasePriorityPrivilege	1328	server.exe
Token: 33	1328	server.exe
Token: SeIncBasePriorityPrivilege	1328	server.exe
Token: 33	1328	server.exe
Token: SeIncBasePriorityPrivilege	1328	server.exe
Token: 33	1328	server.exe
Token: SeIncBasePriorityPrivilege	1328	server.exe
Token: 33	1328	server.exe
Token: SeIncBasePriorityPrivilege	1328	server.exe
Token: 33	1328	server.exe
Token: SeIncBasePriorityPrivilege	1328	server.exe
Token: 33	1328	server.exe
Token: SeIncBasePriorityPrivilege	1328	server.exe
Token: 33	1328	server.exe
Token: SeIncBasePriorityPrivilege	1328	server.exe
Token: 33	1328	server.exe
Token: SeIncBasePriorityPrivilege	1328	server.exe
Token: 33	1328	server.exe
Token: SeIncBasePriorityPrivilege	1328	server.exe
Token: 33	1328	server.exe
Token: SeIncBasePriorityPrivilege	1328	server.exe
Token: 33	1328	server.exe
Token: SeIncBasePriorityPrivilege	1328	server.exe
Token: 33	1328	server.exe
Token: SeIncBasePriorityPrivilege	1328	server.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

ab71d3024ba35c9025ead27b28c075bd.exeserver.exe

description	pid	process	target process
PID 2764 wrote to memory of 1328	2764	ab71d3024ba35c9025ead27b28c075bd.exe	server.exe
PID 2764 wrote to memory of 1328	2764	ab71d3024ba35c9025ead27b28c075bd.exe	server.exe
PID 2764 wrote to memory of 1328	2764	ab71d3024ba35c9025ead27b28c075bd.exe	server.exe
PID 1328 wrote to memory of 652	1328	server.exe	netsh.exe
PID 1328 wrote to memory of 652	1328	server.exe	netsh.exe
PID 1328 wrote to memory of 652	1328	server.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\ab71d3024ba35c9025ead27b28c075bd.exe
"C:\Users\Admin\AppData\Local\Temp\ab71d3024ba35c9025ead27b28c075bd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2764

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1328

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
3⤵
PID:652

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\server.exe

MD5
ab71d3024ba35c9025ead27b28c075bd

SHA1
67a1c777aa8dc845de80ac5da0c26088bccbf838

SHA256
707fef4235cf1842dd9090a412f0b986d5901e5a7728c89804eebdaad40c2468

SHA512
cf3f96595170102d21b597d2cbb692844c960ec3ed8acdc3b37e5421cd4dc26cab2c3e903773f2ffa03c443fec06f3d18520d4b2fd0fa3d8c8eb7ef2fe9febaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe

MD5
ab71d3024ba35c9025ead27b28c075bd

SHA1
67a1c777aa8dc845de80ac5da0c26088bccbf838

SHA256
707fef4235cf1842dd9090a412f0b986d5901e5a7728c89804eebdaad40c2468

SHA512
cf3f96595170102d21b597d2cbb692844c960ec3ed8acdc3b37e5421cd4dc26cab2c3e903773f2ffa03c443fec06f3d18520d4b2fd0fa3d8c8eb7ef2fe9febaf

Download Submit
C:\Users\Admin\AppData\Roaming\app

MD5
311d687faffaed10f44ea27c024986b6

SHA1
eece910ea8cb7aed467e2e7700f7c223d3fbbc9e

SHA256
608547d80bf0e4b3d9cfffd324702b4aa38db2f0bfb3db4bd517b556fdf4de2b

SHA512
296d2cbbbf39917b174682a73e571a98130b2fe1c2dcb7c84adbd185a0b3a81384ad556e3a88cdeaa01fbd5cb486c58c1e1dff22f77cd3e9df7315b93355272b

Download Submit
memory/652-121-0x0000000000000000-mapping.dmp

Download
memory/1328-116-0x0000000000000000-mapping.dmp

Download
memory/1328-120-0x0000000002C00000-0x0000000002C01000-memory.dmp

Filesize
4KB

Download
memory/2764-115-0x0000000000A40000-0x0000000000A41000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads