njrat | f68d863a9eebbaf7615a7b9c974f5a778a8fff581c6cbc6188e2c01671b267ab

General

Target

55d94ffcf330917328c6a586d6534d25.exe
Size

37KB
MD5

55d94ffcf330917328c6a586d6534d25
SHA1

63d64293d07ceac441a14a52b713397bd99175b7
SHA256

f68d863a9eebbaf7615a7b9c974f5a778a8fff581c6cbc6188e2c01671b267ab
SHA512

2e677009cafb95ea0f045ef39f7afc843aa2dbb687928a23bfa082276232e23f5b806c2aa62d44b1c2d29ebc5081670111500f976ee36ffe6fe1acbd59a02e3f

Score

10^/10

njrat hacked evasion trojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

HacKed

C2

185.204.1.234:5555

Mutex

e5a45bd689be1f7ca7b7912ac4ee9051

Attributes

reg_key
e5a45bd689be1f7ca7b7912ac4ee9051
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 1 IoCs

Processes:

server.exe

pid process

544 server.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Loads dropped DLL 1 IoCs

Processes:

55d94ffcf330917328c6a586d6534d25.exe

pid process

980 55d94ffcf330917328c6a586d6534d25.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
544	server.exe

pid	process
980	55d94ffcf330917328c6a586d6534d25.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

server.exe

description	pid	process
Token: SeDebugPrivilege	544	server.exe
Token: 33	544	server.exe
Token: SeIncBasePriorityPrivilege	544	server.exe
Token: 33	544	server.exe
Token: SeIncBasePriorityPrivilege	544	server.exe
Token: 33	544	server.exe
Token: SeIncBasePriorityPrivilege	544	server.exe
Token: 33	544	server.exe
Token: SeIncBasePriorityPrivilege	544	server.exe
Token: 33	544	server.exe
Token: SeIncBasePriorityPrivilege	544	server.exe
Token: 33	544	server.exe
Token: SeIncBasePriorityPrivilege	544	server.exe
Token: 33	544	server.exe
Token: SeIncBasePriorityPrivilege	544	server.exe
Token: 33	544	server.exe
Token: SeIncBasePriorityPrivilege	544	server.exe
Token: 33	544	server.exe
Token: SeIncBasePriorityPrivilege	544	server.exe
Token: 33	544	server.exe
Token: SeIncBasePriorityPrivilege	544	server.exe
Token: 33	544	server.exe
Token: SeIncBasePriorityPrivilege	544	server.exe
Token: 33	544	server.exe
Token: SeIncBasePriorityPrivilege	544	server.exe
Token: 33	544	server.exe
Token: SeIncBasePriorityPrivilege	544	server.exe
Token: 33	544	server.exe
Token: SeIncBasePriorityPrivilege	544	server.exe
Token: 33	544	server.exe
Token: SeIncBasePriorityPrivilege	544	server.exe
Token: 33	544	server.exe
Token: SeIncBasePriorityPrivilege	544	server.exe
Token: 33	544	server.exe
Token: SeIncBasePriorityPrivilege	544	server.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

55d94ffcf330917328c6a586d6534d25.exeserver.exe

description	pid	process	target process
PID 980 wrote to memory of 544	980	55d94ffcf330917328c6a586d6534d25.exe	server.exe
PID 980 wrote to memory of 544	980	55d94ffcf330917328c6a586d6534d25.exe	server.exe
PID 980 wrote to memory of 544	980	55d94ffcf330917328c6a586d6534d25.exe	server.exe
PID 980 wrote to memory of 544	980	55d94ffcf330917328c6a586d6534d25.exe	server.exe
PID 544 wrote to memory of 1856	544	server.exe	netsh.exe
PID 544 wrote to memory of 1856	544	server.exe	netsh.exe
PID 544 wrote to memory of 1856	544	server.exe	netsh.exe
PID 544 wrote to memory of 1856	544	server.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\55d94ffcf330917328c6a586d6534d25.exe
"C:\Users\Admin\AppData\Local\Temp\55d94ffcf330917328c6a586d6534d25.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:980

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:544

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
3⤵
PID:1856

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\server.exe

MD5
55d94ffcf330917328c6a586d6534d25

SHA1
63d64293d07ceac441a14a52b713397bd99175b7

SHA256
f68d863a9eebbaf7615a7b9c974f5a778a8fff581c6cbc6188e2c01671b267ab

SHA512
2e677009cafb95ea0f045ef39f7afc843aa2dbb687928a23bfa082276232e23f5b806c2aa62d44b1c2d29ebc5081670111500f976ee36ffe6fe1acbd59a02e3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe

MD5
55d94ffcf330917328c6a586d6534d25

SHA1
63d64293d07ceac441a14a52b713397bd99175b7

SHA256
f68d863a9eebbaf7615a7b9c974f5a778a8fff581c6cbc6188e2c01671b267ab

SHA512
2e677009cafb95ea0f045ef39f7afc843aa2dbb687928a23bfa082276232e23f5b806c2aa62d44b1c2d29ebc5081670111500f976ee36ffe6fe1acbd59a02e3f

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe

MD5
55d94ffcf330917328c6a586d6534d25

SHA1
63d64293d07ceac441a14a52b713397bd99175b7

SHA256
f68d863a9eebbaf7615a7b9c974f5a778a8fff581c6cbc6188e2c01671b267ab

SHA512
2e677009cafb95ea0f045ef39f7afc843aa2dbb687928a23bfa082276232e23f5b806c2aa62d44b1c2d29ebc5081670111500f976ee36ffe6fe1acbd59a02e3f

Download Submit
memory/544-57-0x0000000000000000-mapping.dmp

Download
memory/544-61-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/980-54-0x0000000075F21000-0x0000000075F23000-memory.dmp

Filesize
8KB

Download
memory/980-55-0x0000000000BA0000-0x0000000000BA1000-memory.dmp

Filesize
4KB

Download
memory/1856-62-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing