njrat | 9dd8cb6a13209dd543925a620620d23fb74f5e615c0cd6b3a7c0b208f9fcbeb6

General

Target

a5c53ee866d51d6af63e79e7c37e9871.exe
Size

43KB
MD5

a5c53ee866d51d6af63e79e7c37e9871
SHA1

45284d2633c196757c2b7bba35246a30dbc20454
SHA256

9dd8cb6a13209dd543925a620620d23fb74f5e615c0cd6b3a7c0b208f9fcbeb6
SHA512

c08242a988ca7668ebcb6ea9235655ea17670325b4912189e2723728f85878da58e495d1f455c1d06466ed7acec036fb12a4a040fb7866403adae7c9cb7603dc

Score

10^/10

njrat hacked suricata trojan

Malware Config

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

HacKed

C2

6.tcp.ngrok.io:17656

Mutex

Windows Update

Attributes

reg_key
Windows Update
splitter
|Hassan|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata
Executes dropped EXE 1 IoCs

Processes:

rawetrip.exe

pid process

544 rawetrip.exe
Loads dropped DLL 1 IoCs

Processes:

a5c53ee866d51d6af63e79e7c37e9871.exe

pid process

844 a5c53ee866d51d6af63e79e7c37e9871.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

a5c53ee866d51d6af63e79e7c37e9871.exerawetrip.exe

pid process

844 a5c53ee866d51d6af63e79e7c37e9871.exe
544 rawetrip.exe

pid	process
544	rawetrip.exe

pid	process
844	a5c53ee866d51d6af63e79e7c37e9871.exe

pid	process
844	a5c53ee866d51d6af63e79e7c37e9871.exe
544	rawetrip.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

Processes:

rawetrip.exe

description	pid	process
Token: SeDebugPrivilege	544	rawetrip.exe
Token: 33	544	rawetrip.exe
Token: SeIncBasePriorityPrivilege	544	rawetrip.exe
Token: 33	544	rawetrip.exe
Token: SeIncBasePriorityPrivilege	544	rawetrip.exe
Token: 33	544	rawetrip.exe
Token: SeIncBasePriorityPrivilege	544	rawetrip.exe
Token: 33	544	rawetrip.exe
Token: SeIncBasePriorityPrivilege	544	rawetrip.exe
Token: 33	544	rawetrip.exe
Token: SeIncBasePriorityPrivilege	544	rawetrip.exe
Token: 33	544	rawetrip.exe
Token: SeIncBasePriorityPrivilege	544	rawetrip.exe
Token: 33	544	rawetrip.exe
Token: SeIncBasePriorityPrivilege	544	rawetrip.exe
Token: 33	544	rawetrip.exe
Token: SeIncBasePriorityPrivilege	544	rawetrip.exe
Token: 33	544	rawetrip.exe
Token: SeIncBasePriorityPrivilege	544	rawetrip.exe
Token: 33	544	rawetrip.exe
Token: SeIncBasePriorityPrivilege	544	rawetrip.exe
Token: 33	544	rawetrip.exe
Token: SeIncBasePriorityPrivilege	544	rawetrip.exe
Token: 33	544	rawetrip.exe
Token: SeIncBasePriorityPrivilege	544	rawetrip.exe
Token: 33	544	rawetrip.exe
Token: SeIncBasePriorityPrivilege	544	rawetrip.exe
Token: 33	544	rawetrip.exe
Token: SeIncBasePriorityPrivilege	544	rawetrip.exe
Token: 33	544	rawetrip.exe
Token: SeIncBasePriorityPrivilege	544	rawetrip.exe
Token: 33	544	rawetrip.exe
Token: SeIncBasePriorityPrivilege	544	rawetrip.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

a5c53ee866d51d6af63e79e7c37e9871.exe

description	pid	process	target process
PID 844 wrote to memory of 544	844	a5c53ee866d51d6af63e79e7c37e9871.exe	rawetrip.exe
PID 844 wrote to memory of 544	844	a5c53ee866d51d6af63e79e7c37e9871.exe	rawetrip.exe
PID 844 wrote to memory of 544	844	a5c53ee866d51d6af63e79e7c37e9871.exe	rawetrip.exe
PID 844 wrote to memory of 544	844	a5c53ee866d51d6af63e79e7c37e9871.exe	rawetrip.exe

C:\Users\Admin\AppData\Local\Temp\a5c53ee866d51d6af63e79e7c37e9871.exe
"C:\Users\Admin\AppData\Local\Temp\a5c53ee866d51d6af63e79e7c37e9871.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:844

C:\Users\Admin\AppData\Roaming\rawetrip.exe
"C:\Users\Admin\AppData\Roaming\rawetrip.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:544

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\rawetrip.exe

MD5
a5c53ee866d51d6af63e79e7c37e9871

SHA1
45284d2633c196757c2b7bba35246a30dbc20454

SHA256
9dd8cb6a13209dd543925a620620d23fb74f5e615c0cd6b3a7c0b208f9fcbeb6

SHA512
c08242a988ca7668ebcb6ea9235655ea17670325b4912189e2723728f85878da58e495d1f455c1d06466ed7acec036fb12a4a040fb7866403adae7c9cb7603dc

Download Submit
C:\Users\Admin\AppData\Roaming\rawetrip.exe

MD5
a5c53ee866d51d6af63e79e7c37e9871

SHA1
45284d2633c196757c2b7bba35246a30dbc20454

SHA256
9dd8cb6a13209dd543925a620620d23fb74f5e615c0cd6b3a7c0b208f9fcbeb6

SHA512
c08242a988ca7668ebcb6ea9235655ea17670325b4912189e2723728f85878da58e495d1f455c1d06466ed7acec036fb12a4a040fb7866403adae7c9cb7603dc

Download Submit
\Users\Admin\AppData\Roaming\rawetrip.exe

MD5
a5c53ee866d51d6af63e79e7c37e9871

SHA1
45284d2633c196757c2b7bba35246a30dbc20454

SHA256
9dd8cb6a13209dd543925a620620d23fb74f5e615c0cd6b3a7c0b208f9fcbeb6

SHA512
c08242a988ca7668ebcb6ea9235655ea17670325b4912189e2723728f85878da58e495d1f455c1d06466ed7acec036fb12a4a040fb7866403adae7c9cb7603dc

Download Submit
memory/544-58-0x0000000000000000-mapping.dmp

Download
memory/544-61-0x0000000001390000-0x0000000001391000-memory.dmp

Filesize
4KB

Download
memory/544-63-0x00000000004A0000-0x00000000004A1000-memory.dmp

Filesize
4KB

Download
memory/844-53-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

Filesize
4KB

Download
memory/844-55-0x0000000004F80000-0x0000000004F81000-memory.dmp

Filesize
4KB

Download
memory/844-56-0x0000000076151000-0x0000000076153000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing