njrat | 9dd8cb6a13209dd543925a620620d23fb74f5e615c0cd6b3a7c0b208f9fcbeb6

General

Target

9dd8cb6a13209dd543925a620620d23fb74f5e615c0cd6b3a7c0b208f9fcbeb6.exe
Size

43KB
MD5

a5c53ee866d51d6af63e79e7c37e9871
SHA1

45284d2633c196757c2b7bba35246a30dbc20454
SHA256

9dd8cb6a13209dd543925a620620d23fb74f5e615c0cd6b3a7c0b208f9fcbeb6
SHA512

c08242a988ca7668ebcb6ea9235655ea17670325b4912189e2723728f85878da58e495d1f455c1d06466ed7acec036fb12a4a040fb7866403adae7c9cb7603dc

Score

10^/10

njrat hacked suricata trojan

Malware Config

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

HacKed

C2

6.tcp.ngrok.io:17656

Mutex

Windows Update

Attributes

reg_key
Windows Update
splitter
|Hassan|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata
Executes dropped EXE 1 IoCs

Processes:

rawetrip.exe

pid process

3540 rawetrip.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

9dd8cb6a13209dd543925a620620d23fb74f5e615c0cd6b3a7c0b208f9fcbeb6.exerawetrip.exe

pid process

2520 9dd8cb6a13209dd543925a620620d23fb74f5e615c0cd6b3a7c0b208f9fcbeb6.exe
3540 rawetrip.exe

pid	process
3540	rawetrip.exe

pid	process
2520	9dd8cb6a13209dd543925a620620d23fb74f5e615c0cd6b3a7c0b208f9fcbeb6.exe
3540	rawetrip.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

Processes:

rawetrip.exe

description	pid	process
Token: SeDebugPrivilege	3540	rawetrip.exe
Token: 33	3540	rawetrip.exe
Token: SeIncBasePriorityPrivilege	3540	rawetrip.exe
Token: 33	3540	rawetrip.exe
Token: SeIncBasePriorityPrivilege	3540	rawetrip.exe
Token: 33	3540	rawetrip.exe
Token: SeIncBasePriorityPrivilege	3540	rawetrip.exe
Token: 33	3540	rawetrip.exe
Token: SeIncBasePriorityPrivilege	3540	rawetrip.exe
Token: 33	3540	rawetrip.exe
Token: SeIncBasePriorityPrivilege	3540	rawetrip.exe
Token: 33	3540	rawetrip.exe
Token: SeIncBasePriorityPrivilege	3540	rawetrip.exe
Token: 33	3540	rawetrip.exe
Token: SeIncBasePriorityPrivilege	3540	rawetrip.exe
Token: 33	3540	rawetrip.exe
Token: SeIncBasePriorityPrivilege	3540	rawetrip.exe
Token: 33	3540	rawetrip.exe
Token: SeIncBasePriorityPrivilege	3540	rawetrip.exe
Token: 33	3540	rawetrip.exe
Token: SeIncBasePriorityPrivilege	3540	rawetrip.exe
Token: 33	3540	rawetrip.exe
Token: SeIncBasePriorityPrivilege	3540	rawetrip.exe
Token: 33	3540	rawetrip.exe
Token: SeIncBasePriorityPrivilege	3540	rawetrip.exe
Token: 33	3540	rawetrip.exe
Token: SeIncBasePriorityPrivilege	3540	rawetrip.exe
Token: 33	3540	rawetrip.exe
Token: SeIncBasePriorityPrivilege	3540	rawetrip.exe
Token: 33	3540	rawetrip.exe
Token: SeIncBasePriorityPrivilege	3540	rawetrip.exe
Token: 33	3540	rawetrip.exe
Token: SeIncBasePriorityPrivilege	3540	rawetrip.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

9dd8cb6a13209dd543925a620620d23fb74f5e615c0cd6b3a7c0b208f9fcbeb6.exe

description	pid	process	target process
PID 2520 wrote to memory of 3540	2520	9dd8cb6a13209dd543925a620620d23fb74f5e615c0cd6b3a7c0b208f9fcbeb6.exe	rawetrip.exe
PID 2520 wrote to memory of 3540	2520	9dd8cb6a13209dd543925a620620d23fb74f5e615c0cd6b3a7c0b208f9fcbeb6.exe	rawetrip.exe
PID 2520 wrote to memory of 3540	2520	9dd8cb6a13209dd543925a620620d23fb74f5e615c0cd6b3a7c0b208f9fcbeb6.exe	rawetrip.exe

C:\Users\Admin\AppData\Local\Temp\9dd8cb6a13209dd543925a620620d23fb74f5e615c0cd6b3a7c0b208f9fcbeb6.exe
"C:\Users\Admin\AppData\Local\Temp\9dd8cb6a13209dd543925a620620d23fb74f5e615c0cd6b3a7c0b208f9fcbeb6.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2520

C:\Users\Admin\AppData\Roaming\rawetrip.exe
"C:\Users\Admin\AppData\Roaming\rawetrip.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3540

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\rawetrip.exe

MD5
a5c53ee866d51d6af63e79e7c37e9871

SHA1
45284d2633c196757c2b7bba35246a30dbc20454

SHA256
9dd8cb6a13209dd543925a620620d23fb74f5e615c0cd6b3a7c0b208f9fcbeb6

SHA512
c08242a988ca7668ebcb6ea9235655ea17670325b4912189e2723728f85878da58e495d1f455c1d06466ed7acec036fb12a4a040fb7866403adae7c9cb7603dc

Download Submit
C:\Users\Admin\AppData\Roaming\rawetrip.exe

MD5
a5c53ee866d51d6af63e79e7c37e9871

SHA1
45284d2633c196757c2b7bba35246a30dbc20454

SHA256
9dd8cb6a13209dd543925a620620d23fb74f5e615c0cd6b3a7c0b208f9fcbeb6

SHA512
c08242a988ca7668ebcb6ea9235655ea17670325b4912189e2723728f85878da58e495d1f455c1d06466ed7acec036fb12a4a040fb7866403adae7c9cb7603dc

Download Submit
memory/2520-115-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2520-117-0x0000000004BE0000-0x0000000004BE1000-memory.dmp

Filesize
4KB

Download
memory/2520-118-0x00000000053B0000-0x00000000053B1000-memory.dmp

Filesize
4KB

Download
memory/2520-119-0x0000000004F90000-0x0000000004F91000-memory.dmp

Filesize
4KB

Download
memory/2520-120-0x00000000025B0000-0x00000000025B1000-memory.dmp

Filesize
4KB

Download
memory/3540-121-0x0000000000000000-mapping.dmp

Download
memory/3540-129-0x00000000053F0000-0x000000000548C000-memory.dmp

Filesize
624KB

Download
memory/3540-130-0x0000000005870000-0x0000000005871000-memory.dmp

Filesize
4KB

Download
memory/3540-131-0x0000000005A60000-0x0000000005A61000-memory.dmp

Filesize
4KB

Download
memory/3540-132-0x00000000068E0000-0x00000000068E1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing