njrat | 6b6c079401e47ab7c10a16fec31f9e330b3730f0e9f925caa43368b95a421b5e

Analysis

max time kernel
152s
max time network
157s
platform
windows7_x64
resource
win7-en-20211208
submitted
22-12-2021 10:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b28f74c18bf85bea722d915ee65f5f1c.exe
Size

7.2MB
MD5

b28f74c18bf85bea722d915ee65f5f1c
SHA1

fff14f1641964aa645eb79d8e85786b6bbc42664
SHA256

6b6c079401e47ab7c10a16fec31f9e330b3730f0e9f925caa43368b95a421b5e
SHA512

3b1eaa9ed38fd4498d92b66f048509be96376bbd1384c3bfa2471786ff395a95c87b64d6b6e730c91a56ac1afd1ba76bba01d4f30470e426f972e702be881825

Score

10^/10

njrat user evasion trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

user

6.tcp.ngrok.io:18635

Mutex

f1772f647278bebfd846fd1a1dc56683

Attributes

reg_key
f1772f647278bebfd846fd1a1dc56683
splitter
Y262SUCZ4UJJ

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 2 IoCs

Processes:

Client.exeCG_Loader.exe

pid process

1896 Client.exe
472 CG_Loader.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

pid	process
1896	Client.exe
472	CG_Loader.exe

Loads dropped DLL 7 IoCs

Processes:

b28f74c18bf85bea722d915ee65f5f1c.exeWerFault.exe

pid	process
1584	b28f74c18bf85bea722d915ee65f5f1c.exe
1584	b28f74c18bf85bea722d915ee65f5f1c.exe
1048	WerFault.exe
1048	WerFault.exe
1048	WerFault.exe
1048	WerFault.exe
1048	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1048 472 WerFault.exe CG_Loader.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

WerFault.exe

pid process

1048 WerFault.exe
1048 WerFault.exe
1048 WerFault.exe
1048 WerFault.exe
1048 WerFault.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WerFault.exe

pid process

1048 WerFault.exe

pid	pid_target	process	target process
1048	472	WerFault.exe	CG_Loader.exe

pid	process
1048	WerFault.exe
1048	WerFault.exe
1048	WerFault.exe
1048	WerFault.exe
1048	WerFault.exe

pid	process
1048	WerFault.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

Processes:

WerFault.exeClient.exe

description	pid	process
Token: SeDebugPrivilege	1048	WerFault.exe
Token: SeDebugPrivilege	1896	Client.exe
Token: 33	1896	Client.exe
Token: SeIncBasePriorityPrivilege	1896	Client.exe
Token: 33	1896	Client.exe
Token: SeIncBasePriorityPrivilege	1896	Client.exe
Token: 33	1896	Client.exe
Token: SeIncBasePriorityPrivilege	1896	Client.exe
Token: 33	1896	Client.exe
Token: SeIncBasePriorityPrivilege	1896	Client.exe
Token: 33	1896	Client.exe
Token: SeIncBasePriorityPrivilege	1896	Client.exe
Token: 33	1896	Client.exe
Token: SeIncBasePriorityPrivilege	1896	Client.exe
Token: 33	1896	Client.exe
Token: SeIncBasePriorityPrivilege	1896	Client.exe
Token: 33	1896	Client.exe
Token: SeIncBasePriorityPrivilege	1896	Client.exe
Token: 33	1896	Client.exe
Token: SeIncBasePriorityPrivilege	1896	Client.exe
Token: 33	1896	Client.exe
Token: SeIncBasePriorityPrivilege	1896	Client.exe
Token: 33	1896	Client.exe
Token: SeIncBasePriorityPrivilege	1896	Client.exe
Token: 33	1896	Client.exe
Token: SeIncBasePriorityPrivilege	1896	Client.exe
Token: 33	1896	Client.exe
Token: SeIncBasePriorityPrivilege	1896	Client.exe
Token: 33	1896	Client.exe
Token: SeIncBasePriorityPrivilege	1896	Client.exe
Token: 33	1896	Client.exe
Token: SeIncBasePriorityPrivilege	1896	Client.exe
Token: 33	1896	Client.exe
Token: SeIncBasePriorityPrivilege	1896	Client.exe
Token: 33	1896	Client.exe
Token: SeIncBasePriorityPrivilege	1896	Client.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

b28f74c18bf85bea722d915ee65f5f1c.exeClient.exeCG_Loader.exe

description	pid	process	target process
PID 1584 wrote to memory of 1896	1584	b28f74c18bf85bea722d915ee65f5f1c.exe	Client.exe
PID 1584 wrote to memory of 1896	1584	b28f74c18bf85bea722d915ee65f5f1c.exe	Client.exe
PID 1584 wrote to memory of 1896	1584	b28f74c18bf85bea722d915ee65f5f1c.exe	Client.exe
PID 1584 wrote to memory of 1896	1584	b28f74c18bf85bea722d915ee65f5f1c.exe	Client.exe
PID 1584 wrote to memory of 472	1584	b28f74c18bf85bea722d915ee65f5f1c.exe	CG_Loader.exe
PID 1584 wrote to memory of 472	1584	b28f74c18bf85bea722d915ee65f5f1c.exe	CG_Loader.exe
PID 1584 wrote to memory of 472	1584	b28f74c18bf85bea722d915ee65f5f1c.exe	CG_Loader.exe
PID 1584 wrote to memory of 472	1584	b28f74c18bf85bea722d915ee65f5f1c.exe	CG_Loader.exe
PID 1896 wrote to memory of 1012	1896	Client.exe	netsh.exe
PID 1896 wrote to memory of 1012	1896	Client.exe	netsh.exe
PID 1896 wrote to memory of 1012	1896	Client.exe	netsh.exe
PID 1896 wrote to memory of 1012	1896	Client.exe	netsh.exe
PID 472 wrote to memory of 1048	472	CG_Loader.exe	WerFault.exe
PID 472 wrote to memory of 1048	472	CG_Loader.exe	WerFault.exe
PID 472 wrote to memory of 1048	472	CG_Loader.exe	WerFault.exe
PID 472 wrote to memory of 1048	472	CG_Loader.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\b28f74c18bf85bea722d915ee65f5f1c.exe
"C:\Users\Admin\AppData\Local\Temp\b28f74c18bf85bea722d915ee65f5f1c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1584

C:\Users\Admin\AppData\Roaming\Client.exe
"C:\Users\Admin\AppData\Roaming\Client.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1896

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Client.exe" "Client.exe" ENABLE
3⤵
PID:1012

C:\Users\Admin\AppData\Roaming\CG_Loader.exe
"C:\Users\Admin\AppData\Roaming\CG_Loader.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 472 -s 752
3⤵
- Loads dropped DLL
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1048

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\CG_Loader.exe

MD5
b91e196fc0321fac4f419bc4073c5245

SHA1
4b14cc4baddc993dd91903b837962a7874f85a05

SHA256
e692b6c2b7536ae65eccc5a4e5c70a7170b204e7d4ece745cb3601531a3f2f0f

SHA512
2d31b627979253e49bd5bcc1dd7dd1e6f96d3dcec0772450a4bfecdd3208046b14cb940b010c53e76fab350fa63c4376df5315e31bb70fc75e13ac54b23c388b

Download Submit
C:\Users\Admin\AppData\Roaming\CG_Loader.exe

MD5
b91e196fc0321fac4f419bc4073c5245

SHA1
4b14cc4baddc993dd91903b837962a7874f85a05

SHA256
e692b6c2b7536ae65eccc5a4e5c70a7170b204e7d4ece745cb3601531a3f2f0f

SHA512
2d31b627979253e49bd5bcc1dd7dd1e6f96d3dcec0772450a4bfecdd3208046b14cb940b010c53e76fab350fa63c4376df5315e31bb70fc75e13ac54b23c388b

Download Submit
C:\Users\Admin\AppData\Roaming\Client.exe

MD5
45a24a0d8c376cf9bbf480e818f53f61

SHA1
2871bf6c8085d4082239569e3b9e95337a3035b9

SHA256
82a896fe010d5a29f47a2971d5323e1d21886d4a68820f5fe1dbd640035a4a32

SHA512
afe73679cec54fc328ff62ebf92abb6f060ba108c5527b91c8423352e39e0a110a986b4826083a429ad91f4f1d301b20fdd9b91003c8606108508281250864c4

Download Submit
C:\Users\Admin\AppData\Roaming\Client.exe

MD5
45a24a0d8c376cf9bbf480e818f53f61

SHA1
2871bf6c8085d4082239569e3b9e95337a3035b9

SHA256
82a896fe010d5a29f47a2971d5323e1d21886d4a68820f5fe1dbd640035a4a32

SHA512
afe73679cec54fc328ff62ebf92abb6f060ba108c5527b91c8423352e39e0a110a986b4826083a429ad91f4f1d301b20fdd9b91003c8606108508281250864c4

Download Submit
\Users\Admin\AppData\Roaming\CG_Loader.exe

MD5
b91e196fc0321fac4f419bc4073c5245

SHA1
4b14cc4baddc993dd91903b837962a7874f85a05

SHA256
e692b6c2b7536ae65eccc5a4e5c70a7170b204e7d4ece745cb3601531a3f2f0f

SHA512
2d31b627979253e49bd5bcc1dd7dd1e6f96d3dcec0772450a4bfecdd3208046b14cb940b010c53e76fab350fa63c4376df5315e31bb70fc75e13ac54b23c388b

Download Submit
\Users\Admin\AppData\Roaming\CG_Loader.exe

MD5
b91e196fc0321fac4f419bc4073c5245

SHA1
4b14cc4baddc993dd91903b837962a7874f85a05

SHA256
e692b6c2b7536ae65eccc5a4e5c70a7170b204e7d4ece745cb3601531a3f2f0f

SHA512
2d31b627979253e49bd5bcc1dd7dd1e6f96d3dcec0772450a4bfecdd3208046b14cb940b010c53e76fab350fa63c4376df5315e31bb70fc75e13ac54b23c388b

Download Submit
\Users\Admin\AppData\Roaming\CG_Loader.exe

MD5
b91e196fc0321fac4f419bc4073c5245

SHA1
4b14cc4baddc993dd91903b837962a7874f85a05

SHA256
e692b6c2b7536ae65eccc5a4e5c70a7170b204e7d4ece745cb3601531a3f2f0f

SHA512
2d31b627979253e49bd5bcc1dd7dd1e6f96d3dcec0772450a4bfecdd3208046b14cb940b010c53e76fab350fa63c4376df5315e31bb70fc75e13ac54b23c388b

Download Submit
\Users\Admin\AppData\Roaming\CG_Loader.exe

MD5
b91e196fc0321fac4f419bc4073c5245

SHA1
4b14cc4baddc993dd91903b837962a7874f85a05

SHA256
e692b6c2b7536ae65eccc5a4e5c70a7170b204e7d4ece745cb3601531a3f2f0f

SHA512
2d31b627979253e49bd5bcc1dd7dd1e6f96d3dcec0772450a4bfecdd3208046b14cb940b010c53e76fab350fa63c4376df5315e31bb70fc75e13ac54b23c388b

Download Submit
\Users\Admin\AppData\Roaming\CG_Loader.exe

MD5
b91e196fc0321fac4f419bc4073c5245

SHA1
4b14cc4baddc993dd91903b837962a7874f85a05

SHA256
e692b6c2b7536ae65eccc5a4e5c70a7170b204e7d4ece745cb3601531a3f2f0f

SHA512
2d31b627979253e49bd5bcc1dd7dd1e6f96d3dcec0772450a4bfecdd3208046b14cb940b010c53e76fab350fa63c4376df5315e31bb70fc75e13ac54b23c388b

Download Submit
\Users\Admin\AppData\Roaming\CG_Loader.exe

MD5
b91e196fc0321fac4f419bc4073c5245

SHA1
4b14cc4baddc993dd91903b837962a7874f85a05

SHA256
e692b6c2b7536ae65eccc5a4e5c70a7170b204e7d4ece745cb3601531a3f2f0f

SHA512
2d31b627979253e49bd5bcc1dd7dd1e6f96d3dcec0772450a4bfecdd3208046b14cb940b010c53e76fab350fa63c4376df5315e31bb70fc75e13ac54b23c388b

Download Submit
\Users\Admin\AppData\Roaming\Client.exe

MD5
45a24a0d8c376cf9bbf480e818f53f61

SHA1
2871bf6c8085d4082239569e3b9e95337a3035b9

SHA256
82a896fe010d5a29f47a2971d5323e1d21886d4a68820f5fe1dbd640035a4a32

SHA512
afe73679cec54fc328ff62ebf92abb6f060ba108c5527b91c8423352e39e0a110a986b4826083a429ad91f4f1d301b20fdd9b91003c8606108508281250864c4

Download Submit
memory/472-61-0x0000000000000000-mapping.dmp

Download
memory/472-67-0x0000000005130000-0x0000000005131000-memory.dmp

Filesize
4KB

Download
memory/472-68-0x00000000087D0000-0x00000000091BE000-memory.dmp

Filesize
9.9MB

Download
memory/472-65-0x0000000000C90000-0x0000000000C91000-memory.dmp

Filesize
4KB

Download
memory/1012-69-0x0000000000000000-mapping.dmp

Download
memory/1048-71-0x0000000000000000-mapping.dmp

Download
memory/1048-77-0x0000000000810000-0x0000000000811000-memory.dmp

Filesize
4KB

Download
memory/1584-53-0x0000000075D61000-0x0000000075D63000-memory.dmp

Filesize
8KB

Download
memory/1584-54-0x00000000027E0000-0x00000000027E1000-memory.dmp

Filesize
4KB

Download
memory/1896-64-0x0000000000460000-0x0000000000461000-memory.dmp

Filesize
4KB

Download
memory/1896-56-0x0000000000000000-mapping.dmp

Download