njrat | d744acfd989c900314f9e1bced18aaae5cdef2dde15a98512842c43f47afc315

General

Target

d744acfd989c900314f9e1bced18aaae5cdef2dde15a98512842c43f47afc315.bin.exe
Size

2.9MB
MD5

bec34a052aa8082d10b8da33fe7883e4
SHA1

e3f02cd8ca16879049e2e1e851432c200243dff0
SHA256

d744acfd989c900314f9e1bced18aaae5cdef2dde15a98512842c43f47afc315
SHA512

2c0718e139b214cdfe50030a49f557e4696131fcdf4c524fc8a08681f480862b6d5c3f4188130491d84eb58cf9276f371ab05fd2b2e063799aa6a4bd0a12bd3a

Score

10^/10

Malware Config

Signatures

Contains code to disable Windows Defender 4 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
C:\Windows\CloudFlare.exe	disable_win_def
C:\Windows\CloudFlare.exe	disable_win_def
behavioral1/memory/812-76-0x0000000000D50000-0x0000000000D68000-memory.dmp	disable_win_def
behavioral1/memory/812-77-0x0000000000D50000-0x0000000000D68000-memory.dmp	disable_win_def

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty Payload 4 IoCs

Processes:

resource	yara_rule
C:\Windows\CloudFlare.exe	family_stormkitty
C:\Windows\CloudFlare.exe	family_stormkitty
behavioral1/memory/812-76-0x0000000000D50000-0x0000000000D68000-memory.dmp	family_stormkitty
behavioral1/memory/812-77-0x0000000000D50000-0x0000000000D68000-memory.dmp	family_stormkitty

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 4 IoCs

Processes:

CloudFlare.exeMsMpWindowsHeandler.exeMsMpWindowsHeandler.exeZeusDDoS.exe

pid process

812 CloudFlare.exe
1304 MsMpWindowsHeandler.exe
744 MsMpWindowsHeandler.exe
1860 ZeusDDoS.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 checkip.dyndns.org

pid	process
812	CloudFlare.exe
1304	MsMpWindowsHeandler.exe
744	MsMpWindowsHeandler.exe
1860	ZeusDDoS.exe

flow	ioc
4	checkip.dyndns.org

Drops file in Windows directory 4 IoCs

Processes:

d744acfd989c900314f9e1bced18aaae5cdef2dde15a98512842c43f47afc315.bin.exe

description	ioc	process
File created	C:\Windows\ZeusDDoS.exe	d744acfd989c900314f9e1bced18aaae5cdef2dde15a98512842c43f47afc315.bin.exe
File created	C:\Windows\CloudFlare.exe	d744acfd989c900314f9e1bced18aaae5cdef2dde15a98512842c43f47afc315.bin.exe
File created	C:\Windows\MsMpWindowsHeandler.exe	d744acfd989c900314f9e1bced18aaae5cdef2dde15a98512842c43f47afc315.bin.exe
File opened for modification	C:\Windows\MsMpWindowsHeandler.exe	d744acfd989c900314f9e1bced18aaae5cdef2dde15a98512842c43f47afc315.bin.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1920 812 WerFault.exe CloudFlare.exe
Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

powershell.exepowershell.exeWerFault.exe

pid process

964 powershell.exe
924 powershell.exe
1920 WerFault.exe
1920 WerFault.exe
1920 WerFault.exe
1920 WerFault.exe
1920 WerFault.exe

pid	pid_target	process	target process
1920	812	WerFault.exe	CloudFlare.exe

pid	process
964	powershell.exe
924	powershell.exe
1920	WerFault.exe
1920	WerFault.exe
1920	WerFault.exe
1920	WerFault.exe
1920	WerFault.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exeCloudFlare.exepowershell.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	964	powershell.exe
Token: SeDebugPrivilege	812	CloudFlare.exe
Token: SeDebugPrivilege	924	powershell.exe
Token: SeDebugPrivilege	1920	WerFault.exe

Suspicious use of WriteProcessMemory 47 IoCs

Processes:

d744acfd989c900314f9e1bced18aaae5cdef2dde15a98512842c43f47afc315.bin.execmd.execmd.execmd.execmd.execmd.exeCloudFlare.exe

description	pid	process	target process
PID 600 wrote to memory of 1588	600	d744acfd989c900314f9e1bced18aaae5cdef2dde15a98512842c43f47afc315.bin.exe	cmd.exe
PID 600 wrote to memory of 1588	600	d744acfd989c900314f9e1bced18aaae5cdef2dde15a98512842c43f47afc315.bin.exe	cmd.exe
PID 600 wrote to memory of 1588	600	d744acfd989c900314f9e1bced18aaae5cdef2dde15a98512842c43f47afc315.bin.exe	cmd.exe
PID 600 wrote to memory of 1588	600	d744acfd989c900314f9e1bced18aaae5cdef2dde15a98512842c43f47afc315.bin.exe	cmd.exe
PID 600 wrote to memory of 1688	600	d744acfd989c900314f9e1bced18aaae5cdef2dde15a98512842c43f47afc315.bin.exe	cmd.exe
PID 600 wrote to memory of 1688	600	d744acfd989c900314f9e1bced18aaae5cdef2dde15a98512842c43f47afc315.bin.exe	cmd.exe
PID 600 wrote to memory of 1688	600	d744acfd989c900314f9e1bced18aaae5cdef2dde15a98512842c43f47afc315.bin.exe	cmd.exe
PID 600 wrote to memory of 1688	600	d744acfd989c900314f9e1bced18aaae5cdef2dde15a98512842c43f47afc315.bin.exe	cmd.exe
PID 600 wrote to memory of 520	600	d744acfd989c900314f9e1bced18aaae5cdef2dde15a98512842c43f47afc315.bin.exe	cmd.exe
PID 600 wrote to memory of 520	600	d744acfd989c900314f9e1bced18aaae5cdef2dde15a98512842c43f47afc315.bin.exe	cmd.exe
PID 600 wrote to memory of 520	600	d744acfd989c900314f9e1bced18aaae5cdef2dde15a98512842c43f47afc315.bin.exe	cmd.exe
PID 600 wrote to memory of 520	600	d744acfd989c900314f9e1bced18aaae5cdef2dde15a98512842c43f47afc315.bin.exe	cmd.exe
PID 600 wrote to memory of 720	600	d744acfd989c900314f9e1bced18aaae5cdef2dde15a98512842c43f47afc315.bin.exe	cmd.exe
PID 600 wrote to memory of 720	600	d744acfd989c900314f9e1bced18aaae5cdef2dde15a98512842c43f47afc315.bin.exe	cmd.exe
PID 600 wrote to memory of 720	600	d744acfd989c900314f9e1bced18aaae5cdef2dde15a98512842c43f47afc315.bin.exe	cmd.exe
PID 600 wrote to memory of 720	600	d744acfd989c900314f9e1bced18aaae5cdef2dde15a98512842c43f47afc315.bin.exe	cmd.exe
PID 600 wrote to memory of 564	600	d744acfd989c900314f9e1bced18aaae5cdef2dde15a98512842c43f47afc315.bin.exe	cmd.exe
PID 600 wrote to memory of 564	600	d744acfd989c900314f9e1bced18aaae5cdef2dde15a98512842c43f47afc315.bin.exe	cmd.exe
PID 600 wrote to memory of 564	600	d744acfd989c900314f9e1bced18aaae5cdef2dde15a98512842c43f47afc315.bin.exe	cmd.exe
PID 600 wrote to memory of 564	600	d744acfd989c900314f9e1bced18aaae5cdef2dde15a98512842c43f47afc315.bin.exe	cmd.exe
PID 1688 wrote to memory of 1860	1688	cmd.exe	ZeusDDoS.exe
PID 1688 wrote to memory of 1860	1688	cmd.exe	ZeusDDoS.exe
PID 1688 wrote to memory of 1860	1688	cmd.exe	ZeusDDoS.exe
PID 1688 wrote to memory of 1860	1688	cmd.exe	ZeusDDoS.exe
PID 1588 wrote to memory of 964	1588	cmd.exe	powershell.exe
PID 1588 wrote to memory of 964	1588	cmd.exe	powershell.exe
PID 1588 wrote to memory of 964	1588	cmd.exe	powershell.exe
PID 1588 wrote to memory of 964	1588	cmd.exe	powershell.exe
PID 520 wrote to memory of 812	520	cmd.exe	CloudFlare.exe
PID 520 wrote to memory of 812	520	cmd.exe	CloudFlare.exe
PID 520 wrote to memory of 812	520	cmd.exe	CloudFlare.exe
PID 520 wrote to memory of 812	520	cmd.exe	CloudFlare.exe
PID 564 wrote to memory of 744	564	cmd.exe	MsMpWindowsHeandler.exe
PID 564 wrote to memory of 744	564	cmd.exe	MsMpWindowsHeandler.exe
PID 564 wrote to memory of 744	564	cmd.exe	MsMpWindowsHeandler.exe
PID 564 wrote to memory of 744	564	cmd.exe	MsMpWindowsHeandler.exe
PID 720 wrote to memory of 1304	720	cmd.exe	MsMpWindowsHeandler.exe
PID 720 wrote to memory of 1304	720	cmd.exe	MsMpWindowsHeandler.exe
PID 720 wrote to memory of 1304	720	cmd.exe	MsMpWindowsHeandler.exe
PID 720 wrote to memory of 1304	720	cmd.exe	MsMpWindowsHeandler.exe
PID 1588 wrote to memory of 924	1588	cmd.exe	powershell.exe
PID 1588 wrote to memory of 924	1588	cmd.exe	powershell.exe
PID 1588 wrote to memory of 924	1588	cmd.exe	powershell.exe
PID 1588 wrote to memory of 924	1588	cmd.exe	powershell.exe
PID 812 wrote to memory of 1920	812	CloudFlare.exe	WerFault.exe
PID 812 wrote to memory of 1920	812	CloudFlare.exe	WerFault.exe
PID 812 wrote to memory of 1920	812	CloudFlare.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\d744acfd989c900314f9e1bced18aaae5cdef2dde15a98512842c43f47afc315.bin.exe
"C:\Users\Admin\AppData\Local\Temp\d744acfd989c900314f9e1bced18aaae5cdef2dde15a98512842c43f47afc315.bin.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:600

C:\Windows\SysWOW64\cmd.exe
cmd /c powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:1588

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:964

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:924

C:\Windows\SysWOW64\cmd.exe
cmd /c start C:\Windows\ZeusDDoS.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1688

C:\Windows\ZeusDDoS.exe
C:\Windows\ZeusDDoS.exe
3⤵
- Executes dropped EXE
PID:1860

C:\Windows\SysWOW64\cmd.exe
cmd /c start C:\Windows\CloudFlare.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:520

C:\Windows\CloudFlare.exe
C:\Windows\CloudFlare.exe
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:812

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 812 -s 1008
4⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1920

C:\Windows\SysWOW64\cmd.exe
cmd /c start C:\Windows\MsMpWindowsHeandler.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:720

C:\Windows\MsMpWindowsHeandler.exe
C:\Windows\MsMpWindowsHeandler.exe
3⤵
- Executes dropped EXE
PID:1304

C:\Windows\SysWOW64\cmd.exe
cmd /c start C:\Windows\MsMpWindowsHeandler.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:564

C:\Windows\MsMpWindowsHeandler.exe
C:\Windows\MsMpWindowsHeandler.exe
3⤵
- Executes dropped EXE
PID:744

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5
64de70d4a5f8646b471bc4f2e36a3efe

SHA1
e68ff239e69538ae3762017ab1092b3574fa791c

SHA256
cf63db9bb7e813966c9fb32271123b8a7d8114fe15abfbc2354110cf7077a6f8

SHA512
9478d6146cc2ad4f2e7255eb01831306e433b46006c0fe0f6d92d3b1180a354cf56a6eb354403c64d96e9827a4562882082e24d743d5266ac7486aa5a21612ee

Download Submit
C:\Windows\CloudFlare.exe

MD5
d421d8dd515105167c2926aa42124568

SHA1
084d4c88b4c4f694e8da3225ceea7742c5fae432

SHA256
8f72b2bbf97a75afcdfdd21c91fd76cb0b115c475799bcd17c7659b7ec302220

SHA512
c40806175298fbc32af23f18bff4ed8d170769ea391d37195a7e6b31e568714ac700ce8333b20a10cee6d2e01ad45b468960ad003a528e73d9f6d57097e2cc87

Download Submit
C:\Windows\CloudFlare.exe

MD5
d421d8dd515105167c2926aa42124568

SHA1
084d4c88b4c4f694e8da3225ceea7742c5fae432

SHA256
8f72b2bbf97a75afcdfdd21c91fd76cb0b115c475799bcd17c7659b7ec302220

SHA512
c40806175298fbc32af23f18bff4ed8d170769ea391d37195a7e6b31e568714ac700ce8333b20a10cee6d2e01ad45b468960ad003a528e73d9f6d57097e2cc87

Download Submit
C:\Windows\MsMpWindowsHeandler.exe

MD5
588801cb97eff4329e719e8f59b41a40

SHA1
ca54598ec9d632489d05c705ce26314aa494069a

SHA256
5a6a74294c6563b71a16f2c8877ae056d8403d7b7a745357365375396758b96f

SHA512
0d4ffb5afc76ada34e9279cedef15022310003b26b5f6218f89f62853154914c2725088fa49ad9face499114a75187352ee9647e547d3347b1e36a0fb962b24f

Download Submit
C:\Windows\MsMpWindowsHeandler.exe

MD5
588801cb97eff4329e719e8f59b41a40

SHA1
ca54598ec9d632489d05c705ce26314aa494069a

SHA256
5a6a74294c6563b71a16f2c8877ae056d8403d7b7a745357365375396758b96f

SHA512
0d4ffb5afc76ada34e9279cedef15022310003b26b5f6218f89f62853154914c2725088fa49ad9face499114a75187352ee9647e547d3347b1e36a0fb962b24f

Download Submit
C:\Windows\MsMpWindowsHeandler.exe

MD5
588801cb97eff4329e719e8f59b41a40

SHA1
ca54598ec9d632489d05c705ce26314aa494069a

SHA256
5a6a74294c6563b71a16f2c8877ae056d8403d7b7a745357365375396758b96f

SHA512
0d4ffb5afc76ada34e9279cedef15022310003b26b5f6218f89f62853154914c2725088fa49ad9face499114a75187352ee9647e547d3347b1e36a0fb962b24f

Download Submit
C:\Windows\ZeusDDoS.exe

MD5
7baebb48d7fb4be4449089d37af39b7a

SHA1
1d9670a90c9f821418f38fa3b16e49a04ab7018a

SHA256
00839950ef5fca43bdc79dbc1e8af106063ac556dea2d58e8f65ac230d7d0e3e

SHA512
f91f6ca68218a6af9f303a19d974df17fc14af6a83272e9425f444f6488fc7f25b61bbae0ad0e47980d623b28f8aa8ce09ec76b5d504aeee736bb9838a83d8a9

Download Submit
C:\Windows\ZeusDDoS.exe

MD5
7baebb48d7fb4be4449089d37af39b7a

SHA1
1d9670a90c9f821418f38fa3b16e49a04ab7018a

SHA256
00839950ef5fca43bdc79dbc1e8af106063ac556dea2d58e8f65ac230d7d0e3e

SHA512
f91f6ca68218a6af9f303a19d974df17fc14af6a83272e9425f444f6488fc7f25b61bbae0ad0e47980d623b28f8aa8ce09ec76b5d504aeee736bb9838a83d8a9

Download Submit
memory/520-56-0x0000000000000000-mapping.dmp

Download
memory/564-58-0x0000000000000000-mapping.dmp

Download
memory/720-57-0x0000000000000000-mapping.dmp

Download
memory/744-66-0x0000000000000000-mapping.dmp

Download
memory/744-79-0x0000000001D20000-0x0000000001D21000-memory.dmp

Filesize
4KB

Download
memory/812-76-0x0000000000D50000-0x0000000000D68000-memory.dmp

Filesize
96KB

Download
memory/812-82-0x000000001AE30000-0x000000001AE32000-memory.dmp

Filesize
8KB

Download
memory/812-62-0x0000000000000000-mapping.dmp

Download
memory/812-77-0x0000000000D50000-0x0000000000D68000-memory.dmp

Filesize
96KB

Download
memory/924-86-0x0000000002400000-0x0000000002401000-memory.dmp

Filesize
4KB

Download
memory/924-88-0x0000000002402000-0x0000000002404000-memory.dmp

Filesize
8KB

Download
memory/924-83-0x0000000000000000-mapping.dmp

Download
memory/924-87-0x0000000002401000-0x0000000002402000-memory.dmp

Filesize
4KB

Download
memory/964-71-0x0000000076151000-0x0000000076153000-memory.dmp

Filesize
8KB

Download
memory/964-61-0x0000000000000000-mapping.dmp

Download
memory/964-80-0x0000000002540000-0x000000000318A000-memory.dmp

Filesize
12.3MB

Download
memory/1304-67-0x0000000000000000-mapping.dmp

Download
memory/1304-78-0x0000000002010000-0x0000000002011000-memory.dmp

Filesize
4KB

Download
memory/1588-54-0x0000000000000000-mapping.dmp

Download
memory/1688-55-0x0000000000000000-mapping.dmp

Download
memory/1860-81-0x0000000004C40000-0x0000000004C41000-memory.dmp

Filesize
4KB

Download
memory/1860-75-0x00000000008E0000-0x00000000008EA000-memory.dmp

Filesize
40KB

Download
memory/1860-74-0x00000000008E0000-0x00000000008EA000-memory.dmp

Filesize
40KB

Download
memory/1860-60-0x0000000000000000-mapping.dmp

Download
memory/1860-89-0x0000000004C45000-0x0000000004C56000-memory.dmp

Filesize
68KB

Download
memory/1920-90-0x0000000000000000-mapping.dmp

Download
memory/1920-91-0x000007FEFBC11000-0x000007FEFBC13000-memory.dmp

Filesize
8KB

Download
memory/1920-92-0x0000000001BC0000-0x0000000001BC1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads