njrat | b757bd1c8c93b75204ca653d5b602e98f1b3a174a1657f185dd4794fda4a2866

General

Target

7f806c97ab68106ea238c1e5bc906388.exe
Size

8KB
MD5

7f806c97ab68106ea238c1e5bc906388
SHA1

571e34bda90b0194f6c7bc353e5c0c56a7143d38
SHA256

b757bd1c8c93b75204ca653d5b602e98f1b3a174a1657f185dd4794fda4a2866
SHA512

e1b998d4b1f3786d711bf647615787082fd907ca1c50c9731cb2eea843da85b33cc04ec1bf60b22693ced7acc392dd5c09f496b1cfcab3e2ed50c85a290d13c9

Score

10^/10

njrat furios evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

Furios

C2

gghosting221.ddns.net:6202

Mutex

5f458dd5f03f50e31781ca69de125d55

Attributes

reg_key
5f458dd5f03f50e31781ca69de125d55
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

WindowsUser.exe

pid process

1640 WindowsUser.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

pid	process
1640	WindowsUser.exe

Drops startup file 2 IoCs

Processes:

WindowsUser.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5f458dd5f03f50e31781ca69de125d55.exe	WindowsUser.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5f458dd5f03f50e31781ca69de125d55.exe	WindowsUser.exe

Loads dropped DLL 1 IoCs

Processes:

7f806c97ab68106ea238c1e5bc906388.exe

pid process

1628 7f806c97ab68106ea238c1e5bc906388.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

7f806c97ab68106ea238c1e5bc906388.exeWindowsUser.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\MyTestApplication = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7f806c97ab68106ea238c1e5bc906388.exe"	7f806c97ab68106ea238c1e5bc906388.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\5f458dd5f03f50e31781ca69de125d55 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WindowsUser.exe\" .."	WindowsUser.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\5f458dd5f03f50e31781ca69de125d55 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WindowsUser.exe\" .."	WindowsUser.exe

Drops autorun.inf file 1 TTPs
Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media
T1091
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1816 taskkill.exe

pid	process
1816	taskkill.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

7f806c97ab68106ea238c1e5bc906388.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	7f806c97ab68106ea238c1e5bc906388.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	7f806c97ab68106ea238c1e5bc906388.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

7f806c97ab68106ea238c1e5bc906388.exeWindowsUser.exe

pid	process
1628	7f806c97ab68106ea238c1e5bc906388.exe
1628	7f806c97ab68106ea238c1e5bc906388.exe
1628	7f806c97ab68106ea238c1e5bc906388.exe
1628	7f806c97ab68106ea238c1e5bc906388.exe
1628	7f806c97ab68106ea238c1e5bc906388.exe
1628	7f806c97ab68106ea238c1e5bc906388.exe
1628	7f806c97ab68106ea238c1e5bc906388.exe
1628	7f806c97ab68106ea238c1e5bc906388.exe
1628	7f806c97ab68106ea238c1e5bc906388.exe
1628	7f806c97ab68106ea238c1e5bc906388.exe
1628	7f806c97ab68106ea238c1e5bc906388.exe
1628	7f806c97ab68106ea238c1e5bc906388.exe
1628	7f806c97ab68106ea238c1e5bc906388.exe
1628	7f806c97ab68106ea238c1e5bc906388.exe
1628	7f806c97ab68106ea238c1e5bc906388.exe
1628	7f806c97ab68106ea238c1e5bc906388.exe
1628	7f806c97ab68106ea238c1e5bc906388.exe
1640	WindowsUser.exe
1640	WindowsUser.exe
1640	WindowsUser.exe
1640	WindowsUser.exe
1640	WindowsUser.exe
1640	WindowsUser.exe
1640	WindowsUser.exe
1640	WindowsUser.exe
1640	WindowsUser.exe
1628	7f806c97ab68106ea238c1e5bc906388.exe
1628	7f806c97ab68106ea238c1e5bc906388.exe
1640	WindowsUser.exe
1640	WindowsUser.exe
1640	WindowsUser.exe
1640	WindowsUser.exe
1640	WindowsUser.exe
1640	WindowsUser.exe
1640	WindowsUser.exe
1640	WindowsUser.exe
1640	WindowsUser.exe
1640	WindowsUser.exe
1640	WindowsUser.exe
1640	WindowsUser.exe
1640	WindowsUser.exe
1640	WindowsUser.exe
1640	WindowsUser.exe
1628	7f806c97ab68106ea238c1e5bc906388.exe
1628	7f806c97ab68106ea238c1e5bc906388.exe
1640	WindowsUser.exe
1640	WindowsUser.exe
1640	WindowsUser.exe
1640	WindowsUser.exe
1640	WindowsUser.exe
1640	WindowsUser.exe
1640	WindowsUser.exe
1640	WindowsUser.exe
1640	WindowsUser.exe
1640	WindowsUser.exe
1640	WindowsUser.exe
1640	WindowsUser.exe
1640	WindowsUser.exe
1640	WindowsUser.exe
1640	WindowsUser.exe
1628	7f806c97ab68106ea238c1e5bc906388.exe
1628	7f806c97ab68106ea238c1e5bc906388.exe
1640	WindowsUser.exe
1640	WindowsUser.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WindowsUser.exe

pid process

1640 WindowsUser.exe

pid	process
1640	WindowsUser.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

7f806c97ab68106ea238c1e5bc906388.exetaskkill.exeWindowsUser.exe

description	pid	process
Token: SeDebugPrivilege	1628	7f806c97ab68106ea238c1e5bc906388.exe
Token: SeDebugPrivilege	1816	taskkill.exe
Token: SeDebugPrivilege	1640	WindowsUser.exe
Token: 33	1640	WindowsUser.exe
Token: SeIncBasePriorityPrivilege	1640	WindowsUser.exe
Token: 33	1640	WindowsUser.exe
Token: SeIncBasePriorityPrivilege	1640	WindowsUser.exe
Token: 33	1640	WindowsUser.exe
Token: SeIncBasePriorityPrivilege	1640	WindowsUser.exe
Token: 33	1640	WindowsUser.exe
Token: SeIncBasePriorityPrivilege	1640	WindowsUser.exe
Token: 33	1640	WindowsUser.exe
Token: SeIncBasePriorityPrivilege	1640	WindowsUser.exe
Token: 33	1640	WindowsUser.exe
Token: SeIncBasePriorityPrivilege	1640	WindowsUser.exe
Token: 33	1640	WindowsUser.exe
Token: SeIncBasePriorityPrivilege	1640	WindowsUser.exe
Token: 33	1640	WindowsUser.exe
Token: SeIncBasePriorityPrivilege	1640	WindowsUser.exe
Token: 33	1640	WindowsUser.exe
Token: SeIncBasePriorityPrivilege	1640	WindowsUser.exe
Token: 33	1640	WindowsUser.exe
Token: SeIncBasePriorityPrivilege	1640	WindowsUser.exe
Token: 33	1640	WindowsUser.exe
Token: SeIncBasePriorityPrivilege	1640	WindowsUser.exe
Token: 33	1640	WindowsUser.exe
Token: SeIncBasePriorityPrivilege	1640	WindowsUser.exe
Token: 33	1640	WindowsUser.exe
Token: SeIncBasePriorityPrivilege	1640	WindowsUser.exe
Token: 33	1640	WindowsUser.exe
Token: SeIncBasePriorityPrivilege	1640	WindowsUser.exe
Token: 33	1640	WindowsUser.exe
Token: SeIncBasePriorityPrivilege	1640	WindowsUser.exe
Token: 33	1640	WindowsUser.exe
Token: SeIncBasePriorityPrivilege	1640	WindowsUser.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

7f806c97ab68106ea238c1e5bc906388.exeWindowsUser.exe

description	pid	process	target process
PID 1628 wrote to memory of 1640	1628	7f806c97ab68106ea238c1e5bc906388.exe	WindowsUser.exe
PID 1628 wrote to memory of 1640	1628	7f806c97ab68106ea238c1e5bc906388.exe	WindowsUser.exe
PID 1628 wrote to memory of 1640	1628	7f806c97ab68106ea238c1e5bc906388.exe	WindowsUser.exe
PID 1628 wrote to memory of 1640	1628	7f806c97ab68106ea238c1e5bc906388.exe	WindowsUser.exe
PID 1640 wrote to memory of 1972	1640	WindowsUser.exe	netsh.exe
PID 1640 wrote to memory of 1972	1640	WindowsUser.exe	netsh.exe
PID 1640 wrote to memory of 1972	1640	WindowsUser.exe	netsh.exe
PID 1640 wrote to memory of 1972	1640	WindowsUser.exe	netsh.exe
PID 1640 wrote to memory of 1816	1640	WindowsUser.exe	taskkill.exe
PID 1640 wrote to memory of 1816	1640	WindowsUser.exe	taskkill.exe
PID 1640 wrote to memory of 1816	1640	WindowsUser.exe	taskkill.exe
PID 1640 wrote to memory of 1816	1640	WindowsUser.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\7f806c97ab68106ea238c1e5bc906388.exe
"C:\Users\Admin\AppData\Local\Temp\7f806c97ab68106ea238c1e5bc906388.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1628
- C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe"
  2⤵
  - Executes dropped EXE
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1640
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe" "WindowsUser.exe" ENABLE
    3⤵
    PID:1972
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM Exsample.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1816

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe

MD5
e56578ff67914010aa9f663876b66c4a

SHA1
802b5d9f5be9fb8213b97567ebc1910e85ddd20f

SHA256
fc89c98b5be515bcbd365c74a9f4026d2d8dce04f9bc6255cc327b971c0bd407

SHA512
756b0fdfca550346207ddd292f6fa57d4db2e0207850dd9651edc341e716f80102ff6e8bdcf8fc000ce8535a1439c529b57d26313b58ad8613d99a978c17caf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUser.exe

MD5
e56578ff67914010aa9f663876b66c4a

SHA1
802b5d9f5be9fb8213b97567ebc1910e85ddd20f

SHA256
fc89c98b5be515bcbd365c74a9f4026d2d8dce04f9bc6255cc327b971c0bd407

SHA512
756b0fdfca550346207ddd292f6fa57d4db2e0207850dd9651edc341e716f80102ff6e8bdcf8fc000ce8535a1439c529b57d26313b58ad8613d99a978c17caf3

Download Submit
\Users\Admin\AppData\Local\Temp\WindowsUser.exe

MD5
e56578ff67914010aa9f663876b66c4a

SHA1
802b5d9f5be9fb8213b97567ebc1910e85ddd20f

SHA256
fc89c98b5be515bcbd365c74a9f4026d2d8dce04f9bc6255cc327b971c0bd407

SHA512
756b0fdfca550346207ddd292f6fa57d4db2e0207850dd9651edc341e716f80102ff6e8bdcf8fc000ce8535a1439c529b57d26313b58ad8613d99a978c17caf3

Download Submit
memory/1628-54-0x0000000000160000-0x0000000000168000-memory.dmp

Filesize
32KB

Download
memory/1628-55-0x0000000000160000-0x0000000000168000-memory.dmp

Filesize
32KB

Download
memory/1628-56-0x0000000004510000-0x0000000004511000-memory.dmp

Filesize
4KB

Download
memory/1640-58-0x0000000000000000-mapping.dmp

Download
memory/1640-61-0x0000000075801000-0x0000000075803000-memory.dmp

Filesize
8KB

Download
memory/1640-62-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/1816-64-0x0000000000000000-mapping.dmp

Download
memory/1972-63-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads