njrat | 742e7b3fa903eb64cb3160861636df034123fdfecb271da1235703d246ade55f

General

Target

#93874654.exe
Size

300.0MB
MD5

a7328c9dba8e429ee5e171a661505137
SHA1

f637c4df8840fb7cc8fa93e925294145cab91457
SHA256

6248199255f4525503101e01e38d60fda27ee9bcc72a74a817dc1d01596d2a9b
SHA512

139c83862561881e328084d813509518fa353d07b532549cf93e7bed9151b137a9239b1c8e2162c85e4956bf327efb847a9643177cbf88cde89634779ddb2ca2

Score

10^/10

njrat hacked evasion persistence suricata trojan

Malware Config

Extracted

Family

njrat

Version

1.9

Botnet

HacKed

Mutex

Microsoft.Exe

Attributes

reg_key
Microsoft.Exe

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata
Executes dropped EXE 1 IoCs

Processes:

Adobe.exe

pid process

1060 Adobe.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

pid	process
1060	Adobe.exe

Drops startup file 2 IoCs

Processes:

RegAsm.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.Exe	RegAsm.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.Exe	RegAsm.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

RegAsm.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft.Exe = "\"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe\" .."	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft.Exe = "\"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe\" .."	RegAsm.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

#93874654.exeAdobe.exe

description	pid	process	target process
PID 528 set thread context of 460	528	#93874654.exe	RegAsm.exe
PID 1060 set thread context of 884	1060	Adobe.exe	RegAsm.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1800 schtasks.exe
1604 schtasks.exe

pid	process
1800	schtasks.exe
1604	schtasks.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

#93874654.exeRegAsm.exeAdobe.exe

description	pid	process
Token: SeDebugPrivilege	528	#93874654.exe
Token: SeDebugPrivilege	460	RegAsm.exe
Token: 33	460	RegAsm.exe
Token: SeIncBasePriorityPrivilege	460	RegAsm.exe
Token: SeDebugPrivilege	1060	Adobe.exe
Token: 33	460	RegAsm.exe
Token: SeIncBasePriorityPrivilege	460	RegAsm.exe
Token: 33	460	RegAsm.exe
Token: SeIncBasePriorityPrivilege	460	RegAsm.exe
Token: 33	460	RegAsm.exe
Token: SeIncBasePriorityPrivilege	460	RegAsm.exe
Token: 33	460	RegAsm.exe
Token: SeIncBasePriorityPrivilege	460	RegAsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

#93874654.execmd.exeRegAsm.exetaskeng.exeAdobe.execmd.exe

description	pid	process	target process
PID 528 wrote to memory of 460	528	#93874654.exe	RegAsm.exe
PID 528 wrote to memory of 460	528	#93874654.exe	RegAsm.exe
PID 528 wrote to memory of 460	528	#93874654.exe	RegAsm.exe
PID 528 wrote to memory of 460	528	#93874654.exe	RegAsm.exe
PID 528 wrote to memory of 460	528	#93874654.exe	RegAsm.exe
PID 528 wrote to memory of 460	528	#93874654.exe	RegAsm.exe
PID 528 wrote to memory of 460	528	#93874654.exe	RegAsm.exe
PID 528 wrote to memory of 460	528	#93874654.exe	RegAsm.exe
PID 528 wrote to memory of 460	528	#93874654.exe	RegAsm.exe
PID 528 wrote to memory of 460	528	#93874654.exe	RegAsm.exe
PID 528 wrote to memory of 460	528	#93874654.exe	RegAsm.exe
PID 528 wrote to memory of 460	528	#93874654.exe	RegAsm.exe
PID 528 wrote to memory of 916	528	#93874654.exe	cmd.exe
PID 528 wrote to memory of 916	528	#93874654.exe	cmd.exe
PID 528 wrote to memory of 916	528	#93874654.exe	cmd.exe
PID 528 wrote to memory of 916	528	#93874654.exe	cmd.exe
PID 528 wrote to memory of 1992	528	#93874654.exe	cmd.exe
PID 528 wrote to memory of 1992	528	#93874654.exe	cmd.exe
PID 528 wrote to memory of 1992	528	#93874654.exe	cmd.exe
PID 528 wrote to memory of 1992	528	#93874654.exe	cmd.exe
PID 528 wrote to memory of 1968	528	#93874654.exe	cmd.exe
PID 528 wrote to memory of 1968	528	#93874654.exe	cmd.exe
PID 528 wrote to memory of 1968	528	#93874654.exe	cmd.exe
PID 528 wrote to memory of 1968	528	#93874654.exe	cmd.exe
PID 1992 wrote to memory of 1800	1992	cmd.exe	schtasks.exe
PID 1992 wrote to memory of 1800	1992	cmd.exe	schtasks.exe
PID 1992 wrote to memory of 1800	1992	cmd.exe	schtasks.exe
PID 1992 wrote to memory of 1800	1992	cmd.exe	schtasks.exe
PID 460 wrote to memory of 1488	460	RegAsm.exe	netsh.exe
PID 460 wrote to memory of 1488	460	RegAsm.exe	netsh.exe
PID 460 wrote to memory of 1488	460	RegAsm.exe	netsh.exe
PID 460 wrote to memory of 1488	460	RegAsm.exe	netsh.exe
PID 1912 wrote to memory of 1060	1912	taskeng.exe	Adobe.exe
PID 1912 wrote to memory of 1060	1912	taskeng.exe	Adobe.exe
PID 1912 wrote to memory of 1060	1912	taskeng.exe	Adobe.exe
PID 1912 wrote to memory of 1060	1912	taskeng.exe	Adobe.exe
PID 1060 wrote to memory of 884	1060	Adobe.exe	RegAsm.exe
PID 1060 wrote to memory of 884	1060	Adobe.exe	RegAsm.exe
PID 1060 wrote to memory of 884	1060	Adobe.exe	RegAsm.exe
PID 1060 wrote to memory of 884	1060	Adobe.exe	RegAsm.exe
PID 1060 wrote to memory of 884	1060	Adobe.exe	RegAsm.exe
PID 1060 wrote to memory of 884	1060	Adobe.exe	RegAsm.exe
PID 1060 wrote to memory of 884	1060	Adobe.exe	RegAsm.exe
PID 1060 wrote to memory of 884	1060	Adobe.exe	RegAsm.exe
PID 1060 wrote to memory of 884	1060	Adobe.exe	RegAsm.exe
PID 1060 wrote to memory of 884	1060	Adobe.exe	RegAsm.exe
PID 1060 wrote to memory of 884	1060	Adobe.exe	RegAsm.exe
PID 1060 wrote to memory of 884	1060	Adobe.exe	RegAsm.exe
PID 1060 wrote to memory of 1408	1060	Adobe.exe	cmd.exe
PID 1060 wrote to memory of 1408	1060	Adobe.exe	cmd.exe
PID 1060 wrote to memory of 1408	1060	Adobe.exe	cmd.exe
PID 1060 wrote to memory of 1408	1060	Adobe.exe	cmd.exe
PID 1060 wrote to memory of 1716	1060	Adobe.exe	cmd.exe
PID 1060 wrote to memory of 1716	1060	Adobe.exe	cmd.exe
PID 1060 wrote to memory of 1716	1060	Adobe.exe	cmd.exe
PID 1060 wrote to memory of 1716	1060	Adobe.exe	cmd.exe
PID 1716 wrote to memory of 1604	1716	cmd.exe	schtasks.exe
PID 1716 wrote to memory of 1604	1716	cmd.exe	schtasks.exe
PID 1716 wrote to memory of 1604	1716	cmd.exe	schtasks.exe
PID 1716 wrote to memory of 1604	1716	cmd.exe	schtasks.exe
PID 1060 wrote to memory of 1528	1060	Adobe.exe	cmd.exe
PID 1060 wrote to memory of 1528	1060	Adobe.exe	cmd.exe
PID 1060 wrote to memory of 1528	1060	Adobe.exe	cmd.exe
PID 1060 wrote to memory of 1528	1060	Adobe.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\#93874654.exe
"C:\Users\Admin\AppData\Local\Temp\#93874654.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:528

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:460

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" "RegAsm.exe" ENABLE
3⤵
PID:1488

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\Adobe"
2⤵
PID:916

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nanias" /tr "'C:\Users\Admin\AppData\Roaming\Adobe\Adobe.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1992

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nanias" /tr "'C:\Users\Admin\AppData\Roaming\Adobe\Adobe.exe'" /f
3⤵
- Creates scheduled task(s)
PID:1800

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\#93874654.exe" "C:\Users\Admin\AppData\Roaming\Adobe\Adobe.exe"
2⤵
PID:1968

C:\Windows\system32\taskeng.exe
taskeng.exe {915EABE6-8B86-4786-ADE6-6DC23473029D} S-1-5-21-3846991908-3261386348-1409841751-1000:VQVVOAJK\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1912

C:\Users\Admin\AppData\Roaming\Adobe\Adobe.exe
C:\Users\Admin\AppData\Roaming\Adobe\Adobe.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1060

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:884

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\Adobe"
3⤵
PID:1408

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nanias" /tr "'C:\Users\Admin\AppData\Roaming\Adobe\Adobe.exe'" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:1716

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nanias" /tr "'C:\Users\Admin\AppData\Roaming\Adobe\Adobe.exe'" /f
4⤵
- Creates scheduled task(s)
PID:1604

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\Adobe\Adobe.exe" "C:\Users\Admin\AppData\Roaming\Adobe\Adobe.exe"
3⤵
PID:1528

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Adobe.exe
MD5
a7328c9dba8e429ee5e171a661505137

SHA1
f637c4df8840fb7cc8fa93e925294145cab91457

SHA256
6248199255f4525503101e01e38d60fda27ee9bcc72a74a817dc1d01596d2a9b

SHA512
139c83862561881e328084d813509518fa353d07b532549cf93e7bed9151b137a9239b1c8e2162c85e4956bf327efb847a9643177cbf88cde89634779ddb2ca2

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Adobe.exe
MD5
a7328c9dba8e429ee5e171a661505137

SHA1
f637c4df8840fb7cc8fa93e925294145cab91457

SHA256
6248199255f4525503101e01e38d60fda27ee9bcc72a74a817dc1d01596d2a9b

SHA512
139c83862561881e328084d813509518fa353d07b532549cf93e7bed9151b137a9239b1c8e2162c85e4956bf327efb847a9643177cbf88cde89634779ddb2ca2

Download Submit
memory/460-57-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/460-58-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/460-59-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/460-61-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/460-63-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/460-65-0x0000000000E20000-0x0000000000E21000-memory.dmp

Filesize
4KB

Download
memory/528-54-0x0000000001340000-0x00000000013E8000-memory.dmp

Filesize
672KB

Download
memory/528-56-0x0000000004B60000-0x0000000004B61000-memory.dmp

Filesize
4KB

Download
memory/528-55-0x0000000075D61000-0x0000000075D63000-memory.dmp

Filesize
8KB

Download
memory/1060-68-0x0000000001140000-0x00000000011E8000-memory.dmp

Filesize
672KB

Download
memory/1060-69-0x0000000004A90000-0x0000000004A91000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads