njrat | fdf4af9ad999272ebf9fa0c1d3c374615e2c8f2a5a5598f9d3ad1a0f3fd5a627

General

Target

fdf4af9ad999272ebf9fa0c1d3c374615e2c8f2a5a5598f9d3ad1a0f3fd5a627.exe
Size

194KB
MD5

1bdd22a17a650cff37601bfb7ff5de58
SHA1

728fc6952f1d038bd1fdf01b44c4af05e363a4bb
SHA256

fdf4af9ad999272ebf9fa0c1d3c374615e2c8f2a5a5598f9d3ad1a0f3fd5a627
SHA512

6e7f19d4ff5709a4eccad60005c7c0d466ec395bb0a87da3ccedbea0a5bee2d2098165d3e765f06a1e2cb76387454397a2a68280b3f15a9c50ce2eb6e5c8e3bb

Score

10^/10

njrat vistima trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

VISTIMA

C2

trabajo2019.duckdns.org:2020

Mutex

ef4f7f28c949781a94b69311553c83e5

Attributes

reg_key
ef4f7f28c949781a94b69311553c83e5
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 2 IoCs

Processes:

server.exeserver.exe

pid process

1324 server.exe
1060 server.exe
Loads dropped DLL 2 IoCs

Processes:

fdf4af9ad999272ebf9fa0c1d3c374615e2c8f2a5a5598f9d3ad1a0f3fd5a627.exeserver.exe

pid process

324 fdf4af9ad999272ebf9fa0c1d3c374615e2c8f2a5a5598f9d3ad1a0f3fd5a627.exe
1324 server.exe

pid	process
1324	server.exe
1060	server.exe

pid	process
324	fdf4af9ad999272ebf9fa0c1d3c374615e2c8f2a5a5598f9d3ad1a0f3fd5a627.exe
1324	server.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

fdf4af9ad999272ebf9fa0c1d3c374615e2c8f2a5a5598f9d3ad1a0f3fd5a627.exeserver.exe

description	pid	process	target process
PID 1552 set thread context of 324	1552	fdf4af9ad999272ebf9fa0c1d3c374615e2c8f2a5a5598f9d3ad1a0f3fd5a627.exe	fdf4af9ad999272ebf9fa0c1d3c374615e2c8f2a5a5598f9d3ad1a0f3fd5a627.exe
PID 1324 set thread context of 1060	1324	server.exe	server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

812 schtasks.exe
2012 schtasks.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

server.exe

pid process

1324 server.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

server.exe

description pid process

Token: SeDebugPrivilege 1324 server.exe

pid	process
812	schtasks.exe
2012	schtasks.exe

pid	process
1324	server.exe

description	pid	process
Token: SeDebugPrivilege	1324	server.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

fdf4af9ad999272ebf9fa0c1d3c374615e2c8f2a5a5598f9d3ad1a0f3fd5a627.exefdf4af9ad999272ebf9fa0c1d3c374615e2c8f2a5a5598f9d3ad1a0f3fd5a627.exeserver.exe

description	pid	process	target process
PID 1552 wrote to memory of 812	1552	fdf4af9ad999272ebf9fa0c1d3c374615e2c8f2a5a5598f9d3ad1a0f3fd5a627.exe	schtasks.exe
PID 1552 wrote to memory of 812	1552	fdf4af9ad999272ebf9fa0c1d3c374615e2c8f2a5a5598f9d3ad1a0f3fd5a627.exe	schtasks.exe
PID 1552 wrote to memory of 812	1552	fdf4af9ad999272ebf9fa0c1d3c374615e2c8f2a5a5598f9d3ad1a0f3fd5a627.exe	schtasks.exe
PID 1552 wrote to memory of 812	1552	fdf4af9ad999272ebf9fa0c1d3c374615e2c8f2a5a5598f9d3ad1a0f3fd5a627.exe	schtasks.exe
PID 1552 wrote to memory of 324	1552	fdf4af9ad999272ebf9fa0c1d3c374615e2c8f2a5a5598f9d3ad1a0f3fd5a627.exe	fdf4af9ad999272ebf9fa0c1d3c374615e2c8f2a5a5598f9d3ad1a0f3fd5a627.exe
PID 1552 wrote to memory of 324	1552	fdf4af9ad999272ebf9fa0c1d3c374615e2c8f2a5a5598f9d3ad1a0f3fd5a627.exe	fdf4af9ad999272ebf9fa0c1d3c374615e2c8f2a5a5598f9d3ad1a0f3fd5a627.exe
PID 1552 wrote to memory of 324	1552	fdf4af9ad999272ebf9fa0c1d3c374615e2c8f2a5a5598f9d3ad1a0f3fd5a627.exe	fdf4af9ad999272ebf9fa0c1d3c374615e2c8f2a5a5598f9d3ad1a0f3fd5a627.exe
PID 1552 wrote to memory of 324	1552	fdf4af9ad999272ebf9fa0c1d3c374615e2c8f2a5a5598f9d3ad1a0f3fd5a627.exe	fdf4af9ad999272ebf9fa0c1d3c374615e2c8f2a5a5598f9d3ad1a0f3fd5a627.exe
PID 1552 wrote to memory of 324	1552	fdf4af9ad999272ebf9fa0c1d3c374615e2c8f2a5a5598f9d3ad1a0f3fd5a627.exe	fdf4af9ad999272ebf9fa0c1d3c374615e2c8f2a5a5598f9d3ad1a0f3fd5a627.exe
PID 1552 wrote to memory of 324	1552	fdf4af9ad999272ebf9fa0c1d3c374615e2c8f2a5a5598f9d3ad1a0f3fd5a627.exe	fdf4af9ad999272ebf9fa0c1d3c374615e2c8f2a5a5598f9d3ad1a0f3fd5a627.exe
PID 1552 wrote to memory of 324	1552	fdf4af9ad999272ebf9fa0c1d3c374615e2c8f2a5a5598f9d3ad1a0f3fd5a627.exe	fdf4af9ad999272ebf9fa0c1d3c374615e2c8f2a5a5598f9d3ad1a0f3fd5a627.exe
PID 1552 wrote to memory of 324	1552	fdf4af9ad999272ebf9fa0c1d3c374615e2c8f2a5a5598f9d3ad1a0f3fd5a627.exe	fdf4af9ad999272ebf9fa0c1d3c374615e2c8f2a5a5598f9d3ad1a0f3fd5a627.exe
PID 1552 wrote to memory of 324	1552	fdf4af9ad999272ebf9fa0c1d3c374615e2c8f2a5a5598f9d3ad1a0f3fd5a627.exe	fdf4af9ad999272ebf9fa0c1d3c374615e2c8f2a5a5598f9d3ad1a0f3fd5a627.exe
PID 324 wrote to memory of 1324	324	fdf4af9ad999272ebf9fa0c1d3c374615e2c8f2a5a5598f9d3ad1a0f3fd5a627.exe	server.exe
PID 324 wrote to memory of 1324	324	fdf4af9ad999272ebf9fa0c1d3c374615e2c8f2a5a5598f9d3ad1a0f3fd5a627.exe	server.exe
PID 324 wrote to memory of 1324	324	fdf4af9ad999272ebf9fa0c1d3c374615e2c8f2a5a5598f9d3ad1a0f3fd5a627.exe	server.exe
PID 324 wrote to memory of 1324	324	fdf4af9ad999272ebf9fa0c1d3c374615e2c8f2a5a5598f9d3ad1a0f3fd5a627.exe	server.exe
PID 1324 wrote to memory of 2012	1324	server.exe	schtasks.exe
PID 1324 wrote to memory of 2012	1324	server.exe	schtasks.exe
PID 1324 wrote to memory of 2012	1324	server.exe	schtasks.exe
PID 1324 wrote to memory of 2012	1324	server.exe	schtasks.exe
PID 1324 wrote to memory of 1060	1324	server.exe	server.exe
PID 1324 wrote to memory of 1060	1324	server.exe	server.exe
PID 1324 wrote to memory of 1060	1324	server.exe	server.exe
PID 1324 wrote to memory of 1060	1324	server.exe	server.exe
PID 1324 wrote to memory of 1060	1324	server.exe	server.exe
PID 1324 wrote to memory of 1060	1324	server.exe	server.exe
PID 1324 wrote to memory of 1060	1324	server.exe	server.exe
PID 1324 wrote to memory of 1060	1324	server.exe	server.exe
PID 1324 wrote to memory of 1060	1324	server.exe	server.exe

C:\Users\Admin\AppData\Local\Temp\fdf4af9ad999272ebf9fa0c1d3c374615e2c8f2a5a5598f9d3ad1a0f3fd5a627.exe
"C:\Users\Admin\AppData\Local\Temp\fdf4af9ad999272ebf9fa0c1d3c374615e2c8f2a5a5598f9d3ad1a0f3fd5a627.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1552

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sLniLRUBtoiL" /XML "C:\Users\Admin\AppData\Local\Temp\tmp384F.tmp"
2⤵
- Creates scheduled task(s)
PID:812

C:\Users\Admin\AppData\Local\Temp\fdf4af9ad999272ebf9fa0c1d3c374615e2c8f2a5a5598f9d3ad1a0f3fd5a627.exe
"C:\Users\Admin\AppData\Local\Temp\fdf4af9ad999272ebf9fa0c1d3c374615e2c8f2a5a5598f9d3ad1a0f3fd5a627.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:324

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1324

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sLniLRUBtoiL" /XML "C:\Users\Admin\AppData\Local\Temp\tmp474D.tmp"
4⤵
- Creates scheduled task(s)
PID:2012

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
4⤵
- Executes dropped EXE
PID:1060

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\server.exe
MD5
1bdd22a17a650cff37601bfb7ff5de58

SHA1
728fc6952f1d038bd1fdf01b44c4af05e363a4bb

SHA256
fdf4af9ad999272ebf9fa0c1d3c374615e2c8f2a5a5598f9d3ad1a0f3fd5a627

SHA512
6e7f19d4ff5709a4eccad60005c7c0d466ec395bb0a87da3ccedbea0a5bee2d2098165d3e765f06a1e2cb76387454397a2a68280b3f15a9c50ce2eb6e5c8e3bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe
MD5
1bdd22a17a650cff37601bfb7ff5de58

SHA1
728fc6952f1d038bd1fdf01b44c4af05e363a4bb

SHA256
fdf4af9ad999272ebf9fa0c1d3c374615e2c8f2a5a5598f9d3ad1a0f3fd5a627

SHA512
6e7f19d4ff5709a4eccad60005c7c0d466ec395bb0a87da3ccedbea0a5bee2d2098165d3e765f06a1e2cb76387454397a2a68280b3f15a9c50ce2eb6e5c8e3bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe
MD5
1bdd22a17a650cff37601bfb7ff5de58

SHA1
728fc6952f1d038bd1fdf01b44c4af05e363a4bb

SHA256
fdf4af9ad999272ebf9fa0c1d3c374615e2c8f2a5a5598f9d3ad1a0f3fd5a627

SHA512
6e7f19d4ff5709a4eccad60005c7c0d466ec395bb0a87da3ccedbea0a5bee2d2098165d3e765f06a1e2cb76387454397a2a68280b3f15a9c50ce2eb6e5c8e3bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp384F.tmp
MD5
222fbafb4aed885249ac591a5358fd1d

SHA1
6ee8a3a8ffaebc79aa441677853cc28bab747c0a

SHA256
be984697bdc453da4654ccbc7098c724c98dce4d298ff535acbe50ee1d557559

SHA512
57e9ef7e7bc063cadd88963b25b5fd21bd98e12f535230063ddc0f98bf54d7c99a4e373cc002c866b01e33efa89f05e41bbd26e85d4b13a51561e4eee0ed6b7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp474D.tmp
MD5
222fbafb4aed885249ac591a5358fd1d

SHA1
6ee8a3a8ffaebc79aa441677853cc28bab747c0a

SHA256
be984697bdc453da4654ccbc7098c724c98dce4d298ff535acbe50ee1d557559

SHA512
57e9ef7e7bc063cadd88963b25b5fd21bd98e12f535230063ddc0f98bf54d7c99a4e373cc002c866b01e33efa89f05e41bbd26e85d4b13a51561e4eee0ed6b7f

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe
MD5
1bdd22a17a650cff37601bfb7ff5de58

SHA1
728fc6952f1d038bd1fdf01b44c4af05e363a4bb

SHA256
fdf4af9ad999272ebf9fa0c1d3c374615e2c8f2a5a5598f9d3ad1a0f3fd5a627

SHA512
6e7f19d4ff5709a4eccad60005c7c0d466ec395bb0a87da3ccedbea0a5bee2d2098165d3e765f06a1e2cb76387454397a2a68280b3f15a9c50ce2eb6e5c8e3bb

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe
MD5
1bdd22a17a650cff37601bfb7ff5de58

SHA1
728fc6952f1d038bd1fdf01b44c4af05e363a4bb

SHA256
fdf4af9ad999272ebf9fa0c1d3c374615e2c8f2a5a5598f9d3ad1a0f3fd5a627

SHA512
6e7f19d4ff5709a4eccad60005c7c0d466ec395bb0a87da3ccedbea0a5bee2d2098165d3e765f06a1e2cb76387454397a2a68280b3f15a9c50ce2eb6e5c8e3bb

Download Submit
memory/324-58-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/324-62-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/324-64-0x0000000000AB0000-0x0000000000AB1000-memory.dmp

Filesize
4KB

Download
memory/324-61-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/324-60-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/324-59-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1060-80-0x0000000002290000-0x0000000002291000-memory.dmp

Filesize
4KB

Download
memory/1324-69-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download
memory/1324-70-0x00000000022C1000-0x00000000022C2000-memory.dmp

Filesize
4KB

Download
memory/1552-54-0x0000000075601000-0x0000000075603000-memory.dmp

Filesize
8KB

Download
memory/1552-56-0x0000000000411000-0x0000000000412000-memory.dmp

Filesize
4KB

Download
memory/1552-55-0x0000000000410000-0x0000000000411000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads