njrat | fdf4af9ad999272ebf9fa0c1d3c374615e2c8f2a5a5598f9d3ad1a0f3fd5a627

General

Target

fdf4af9ad999272ebf9fa0c1d3c374615e2c8f2a5a5598f9d3ad1a0f3fd5a627.exe
Size

194KB
MD5

1bdd22a17a650cff37601bfb7ff5de58
SHA1

728fc6952f1d038bd1fdf01b44c4af05e363a4bb
SHA256

fdf4af9ad999272ebf9fa0c1d3c374615e2c8f2a5a5598f9d3ad1a0f3fd5a627
SHA512

6e7f19d4ff5709a4eccad60005c7c0d466ec395bb0a87da3ccedbea0a5bee2d2098165d3e765f06a1e2cb76387454397a2a68280b3f15a9c50ce2eb6e5c8e3bb

Score

10^/10

njrat vistima trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

VISTIMA

C2

trabajo2019.duckdns.org:2020

Mutex

ef4f7f28c949781a94b69311553c83e5

Attributes

reg_key
ef4f7f28c949781a94b69311553c83e5
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 3 IoCs

Processes:

server.exeserver.exeserver.exe

pid process

3188 server.exe
808 server.exe
828 server.exe

pid	process
3188	server.exe
808	server.exe
828	server.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

fdf4af9ad999272ebf9fa0c1d3c374615e2c8f2a5a5598f9d3ad1a0f3fd5a627.exeserver.exe

description	pid	process	target process
PID 3208 set thread context of 1108	3208	fdf4af9ad999272ebf9fa0c1d3c374615e2c8f2a5a5598f9d3ad1a0f3fd5a627.exe	fdf4af9ad999272ebf9fa0c1d3c374615e2c8f2a5a5598f9d3ad1a0f3fd5a627.exe
PID 3188 set thread context of 828	3188	server.exe	server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1496 schtasks.exe
3076 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

fdf4af9ad999272ebf9fa0c1d3c374615e2c8f2a5a5598f9d3ad1a0f3fd5a627.exeserver.exe

pid process

3208 fdf4af9ad999272ebf9fa0c1d3c374615e2c8f2a5a5598f9d3ad1a0f3fd5a627.exe
3188 server.exe
3188 server.exe
3188 server.exe

pid	process
1496	schtasks.exe
3076	schtasks.exe

pid	process
3208	fdf4af9ad999272ebf9fa0c1d3c374615e2c8f2a5a5598f9d3ad1a0f3fd5a627.exe
3188	server.exe
3188	server.exe
3188	server.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

fdf4af9ad999272ebf9fa0c1d3c374615e2c8f2a5a5598f9d3ad1a0f3fd5a627.exeserver.exe

description	pid	process
Token: SeDebugPrivilege	3208	fdf4af9ad999272ebf9fa0c1d3c374615e2c8f2a5a5598f9d3ad1a0f3fd5a627.exe
Token: SeDebugPrivilege	3188	server.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

fdf4af9ad999272ebf9fa0c1d3c374615e2c8f2a5a5598f9d3ad1a0f3fd5a627.exefdf4af9ad999272ebf9fa0c1d3c374615e2c8f2a5a5598f9d3ad1a0f3fd5a627.exeserver.exe

description	pid	process	target process
PID 3208 wrote to memory of 1496	3208	fdf4af9ad999272ebf9fa0c1d3c374615e2c8f2a5a5598f9d3ad1a0f3fd5a627.exe	schtasks.exe
PID 3208 wrote to memory of 1496	3208	fdf4af9ad999272ebf9fa0c1d3c374615e2c8f2a5a5598f9d3ad1a0f3fd5a627.exe	schtasks.exe
PID 3208 wrote to memory of 1496	3208	fdf4af9ad999272ebf9fa0c1d3c374615e2c8f2a5a5598f9d3ad1a0f3fd5a627.exe	schtasks.exe
PID 3208 wrote to memory of 1108	3208	fdf4af9ad999272ebf9fa0c1d3c374615e2c8f2a5a5598f9d3ad1a0f3fd5a627.exe	fdf4af9ad999272ebf9fa0c1d3c374615e2c8f2a5a5598f9d3ad1a0f3fd5a627.exe
PID 3208 wrote to memory of 1108	3208	fdf4af9ad999272ebf9fa0c1d3c374615e2c8f2a5a5598f9d3ad1a0f3fd5a627.exe	fdf4af9ad999272ebf9fa0c1d3c374615e2c8f2a5a5598f9d3ad1a0f3fd5a627.exe
PID 3208 wrote to memory of 1108	3208	fdf4af9ad999272ebf9fa0c1d3c374615e2c8f2a5a5598f9d3ad1a0f3fd5a627.exe	fdf4af9ad999272ebf9fa0c1d3c374615e2c8f2a5a5598f9d3ad1a0f3fd5a627.exe
PID 3208 wrote to memory of 1108	3208	fdf4af9ad999272ebf9fa0c1d3c374615e2c8f2a5a5598f9d3ad1a0f3fd5a627.exe	fdf4af9ad999272ebf9fa0c1d3c374615e2c8f2a5a5598f9d3ad1a0f3fd5a627.exe
PID 3208 wrote to memory of 1108	3208	fdf4af9ad999272ebf9fa0c1d3c374615e2c8f2a5a5598f9d3ad1a0f3fd5a627.exe	fdf4af9ad999272ebf9fa0c1d3c374615e2c8f2a5a5598f9d3ad1a0f3fd5a627.exe
PID 3208 wrote to memory of 1108	3208	fdf4af9ad999272ebf9fa0c1d3c374615e2c8f2a5a5598f9d3ad1a0f3fd5a627.exe	fdf4af9ad999272ebf9fa0c1d3c374615e2c8f2a5a5598f9d3ad1a0f3fd5a627.exe
PID 3208 wrote to memory of 1108	3208	fdf4af9ad999272ebf9fa0c1d3c374615e2c8f2a5a5598f9d3ad1a0f3fd5a627.exe	fdf4af9ad999272ebf9fa0c1d3c374615e2c8f2a5a5598f9d3ad1a0f3fd5a627.exe
PID 3208 wrote to memory of 1108	3208	fdf4af9ad999272ebf9fa0c1d3c374615e2c8f2a5a5598f9d3ad1a0f3fd5a627.exe	fdf4af9ad999272ebf9fa0c1d3c374615e2c8f2a5a5598f9d3ad1a0f3fd5a627.exe
PID 1108 wrote to memory of 3188	1108	fdf4af9ad999272ebf9fa0c1d3c374615e2c8f2a5a5598f9d3ad1a0f3fd5a627.exe	server.exe
PID 1108 wrote to memory of 3188	1108	fdf4af9ad999272ebf9fa0c1d3c374615e2c8f2a5a5598f9d3ad1a0f3fd5a627.exe	server.exe
PID 1108 wrote to memory of 3188	1108	fdf4af9ad999272ebf9fa0c1d3c374615e2c8f2a5a5598f9d3ad1a0f3fd5a627.exe	server.exe
PID 3188 wrote to memory of 3076	3188	server.exe	schtasks.exe
PID 3188 wrote to memory of 3076	3188	server.exe	schtasks.exe
PID 3188 wrote to memory of 3076	3188	server.exe	schtasks.exe
PID 3188 wrote to memory of 808	3188	server.exe	server.exe
PID 3188 wrote to memory of 808	3188	server.exe	server.exe
PID 3188 wrote to memory of 808	3188	server.exe	server.exe
PID 3188 wrote to memory of 828	3188	server.exe	server.exe
PID 3188 wrote to memory of 828	3188	server.exe	server.exe
PID 3188 wrote to memory of 828	3188	server.exe	server.exe
PID 3188 wrote to memory of 828	3188	server.exe	server.exe
PID 3188 wrote to memory of 828	3188	server.exe	server.exe
PID 3188 wrote to memory of 828	3188	server.exe	server.exe
PID 3188 wrote to memory of 828	3188	server.exe	server.exe
PID 3188 wrote to memory of 828	3188	server.exe	server.exe

C:\Users\Admin\AppData\Local\Temp\fdf4af9ad999272ebf9fa0c1d3c374615e2c8f2a5a5598f9d3ad1a0f3fd5a627.exe
"C:\Users\Admin\AppData\Local\Temp\fdf4af9ad999272ebf9fa0c1d3c374615e2c8f2a5a5598f9d3ad1a0f3fd5a627.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3208

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sLniLRUBtoiL" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1024.tmp"
2⤵
- Creates scheduled task(s)
PID:1496

C:\Users\Admin\AppData\Local\Temp\fdf4af9ad999272ebf9fa0c1d3c374615e2c8f2a5a5598f9d3ad1a0f3fd5a627.exe
"C:\Users\Admin\AppData\Local\Temp\fdf4af9ad999272ebf9fa0c1d3c374615e2c8f2a5a5598f9d3ad1a0f3fd5a627.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1108

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3188

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sLniLRUBtoiL" /XML "C:\Users\Admin\AppData\Local\Temp\tmp155F.tmp"
4⤵
- Creates scheduled task(s)
PID:3076

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
4⤵
- Executes dropped EXE
PID:808

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
4⤵
- Executes dropped EXE
PID:828

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\fdf4af9ad999272ebf9fa0c1d3c374615e2c8f2a5a5598f9d3ad1a0f3fd5a627.exe.log

MD5
040fd57b5b86666596a5b3aa2002cf64

SHA1
c8d3a3fb89157c7834a8a9c24e78dcb84795fd01

SHA256
0e61f93179dc2ac86a5bace7f556d7a8c54c5793a0d075fafb4bb43e439660d1

SHA512
a1eb0939b073484d39133f20dce1d40030472b1241aa32da3388c1433175f321c5557382e2bfbd95d24e783e12fc8f55c9adf833ef97bb356017defc73b1b3a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\server.exe.log

MD5
040fd57b5b86666596a5b3aa2002cf64

SHA1
c8d3a3fb89157c7834a8a9c24e78dcb84795fd01

SHA256
0e61f93179dc2ac86a5bace7f556d7a8c54c5793a0d075fafb4bb43e439660d1

SHA512
a1eb0939b073484d39133f20dce1d40030472b1241aa32da3388c1433175f321c5557382e2bfbd95d24e783e12fc8f55c9adf833ef97bb356017defc73b1b3a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe

MD5
1bdd22a17a650cff37601bfb7ff5de58

SHA1
728fc6952f1d038bd1fdf01b44c4af05e363a4bb

SHA256
fdf4af9ad999272ebf9fa0c1d3c374615e2c8f2a5a5598f9d3ad1a0f3fd5a627

SHA512
6e7f19d4ff5709a4eccad60005c7c0d466ec395bb0a87da3ccedbea0a5bee2d2098165d3e765f06a1e2cb76387454397a2a68280b3f15a9c50ce2eb6e5c8e3bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe

MD5
1bdd22a17a650cff37601bfb7ff5de58

SHA1
728fc6952f1d038bd1fdf01b44c4af05e363a4bb

SHA256
fdf4af9ad999272ebf9fa0c1d3c374615e2c8f2a5a5598f9d3ad1a0f3fd5a627

SHA512
6e7f19d4ff5709a4eccad60005c7c0d466ec395bb0a87da3ccedbea0a5bee2d2098165d3e765f06a1e2cb76387454397a2a68280b3f15a9c50ce2eb6e5c8e3bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe

MD5
1bdd22a17a650cff37601bfb7ff5de58

SHA1
728fc6952f1d038bd1fdf01b44c4af05e363a4bb

SHA256
fdf4af9ad999272ebf9fa0c1d3c374615e2c8f2a5a5598f9d3ad1a0f3fd5a627

SHA512
6e7f19d4ff5709a4eccad60005c7c0d466ec395bb0a87da3ccedbea0a5bee2d2098165d3e765f06a1e2cb76387454397a2a68280b3f15a9c50ce2eb6e5c8e3bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe

MD5
1bdd22a17a650cff37601bfb7ff5de58

SHA1
728fc6952f1d038bd1fdf01b44c4af05e363a4bb

SHA256
fdf4af9ad999272ebf9fa0c1d3c374615e2c8f2a5a5598f9d3ad1a0f3fd5a627

SHA512
6e7f19d4ff5709a4eccad60005c7c0d466ec395bb0a87da3ccedbea0a5bee2d2098165d3e765f06a1e2cb76387454397a2a68280b3f15a9c50ce2eb6e5c8e3bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1024.tmp

MD5
1547bc72806ca9a29e05c911ae5ca7ea

SHA1
602a0e304d16fae9117af78611dac454fcd2d847

SHA256
12131697260b0ec21e482028f466f4845bbb756bc30aa53ae81be909183bb5a1

SHA512
2624608035446ece51fad079ac82d83f8a7a055b1e33e5bfc278f53bf0963f76bd6325dcb6dd848473581657908b244aebabaaba35198b389dc94b0da300cc3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp155F.tmp

MD5
1547bc72806ca9a29e05c911ae5ca7ea

SHA1
602a0e304d16fae9117af78611dac454fcd2d847

SHA256
12131697260b0ec21e482028f466f4845bbb756bc30aa53ae81be909183bb5a1

SHA512
2624608035446ece51fad079ac82d83f8a7a055b1e33e5bfc278f53bf0963f76bd6325dcb6dd848473581657908b244aebabaaba35198b389dc94b0da300cc3a

Download Submit
memory/828-131-0x0000000002750000-0x0000000002751000-memory.dmp

Filesize
4KB

Download
memory/1108-122-0x0000000001320000-0x0000000001321000-memory.dmp

Filesize
4KB

Download
memory/1108-120-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3188-125-0x0000000002570000-0x0000000002571000-memory.dmp

Filesize
4KB

Download
memory/3208-118-0x0000000001330000-0x0000000001331000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads