njrat | febaf8ae20e133e5b4fd503d7f5097bbabe0f8d4664a951a8630f2e929b916e5

General

Target

febaf8ae20e133e5b4fd503d7f5097bbabe0f8d4664a951a8630f2e929b916e5.exe
Size

3.5MB
MD5

fe8b2df29417a27881f4727c35aae61e
SHA1

1f9eccc08baa52fc5b91eee694bce443e08f2dd8
SHA256

febaf8ae20e133e5b4fd503d7f5097bbabe0f8d4664a951a8630f2e929b916e5
SHA512

687452a1c9b69ed3fd6d8cc26e1fb7f0c2301b05f47e16e1983985a9def0fb1434352cb9b2d9f74cf0c89e469806aab17eb4b5b3f8e632fa1b04ff923444a31c

Score

10^/10

njrat trojan

Malware Config

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 4 IoCs

Processes:

TempEgchatinstaller.exeTempEgchat.exeTempEgchatinstaller.tmpsystem.exe

pid process

868 TempEgchatinstaller.exe
288 TempEgchat.exe
636 TempEgchatinstaller.tmp
1960 system.exe
Drops startup file 1 IoCs

Processes:

TempEgchat.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mysystem.lnk TempEgchat.exe
Loads dropped DLL 1 IoCs

Processes:

TempEgchatinstaller.exe

pid process

868 TempEgchatinstaller.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

TempEgchatinstaller.tmp

pid process

636 TempEgchatinstaller.tmp

pid	process
868	TempEgchatinstaller.exe
288	TempEgchat.exe
636	TempEgchatinstaller.tmp
1960	system.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mysystem.lnk	TempEgchat.exe

pid	process
868	TempEgchatinstaller.exe

pid	process
636	TempEgchatinstaller.tmp

Suspicious use of AdjustPrivilegeToken 43 IoCs

Processes:

febaf8ae20e133e5b4fd503d7f5097bbabe0f8d4664a951a8630f2e929b916e5.exeTempEgchat.exesystem.exe

description	pid	process
Token: SeDebugPrivilege	1404	febaf8ae20e133e5b4fd503d7f5097bbabe0f8d4664a951a8630f2e929b916e5.exe
Token: 33	1404	febaf8ae20e133e5b4fd503d7f5097bbabe0f8d4664a951a8630f2e929b916e5.exe
Token: SeIncBasePriorityPrivilege	1404	febaf8ae20e133e5b4fd503d7f5097bbabe0f8d4664a951a8630f2e929b916e5.exe
Token: SeDebugPrivilege	288	TempEgchat.exe
Token: 33	288	TempEgchat.exe
Token: SeIncBasePriorityPrivilege	288	TempEgchat.exe
Token: 33	288	TempEgchat.exe
Token: SeIncBasePriorityPrivilege	288	TempEgchat.exe
Token: 33	288	TempEgchat.exe
Token: SeIncBasePriorityPrivilege	288	TempEgchat.exe
Token: SeDebugPrivilege	1960	system.exe
Token: 33	1960	system.exe
Token: SeIncBasePriorityPrivilege	1960	system.exe
Token: 33	1960	system.exe
Token: SeIncBasePriorityPrivilege	1960	system.exe
Token: 33	1960	system.exe
Token: SeIncBasePriorityPrivilege	1960	system.exe
Token: 33	1960	system.exe
Token: SeIncBasePriorityPrivilege	1960	system.exe
Token: 33	1960	system.exe
Token: SeIncBasePriorityPrivilege	1960	system.exe
Token: 33	1960	system.exe
Token: SeIncBasePriorityPrivilege	1960	system.exe
Token: 33	1960	system.exe
Token: SeIncBasePriorityPrivilege	1960	system.exe
Token: 33	1960	system.exe
Token: SeIncBasePriorityPrivilege	1960	system.exe
Token: 33	1960	system.exe
Token: SeIncBasePriorityPrivilege	1960	system.exe
Token: 33	1960	system.exe
Token: SeIncBasePriorityPrivilege	1960	system.exe
Token: 33	1960	system.exe
Token: SeIncBasePriorityPrivilege	1960	system.exe
Token: 33	1960	system.exe
Token: SeIncBasePriorityPrivilege	1960	system.exe
Token: 33	1960	system.exe
Token: SeIncBasePriorityPrivilege	1960	system.exe
Token: 33	1960	system.exe
Token: SeIncBasePriorityPrivilege	1960	system.exe
Token: 33	288	TempEgchat.exe
Token: SeIncBasePriorityPrivilege	288	TempEgchat.exe
Token: 33	1960	system.exe
Token: SeIncBasePriorityPrivilege	1960	system.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

TempEgchat.exe

pid process

288 TempEgchat.exe
288 TempEgchat.exe

pid	process
288	TempEgchat.exe
288	TempEgchat.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

febaf8ae20e133e5b4fd503d7f5097bbabe0f8d4664a951a8630f2e929b916e5.exeTempEgchatinstaller.exeTempEgchat.exe

description	pid	process	target process
PID 1404 wrote to memory of 868	1404	febaf8ae20e133e5b4fd503d7f5097bbabe0f8d4664a951a8630f2e929b916e5.exe	TempEgchatinstaller.exe
PID 1404 wrote to memory of 868	1404	febaf8ae20e133e5b4fd503d7f5097bbabe0f8d4664a951a8630f2e929b916e5.exe	TempEgchatinstaller.exe
PID 1404 wrote to memory of 868	1404	febaf8ae20e133e5b4fd503d7f5097bbabe0f8d4664a951a8630f2e929b916e5.exe	TempEgchatinstaller.exe
PID 1404 wrote to memory of 868	1404	febaf8ae20e133e5b4fd503d7f5097bbabe0f8d4664a951a8630f2e929b916e5.exe	TempEgchatinstaller.exe
PID 1404 wrote to memory of 868	1404	febaf8ae20e133e5b4fd503d7f5097bbabe0f8d4664a951a8630f2e929b916e5.exe	TempEgchatinstaller.exe
PID 1404 wrote to memory of 868	1404	febaf8ae20e133e5b4fd503d7f5097bbabe0f8d4664a951a8630f2e929b916e5.exe	TempEgchatinstaller.exe
PID 1404 wrote to memory of 868	1404	febaf8ae20e133e5b4fd503d7f5097bbabe0f8d4664a951a8630f2e929b916e5.exe	TempEgchatinstaller.exe
PID 1404 wrote to memory of 288	1404	febaf8ae20e133e5b4fd503d7f5097bbabe0f8d4664a951a8630f2e929b916e5.exe	TempEgchat.exe
PID 1404 wrote to memory of 288	1404	febaf8ae20e133e5b4fd503d7f5097bbabe0f8d4664a951a8630f2e929b916e5.exe	TempEgchat.exe
PID 1404 wrote to memory of 288	1404	febaf8ae20e133e5b4fd503d7f5097bbabe0f8d4664a951a8630f2e929b916e5.exe	TempEgchat.exe
PID 868 wrote to memory of 636	868	TempEgchatinstaller.exe	TempEgchatinstaller.tmp
PID 868 wrote to memory of 636	868	TempEgchatinstaller.exe	TempEgchatinstaller.tmp
PID 868 wrote to memory of 636	868	TempEgchatinstaller.exe	TempEgchatinstaller.tmp
PID 868 wrote to memory of 636	868	TempEgchatinstaller.exe	TempEgchatinstaller.tmp
PID 868 wrote to memory of 636	868	TempEgchatinstaller.exe	TempEgchatinstaller.tmp
PID 868 wrote to memory of 636	868	TempEgchatinstaller.exe	TempEgchatinstaller.tmp
PID 868 wrote to memory of 636	868	TempEgchatinstaller.exe	TempEgchatinstaller.tmp
PID 288 wrote to memory of 1960	288	TempEgchat.exe	system.exe
PID 288 wrote to memory of 1960	288	TempEgchat.exe	system.exe
PID 288 wrote to memory of 1960	288	TempEgchat.exe	system.exe

C:\Users\Admin\AppData\Local\Temp\febaf8ae20e133e5b4fd503d7f5097bbabe0f8d4664a951a8630f2e929b916e5.exe
"C:\Users\Admin\AppData\Local\Temp\febaf8ae20e133e5b4fd503d7f5097bbabe0f8d4664a951a8630f2e929b916e5.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1404

C:\Users\Admin\AppData\Local\TempEgchatinstaller.exe
"C:\Users\Admin\AppData\Local\TempEgchatinstaller.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:868

C:\Users\Admin\AppData\Local\Temp\is-MD3AT.tmp\TempEgchatinstaller.tmp
"C:\Users\Admin\AppData\Local\Temp\is-MD3AT.tmp\TempEgchatinstaller.tmp" /SL5="$30108,4986466,68096,C:\Users\Admin\AppData\Local\TempEgchatinstaller.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
PID:636

C:\Users\Admin\AppData\Local\TempEgchat.exe
"C:\Users\Admin\AppData\Local\TempEgchat.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:288

C:\Users\Admin\AppData\Local\Temp\system.exe
"C:\Users\Admin\AppData\Local\Temp\system.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1960

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TempEgchat.exe
MD5
acf5abe9f9a399a73736f0cbf2e19f4e

SHA1
3f165e2b44ceaad50da8745374c57b500525b2de

SHA256
130a75085b8e38c0b0e3e95b74d08daca3e939506093f497206a8c250c0576fc

SHA512
9154073672b45db52a856eda3d9f43c9591f3d00633fc27ef526249d2679f2cc9c38a1d5b95ac8b375ff7ca7ac531281b084a31405a77d09047302337df4aadd

Download Submit
C:\Users\Admin\AppData\Local\TempEgchat.exe
MD5
acf5abe9f9a399a73736f0cbf2e19f4e

SHA1
3f165e2b44ceaad50da8745374c57b500525b2de

SHA256
130a75085b8e38c0b0e3e95b74d08daca3e939506093f497206a8c250c0576fc

SHA512
9154073672b45db52a856eda3d9f43c9591f3d00633fc27ef526249d2679f2cc9c38a1d5b95ac8b375ff7ca7ac531281b084a31405a77d09047302337df4aadd

Download Submit
C:\Users\Admin\AppData\Local\TempEgchatinstaller.exe
MD5
eb6fa2af6084a0bfc804e92f166c677f

SHA1
b4e69189e1dc0e0716073e89828f26107f9f2809

SHA256
828353ef564506f41225e5c1056462659ab65ea5c82a3f484475b6b8449cb88b

SHA512
10b6afc5ea65ef1f26beaddc4a7265f990281d0511e8fc8994a37bcb8e3daf7c171be6da869b8d348147e7c25b1cd13bd8d8e3d4c115bded7ac7773a22d97515

Download Submit
C:\Users\Admin\AppData\Local\TempEgchatinstaller.exe
MD5
eb6fa2af6084a0bfc804e92f166c677f

SHA1
b4e69189e1dc0e0716073e89828f26107f9f2809

SHA256
828353ef564506f41225e5c1056462659ab65ea5c82a3f484475b6b8449cb88b

SHA512
10b6afc5ea65ef1f26beaddc4a7265f990281d0511e8fc8994a37bcb8e3daf7c171be6da869b8d348147e7c25b1cd13bd8d8e3d4c115bded7ac7773a22d97515

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-MD3AT.tmp\TempEgchatinstaller.tmp
MD5
e2580737dca2845220782c8f59777679

SHA1
9f9c60fbd5289afa2bc810f0470004c1260a4831

SHA256
258dc547d2883fb9f6c8fc934f3c9892bf253bd15133202444e265d4daf08362

SHA512
0a8ba4eeded11b1052623da36cf1322e9bf48a84759922fde926b6424b5355a9c75517b17421331fa69062d8ed029aab9819a91bbf1f37fa6745affffb007e3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\system.exe
MD5
233c3f4734867b89f5de8679d1217c40

SHA1
f1c98bfe9537b32c9d4ca1ebfc304cb9e2aab3a2

SHA256
7af598d30c386d9cd170463b6340142809feb3d3109943f0fb7b60a0651ee282

SHA512
d267c022c73e7e8ec5ae0dee0837a7fceb2ddfe1d895563a2c6a6d22bc62a87e4cc7e1ec648b4689fe842679213f0f82328b3a623a6e79aef9832dbfb1cc0379

Download Submit
C:\Users\Admin\AppData\Local\Temp\system.exe
MD5
233c3f4734867b89f5de8679d1217c40

SHA1
f1c98bfe9537b32c9d4ca1ebfc304cb9e2aab3a2

SHA256
7af598d30c386d9cd170463b6340142809feb3d3109943f0fb7b60a0651ee282

SHA512
d267c022c73e7e8ec5ae0dee0837a7fceb2ddfe1d895563a2c6a6d22bc62a87e4cc7e1ec648b4689fe842679213f0f82328b3a623a6e79aef9832dbfb1cc0379

Download Submit
\Users\Admin\AppData\Local\Temp\is-MD3AT.tmp\TempEgchatinstaller.tmp
MD5
e2580737dca2845220782c8f59777679

SHA1
9f9c60fbd5289afa2bc810f0470004c1260a4831

SHA256
258dc547d2883fb9f6c8fc934f3c9892bf253bd15133202444e265d4daf08362

SHA512
0a8ba4eeded11b1052623da36cf1322e9bf48a84759922fde926b6424b5355a9c75517b17421331fa69062d8ed029aab9819a91bbf1f37fa6745affffb007e3b

Download Submit
memory/288-70-0x00000000002D0000-0x0000000000460000-memory.dmp

Filesize
1.6MB

Download
memory/288-72-0x00000000002D0000-0x0000000000460000-memory.dmp

Filesize
1.6MB

Download
memory/288-78-0x00000000002D0000-0x0000000000460000-memory.dmp

Filesize
1.6MB

Download
memory/288-60-0x000007FEF1F70000-0x000007FEF3006000-memory.dmp

Filesize
16.6MB

Download
memory/288-79-0x00000000002D0000-0x0000000000460000-memory.dmp

Filesize
1.6MB

Download
memory/288-69-0x00000000002D0000-0x0000000000460000-memory.dmp

Filesize
1.6MB

Download
memory/288-64-0x00000000002D0000-0x0000000000460000-memory.dmp

Filesize
1.6MB

Download
memory/288-81-0x00000000002D0000-0x0000000000460000-memory.dmp

Filesize
1.6MB

Download
memory/288-82-0x00000000002D0000-0x0000000000460000-memory.dmp

Filesize
1.6MB

Download
memory/288-73-0x00000000002D0000-0x0000000000460000-memory.dmp

Filesize
1.6MB

Download
memory/288-71-0x00000000002D0000-0x0000000000460000-memory.dmp

Filesize
1.6MB

Download
memory/288-83-0x00000000002D0000-0x0000000000460000-memory.dmp

Filesize
1.6MB

Download
memory/288-80-0x00000000002D0000-0x0000000000460000-memory.dmp

Filesize
1.6MB

Download
memory/636-68-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/868-61-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/868-59-0x0000000074F01000-0x0000000074F03000-memory.dmp

Filesize
8KB

Download
memory/1404-54-0x00000000023E0000-0x00000000023E2000-memory.dmp

Filesize
8KB

Download
memory/1404-55-0x000007FEF21B0000-0x000007FEF3246000-memory.dmp

Filesize
16.6MB

Download
memory/1960-77-0x0000000002070000-0x0000000002072000-memory.dmp

Filesize
8KB

Download
memory/1960-76-0x000007FEF1F70000-0x000007FEF3006000-memory.dmp

Filesize
16.6MB

Download

Analysis

Sharing