njrat | c88b3b1eb6d7d4b7b386ac6fead82c5b1ffb6e8ec7f40fd4961721b58a19ea6a

General

Target

c88b3b1eb6d7d4b7b386ac6fead82c5b1ffb6e8ec7f40fd4961721b58a19ea6a.exe
Size

3.5MB
MD5

de7cfef57b848a8d7f0a1d4828d6f1ed
SHA1

baf8597d52222329b24ed7ae72262ad5f383e61b
SHA256

c88b3b1eb6d7d4b7b386ac6fead82c5b1ffb6e8ec7f40fd4961721b58a19ea6a
SHA512

6d4f761ac1f7c4a9e7384bd866333e1845ba3998f34e294fea8934e3e7106f82ec5bd9f7798c56c2cb22422242adbadeecd92c9f51cac478ee608e6b3c1b96cf

Score

10^/10

njrat trojan

Malware Config

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 4 IoCs

Processes:

TempEgchatinstaller.exeTempEgchat.exeTempEgchatinstaller.tmpsystem.exe

pid process

656 TempEgchatinstaller.exe
436 TempEgchat.exe
960 TempEgchatinstaller.tmp
1956 system.exe
Drops startup file 1 IoCs

Processes:

TempEgchat.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mysystem.lnk TempEgchat.exe
Loads dropped DLL 1 IoCs

Processes:

TempEgchatinstaller.exe

pid process

656 TempEgchatinstaller.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

TempEgchatinstaller.tmp

pid process

960 TempEgchatinstaller.tmp

pid	process
656	TempEgchatinstaller.exe
436	TempEgchat.exe
960	TempEgchatinstaller.tmp
1956	system.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mysystem.lnk	TempEgchat.exe

pid	process
656	TempEgchatinstaller.exe

pid	process
960	TempEgchatinstaller.tmp

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

c88b3b1eb6d7d4b7b386ac6fead82c5b1ffb6e8ec7f40fd4961721b58a19ea6a.exeTempEgchat.exesystem.exe

description	pid	process
Token: SeDebugPrivilege	1672	c88b3b1eb6d7d4b7b386ac6fead82c5b1ffb6e8ec7f40fd4961721b58a19ea6a.exe
Token: 33	1672	c88b3b1eb6d7d4b7b386ac6fead82c5b1ffb6e8ec7f40fd4961721b58a19ea6a.exe
Token: SeIncBasePriorityPrivilege	1672	c88b3b1eb6d7d4b7b386ac6fead82c5b1ffb6e8ec7f40fd4961721b58a19ea6a.exe
Token: SeDebugPrivilege	436	TempEgchat.exe
Token: 33	436	TempEgchat.exe
Token: SeIncBasePriorityPrivilege	436	TempEgchat.exe
Token: 33	436	TempEgchat.exe
Token: SeIncBasePriorityPrivilege	436	TempEgchat.exe
Token: 33	436	TempEgchat.exe
Token: SeIncBasePriorityPrivilege	436	TempEgchat.exe
Token: SeDebugPrivilege	1956	system.exe
Token: 33	1956	system.exe
Token: SeIncBasePriorityPrivilege	1956	system.exe
Token: 33	1956	system.exe
Token: SeIncBasePriorityPrivilege	1956	system.exe
Token: 33	1956	system.exe
Token: SeIncBasePriorityPrivilege	1956	system.exe
Token: 33	1956	system.exe
Token: SeIncBasePriorityPrivilege	1956	system.exe
Token: 33	1956	system.exe
Token: SeIncBasePriorityPrivilege	1956	system.exe
Token: 33	1956	system.exe
Token: SeIncBasePriorityPrivilege	1956	system.exe
Token: 33	1956	system.exe
Token: SeIncBasePriorityPrivilege	1956	system.exe
Token: 33	1956	system.exe
Token: SeIncBasePriorityPrivilege	1956	system.exe
Token: 33	1956	system.exe
Token: SeIncBasePriorityPrivilege	1956	system.exe
Token: 33	1956	system.exe
Token: SeIncBasePriorityPrivilege	1956	system.exe
Token: 33	1956	system.exe
Token: SeIncBasePriorityPrivilege	1956	system.exe
Token: 33	1956	system.exe
Token: SeIncBasePriorityPrivilege	1956	system.exe
Token: 33	1956	system.exe
Token: SeIncBasePriorityPrivilege	1956	system.exe
Token: 33	1956	system.exe
Token: SeIncBasePriorityPrivilege	1956	system.exe
Token: 33	436	TempEgchat.exe
Token: SeIncBasePriorityPrivilege	436	TempEgchat.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

TempEgchat.exe

pid process

436 TempEgchat.exe
436 TempEgchat.exe

pid	process
436	TempEgchat.exe
436	TempEgchat.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

c88b3b1eb6d7d4b7b386ac6fead82c5b1ffb6e8ec7f40fd4961721b58a19ea6a.exeTempEgchatinstaller.exeTempEgchat.exe

description	pid	process	target process
PID 1672 wrote to memory of 656	1672	c88b3b1eb6d7d4b7b386ac6fead82c5b1ffb6e8ec7f40fd4961721b58a19ea6a.exe	TempEgchatinstaller.exe
PID 1672 wrote to memory of 656	1672	c88b3b1eb6d7d4b7b386ac6fead82c5b1ffb6e8ec7f40fd4961721b58a19ea6a.exe	TempEgchatinstaller.exe
PID 1672 wrote to memory of 656	1672	c88b3b1eb6d7d4b7b386ac6fead82c5b1ffb6e8ec7f40fd4961721b58a19ea6a.exe	TempEgchatinstaller.exe
PID 1672 wrote to memory of 656	1672	c88b3b1eb6d7d4b7b386ac6fead82c5b1ffb6e8ec7f40fd4961721b58a19ea6a.exe	TempEgchatinstaller.exe
PID 1672 wrote to memory of 656	1672	c88b3b1eb6d7d4b7b386ac6fead82c5b1ffb6e8ec7f40fd4961721b58a19ea6a.exe	TempEgchatinstaller.exe
PID 1672 wrote to memory of 656	1672	c88b3b1eb6d7d4b7b386ac6fead82c5b1ffb6e8ec7f40fd4961721b58a19ea6a.exe	TempEgchatinstaller.exe
PID 1672 wrote to memory of 656	1672	c88b3b1eb6d7d4b7b386ac6fead82c5b1ffb6e8ec7f40fd4961721b58a19ea6a.exe	TempEgchatinstaller.exe
PID 1672 wrote to memory of 436	1672	c88b3b1eb6d7d4b7b386ac6fead82c5b1ffb6e8ec7f40fd4961721b58a19ea6a.exe	TempEgchat.exe
PID 1672 wrote to memory of 436	1672	c88b3b1eb6d7d4b7b386ac6fead82c5b1ffb6e8ec7f40fd4961721b58a19ea6a.exe	TempEgchat.exe
PID 1672 wrote to memory of 436	1672	c88b3b1eb6d7d4b7b386ac6fead82c5b1ffb6e8ec7f40fd4961721b58a19ea6a.exe	TempEgchat.exe
PID 656 wrote to memory of 960	656	TempEgchatinstaller.exe	TempEgchatinstaller.tmp
PID 656 wrote to memory of 960	656	TempEgchatinstaller.exe	TempEgchatinstaller.tmp
PID 656 wrote to memory of 960	656	TempEgchatinstaller.exe	TempEgchatinstaller.tmp
PID 656 wrote to memory of 960	656	TempEgchatinstaller.exe	TempEgchatinstaller.tmp
PID 656 wrote to memory of 960	656	TempEgchatinstaller.exe	TempEgchatinstaller.tmp
PID 656 wrote to memory of 960	656	TempEgchatinstaller.exe	TempEgchatinstaller.tmp
PID 656 wrote to memory of 960	656	TempEgchatinstaller.exe	TempEgchatinstaller.tmp
PID 436 wrote to memory of 1956	436	TempEgchat.exe	system.exe
PID 436 wrote to memory of 1956	436	TempEgchat.exe	system.exe
PID 436 wrote to memory of 1956	436	TempEgchat.exe	system.exe

C:\Users\Admin\AppData\Local\Temp\c88b3b1eb6d7d4b7b386ac6fead82c5b1ffb6e8ec7f40fd4961721b58a19ea6a.exe
"C:\Users\Admin\AppData\Local\Temp\c88b3b1eb6d7d4b7b386ac6fead82c5b1ffb6e8ec7f40fd4961721b58a19ea6a.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1672

C:\Users\Admin\AppData\Local\TempEgchatinstaller.exe
"C:\Users\Admin\AppData\Local\TempEgchatinstaller.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:656

C:\Users\Admin\AppData\Local\Temp\is-RULJ0.tmp\TempEgchatinstaller.tmp
"C:\Users\Admin\AppData\Local\Temp\is-RULJ0.tmp\TempEgchatinstaller.tmp" /SL5="$40120,4986466,68096,C:\Users\Admin\AppData\Local\TempEgchatinstaller.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
PID:960

C:\Users\Admin\AppData\Local\TempEgchat.exe
"C:\Users\Admin\AppData\Local\TempEgchat.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:436

C:\Users\Admin\AppData\Local\Temp\system.exe
"C:\Users\Admin\AppData\Local\Temp\system.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1956

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TempEgchat.exe
MD5
acf5abe9f9a399a73736f0cbf2e19f4e

SHA1
3f165e2b44ceaad50da8745374c57b500525b2de

SHA256
130a75085b8e38c0b0e3e95b74d08daca3e939506093f497206a8c250c0576fc

SHA512
9154073672b45db52a856eda3d9f43c9591f3d00633fc27ef526249d2679f2cc9c38a1d5b95ac8b375ff7ca7ac531281b084a31405a77d09047302337df4aadd

Download Submit
C:\Users\Admin\AppData\Local\TempEgchat.exe
MD5
acf5abe9f9a399a73736f0cbf2e19f4e

SHA1
3f165e2b44ceaad50da8745374c57b500525b2de

SHA256
130a75085b8e38c0b0e3e95b74d08daca3e939506093f497206a8c250c0576fc

SHA512
9154073672b45db52a856eda3d9f43c9591f3d00633fc27ef526249d2679f2cc9c38a1d5b95ac8b375ff7ca7ac531281b084a31405a77d09047302337df4aadd

Download Submit
C:\Users\Admin\AppData\Local\TempEgchatinstaller.exe
MD5
eb6fa2af6084a0bfc804e92f166c677f

SHA1
b4e69189e1dc0e0716073e89828f26107f9f2809

SHA256
828353ef564506f41225e5c1056462659ab65ea5c82a3f484475b6b8449cb88b

SHA512
10b6afc5ea65ef1f26beaddc4a7265f990281d0511e8fc8994a37bcb8e3daf7c171be6da869b8d348147e7c25b1cd13bd8d8e3d4c115bded7ac7773a22d97515

Download Submit
C:\Users\Admin\AppData\Local\TempEgchatinstaller.exe
MD5
eb6fa2af6084a0bfc804e92f166c677f

SHA1
b4e69189e1dc0e0716073e89828f26107f9f2809

SHA256
828353ef564506f41225e5c1056462659ab65ea5c82a3f484475b6b8449cb88b

SHA512
10b6afc5ea65ef1f26beaddc4a7265f990281d0511e8fc8994a37bcb8e3daf7c171be6da869b8d348147e7c25b1cd13bd8d8e3d4c115bded7ac7773a22d97515

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RULJ0.tmp\TempEgchatinstaller.tmp
MD5
e2580737dca2845220782c8f59777679

SHA1
9f9c60fbd5289afa2bc810f0470004c1260a4831

SHA256
258dc547d2883fb9f6c8fc934f3c9892bf253bd15133202444e265d4daf08362

SHA512
0a8ba4eeded11b1052623da36cf1322e9bf48a84759922fde926b6424b5355a9c75517b17421331fa69062d8ed029aab9819a91bbf1f37fa6745affffb007e3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\system.exe
MD5
233c3f4734867b89f5de8679d1217c40

SHA1
f1c98bfe9537b32c9d4ca1ebfc304cb9e2aab3a2

SHA256
7af598d30c386d9cd170463b6340142809feb3d3109943f0fb7b60a0651ee282

SHA512
d267c022c73e7e8ec5ae0dee0837a7fceb2ddfe1d895563a2c6a6d22bc62a87e4cc7e1ec648b4689fe842679213f0f82328b3a623a6e79aef9832dbfb1cc0379

Download Submit
C:\Users\Admin\AppData\Local\Temp\system.exe
MD5
233c3f4734867b89f5de8679d1217c40

SHA1
f1c98bfe9537b32c9d4ca1ebfc304cb9e2aab3a2

SHA256
7af598d30c386d9cd170463b6340142809feb3d3109943f0fb7b60a0651ee282

SHA512
d267c022c73e7e8ec5ae0dee0837a7fceb2ddfe1d895563a2c6a6d22bc62a87e4cc7e1ec648b4689fe842679213f0f82328b3a623a6e79aef9832dbfb1cc0379

Download Submit
\Users\Admin\AppData\Local\Temp\is-RULJ0.tmp\TempEgchatinstaller.tmp
MD5
e2580737dca2845220782c8f59777679

SHA1
9f9c60fbd5289afa2bc810f0470004c1260a4831

SHA256
258dc547d2883fb9f6c8fc934f3c9892bf253bd15133202444e265d4daf08362

SHA512
0a8ba4eeded11b1052623da36cf1322e9bf48a84759922fde926b6424b5355a9c75517b17421331fa69062d8ed029aab9819a91bbf1f37fa6745affffb007e3b

Download Submit
memory/436-72-0x0000000001FD5000-0x0000000001FD6000-memory.dmp

Filesize
4KB

Download
memory/436-75-0x0000000001FD8000-0x0000000001FD9000-memory.dmp

Filesize
4KB

Download
memory/436-63-0x000007FEF2BA0000-0x000007FEF3C36000-memory.dmp

Filesize
16.6MB

Download
memory/436-62-0x0000000001FB0000-0x0000000001FB2000-memory.dmp

Filesize
8KB

Download
memory/436-81-0x0000000001FE3000-0x0000000001FE4000-memory.dmp

Filesize
4KB

Download
memory/436-80-0x0000000001FE1000-0x0000000001FE3000-memory.dmp

Filesize
8KB

Download
memory/436-83-0x0000000001FE6000-0x0000000001FE7000-memory.dmp

Filesize
4KB

Download
memory/436-71-0x0000000001FB6000-0x0000000001FD5000-memory.dmp

Filesize
124KB

Download
memory/436-73-0x0000000001FD6000-0x0000000001FD7000-memory.dmp

Filesize
4KB

Download
memory/436-74-0x0000000001FD7000-0x0000000001FD8000-memory.dmp

Filesize
4KB

Download
memory/436-82-0x0000000001FE5000-0x0000000001FE6000-memory.dmp

Filesize
4KB

Download
memory/436-84-0x0000000001FE7000-0x0000000001FE8000-memory.dmp

Filesize
4KB

Download
memory/436-85-0x0000000001FE8000-0x0000000001FE9000-memory.dmp

Filesize
4KB

Download
memory/656-64-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/656-59-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

Filesize
8KB

Download
memory/960-70-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1672-55-0x0000000000490000-0x0000000000492000-memory.dmp

Filesize
8KB

Download
memory/1672-56-0x000007FEF2DE0000-0x000007FEF3E76000-memory.dmp

Filesize
16.6MB

Download
memory/1672-57-0x000007FEFC3A1000-0x000007FEFC3A3000-memory.dmp

Filesize
8KB

Download
memory/1956-79-0x0000000000310000-0x0000000000580000-memory.dmp

Filesize
2.4MB

Download
memory/1956-78-0x000007FEF2BA0000-0x000007FEF3C36000-memory.dmp

Filesize
16.6MB

Download

Analysis

Sharing