njrat | f9e1d6034641cb0a7499c761999a8ce0b94be591312114b20998b881df37e8fb

General

Target

f9e1d6034641cb0a7499c761999a8ce0b94be591312114b20998b881df37e8fb.exe
Size

170KB
MD5

32bcb3e725089e57c3a507f87b2a8dc1
SHA1

a8116e41e7b551c4b8b619fee5a79ed39a8d2e8f
SHA256

f9e1d6034641cb0a7499c761999a8ce0b94be591312114b20998b881df37e8fb
SHA512

63f5079940b7205bebbc84914e8342d9018b830e27622cc3a70e1275acbb23c3c2fc81856955f932cbce812adc23ed38d665f57bb0287cbc47bca6e55e6a42da

Score

10^/10

njrat trojan

Malware Config

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 4 IoCs

Processes:

trade hacker muaway.exesvshost.exe.exesvchost.exe

pid process

3716 trade hacker muaway.exe
752 svshost.exe
8 .exe
2912 svchost.exe
Drops file in Windows directory 2 IoCs

Processes:

.exe

description ioc process

File created C:\Windows\svchost.exe .exe
File opened for modification C:\Windows\svchost.exe .exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

f9e1d6034641cb0a7499c761999a8ce0b94be591312114b20998b881df37e8fb.exe

pid process

2700 f9e1d6034641cb0a7499c761999a8ce0b94be591312114b20998b881df37e8fb.exe

pid	process
3716	trade hacker muaway.exe
752	svshost.exe
8	.exe
2912	svchost.exe

description	ioc	process
File created	C:\Windows\svchost.exe	.exe
File opened for modification	C:\Windows\svchost.exe	.exe

pid	process
2700	f9e1d6034641cb0a7499c761999a8ce0b94be591312114b20998b881df37e8fb.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

f9e1d6034641cb0a7499c761999a8ce0b94be591312114b20998b881df37e8fb.exesvshost.exe.exe

description	pid	process	target process
PID 2700 wrote to memory of 3716	2700	f9e1d6034641cb0a7499c761999a8ce0b94be591312114b20998b881df37e8fb.exe	trade hacker muaway.exe
PID 2700 wrote to memory of 3716	2700	f9e1d6034641cb0a7499c761999a8ce0b94be591312114b20998b881df37e8fb.exe	trade hacker muaway.exe
PID 2700 wrote to memory of 752	2700	f9e1d6034641cb0a7499c761999a8ce0b94be591312114b20998b881df37e8fb.exe	svshost.exe
PID 2700 wrote to memory of 752	2700	f9e1d6034641cb0a7499c761999a8ce0b94be591312114b20998b881df37e8fb.exe	svshost.exe
PID 752 wrote to memory of 8	752	svshost.exe	.exe
PID 752 wrote to memory of 8	752	svshost.exe	.exe
PID 752 wrote to memory of 8	752	svshost.exe	.exe
PID 8 wrote to memory of 2912	8	.exe	svchost.exe
PID 8 wrote to memory of 2912	8	.exe	svchost.exe
PID 8 wrote to memory of 2912	8	.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\f9e1d6034641cb0a7499c761999a8ce0b94be591312114b20998b881df37e8fb.exe
"C:\Users\Admin\AppData\Local\Temp\f9e1d6034641cb0a7499c761999a8ce0b94be591312114b20998b881df37e8fb.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Users\Admin\AppData\Local\Temp\trade hacker muaway.exe
  "C:\Users\Admin\AppData\Local\Temp\trade hacker muaway.exe"
  2⤵
  - Executes dropped EXE
  PID:3716
- C:\Users\Admin\AppData\Local\Temp\svshost.exe
  "C:\Users\Admin\AppData\Local\Temp\svshost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:752
- - C:\Users\Admin\AppData\Local\Temp\.exe
    "C:\Users\Admin\AppData\Local\Temp\.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:8
  - - C:\Windows\svchost.exe
      "C:\Windows\svchost.exe"
      4⤵
      Executes dropped EXE
      PID:2912

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\.exe

MD5
dc1269779211c13f66093aebad1ad503

SHA1
60f2dd2a8e12fceb11106f2bde6a407c651fe015

SHA256
4ff0372c5e01ebe8ae489ff2ef049d46befdf4e14b321548ac8e210a4cb60e52

SHA512
8f7d84446e1214c863dcad17f232668a5300c6cbb8304c45192c806612de1da99367ea355a20caa31c258c408c550f12842dee855fac01d808922fe5ef3f52b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\.exe

MD5
dc1269779211c13f66093aebad1ad503

SHA1
60f2dd2a8e12fceb11106f2bde6a407c651fe015

SHA256
4ff0372c5e01ebe8ae489ff2ef049d46befdf4e14b321548ac8e210a4cb60e52

SHA512
8f7d84446e1214c863dcad17f232668a5300c6cbb8304c45192c806612de1da99367ea355a20caa31c258c408c550f12842dee855fac01d808922fe5ef3f52b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\svshost.exe

MD5
13942858263b74d0ee0ed9cc2342d420

SHA1
612b6afe600d0869105a601ca7c884538ace7798

SHA256
deb55200c5b7902be8d40457f3e16ad7ee66b3e331878d88c1ed20537b52e481

SHA512
3da7d861d634037b74856a1aad91f40c4bf4dd60945c72556d3be44d41086c47e0f7e3fd441c579faee3e44353dc8b3c96ba557838bcf76a71e6ea1f7870db22

Download Submit
C:\Users\Admin\AppData\Local\Temp\svshost.exe

MD5
13942858263b74d0ee0ed9cc2342d420

SHA1
612b6afe600d0869105a601ca7c884538ace7798

SHA256
deb55200c5b7902be8d40457f3e16ad7ee66b3e331878d88c1ed20537b52e481

SHA512
3da7d861d634037b74856a1aad91f40c4bf4dd60945c72556d3be44d41086c47e0f7e3fd441c579faee3e44353dc8b3c96ba557838bcf76a71e6ea1f7870db22

Download Submit
C:\Users\Admin\AppData\Local\Temp\trade hacker muaway.exe

MD5
b101315b3665c9bec849f17e0a56f1f0

SHA1
cded1dca5855fc0e86caf0e94f143f7a659c2f19

SHA256
1371ef9e20b0d71fbb7c1e11994d5324a9f522cd0b22cc780149c05248365be3

SHA512
c6643405b4ea14f01100be9dd57e6ab6f1d6c73fed0fc6f1e82f021c8afb05cab81cb42ec6267f00955e5744614e4094c8c529c9df8497eadc43a1fbb17c3680

Download Submit
C:\Users\Admin\AppData\Local\Temp\trade hacker muaway.exe

MD5
b101315b3665c9bec849f17e0a56f1f0

SHA1
cded1dca5855fc0e86caf0e94f143f7a659c2f19

SHA256
1371ef9e20b0d71fbb7c1e11994d5324a9f522cd0b22cc780149c05248365be3

SHA512
c6643405b4ea14f01100be9dd57e6ab6f1d6c73fed0fc6f1e82f021c8afb05cab81cb42ec6267f00955e5744614e4094c8c529c9df8497eadc43a1fbb17c3680

Download Submit
C:\Windows\svchost.exe

MD5
dc1269779211c13f66093aebad1ad503

SHA1
60f2dd2a8e12fceb11106f2bde6a407c651fe015

SHA256
4ff0372c5e01ebe8ae489ff2ef049d46befdf4e14b321548ac8e210a4cb60e52

SHA512
8f7d84446e1214c863dcad17f232668a5300c6cbb8304c45192c806612de1da99367ea355a20caa31c258c408c550f12842dee855fac01d808922fe5ef3f52b3

Download Submit
C:\Windows\svchost.exe

MD5
dc1269779211c13f66093aebad1ad503

SHA1
60f2dd2a8e12fceb11106f2bde6a407c651fe015

SHA256
4ff0372c5e01ebe8ae489ff2ef049d46befdf4e14b321548ac8e210a4cb60e52

SHA512
8f7d84446e1214c863dcad17f232668a5300c6cbb8304c45192c806612de1da99367ea355a20caa31c258c408c550f12842dee855fac01d808922fe5ef3f52b3

Download Submit
memory/8-130-0x00000000023D0000-0x00000000023D1000-memory.dmp

Filesize
4KB

Download
memory/752-125-0x0000000000B80000-0x0000000000B82000-memory.dmp

Filesize
8KB

Download
memory/3716-126-0x0000000001030000-0x0000000001040000-memory.dmp

Filesize
64KB

Download
memory/3716-131-0x0000000001030000-0x0000000001040000-memory.dmp

Filesize
64KB

Download
memory/3716-134-0x0000000001030000-0x0000000001040000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing