njrat | 68690afda547fc3ccd9a8ee7cfdc8421428736ce697d7d50dca6894dbd867a91

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-en-20211208
submitted
28-01-2022 07:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b07fe4ec839f73e5d8c52c42409cfcad.exe
Size

794KB
MD5

b07fe4ec839f73e5d8c52c42409cfcad
SHA1

2a9fcb902902372ecaf480c1377f1267b03aaae1
SHA256

68690afda547fc3ccd9a8ee7cfdc8421428736ce697d7d50dca6894dbd867a91
SHA512

c8d586dcf192590967b5c935d9e54e0a154837149b95d3d9f6e7cd031481ee641ae4062ee5fa5a2c342b2f2c1d4c98ba3160a78522921218d47ed3e062cc64fb

Score

10^/10

njrat trojan

Malware Config

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 2 IoCs

Processes:

AstarothSpammer.exeDiscord.exe

pid process

1248 AstarothSpammer.exe
660 Discord.exe

pid	process
1248	AstarothSpammer.exe
660	Discord.exe

Loads dropped DLL 8 IoCs

Processes:

b07fe4ec839f73e5d8c52c42409cfcad.exeWerFault.exe

pid	process
1664	b07fe4ec839f73e5d8c52c42409cfcad.exe
1664	b07fe4ec839f73e5d8c52c42409cfcad.exe
1664	b07fe4ec839f73e5d8c52c42409cfcad.exe
820	WerFault.exe
820	WerFault.exe
820	WerFault.exe
820	WerFault.exe
820	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

820 1248 WerFault.exe AstarothSpammer.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

WerFault.exe

pid process

820 WerFault.exe
820 WerFault.exe
820 WerFault.exe
820 WerFault.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WerFault.exe

pid process

820 WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 820 WerFault.exe

pid	pid_target	process	target process
820	1248	WerFault.exe	AstarothSpammer.exe

pid	process
820	WerFault.exe
820	WerFault.exe
820	WerFault.exe
820	WerFault.exe

pid	process
820	WerFault.exe

description	pid	process
Token: SeDebugPrivilege	820	WerFault.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

b07fe4ec839f73e5d8c52c42409cfcad.exeAstarothSpammer.exe

description	pid	process	target process
PID 1664 wrote to memory of 1248	1664	b07fe4ec839f73e5d8c52c42409cfcad.exe	AstarothSpammer.exe
PID 1664 wrote to memory of 1248	1664	b07fe4ec839f73e5d8c52c42409cfcad.exe	AstarothSpammer.exe
PID 1664 wrote to memory of 1248	1664	b07fe4ec839f73e5d8c52c42409cfcad.exe	AstarothSpammer.exe
PID 1664 wrote to memory of 1248	1664	b07fe4ec839f73e5d8c52c42409cfcad.exe	AstarothSpammer.exe
PID 1664 wrote to memory of 660	1664	b07fe4ec839f73e5d8c52c42409cfcad.exe	Discord.exe
PID 1664 wrote to memory of 660	1664	b07fe4ec839f73e5d8c52c42409cfcad.exe	Discord.exe
PID 1664 wrote to memory of 660	1664	b07fe4ec839f73e5d8c52c42409cfcad.exe	Discord.exe
PID 1664 wrote to memory of 660	1664	b07fe4ec839f73e5d8c52c42409cfcad.exe	Discord.exe
PID 1248 wrote to memory of 820	1248	AstarothSpammer.exe	WerFault.exe
PID 1248 wrote to memory of 820	1248	AstarothSpammer.exe	WerFault.exe
PID 1248 wrote to memory of 820	1248	AstarothSpammer.exe	WerFault.exe
PID 1248 wrote to memory of 820	1248	AstarothSpammer.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\b07fe4ec839f73e5d8c52c42409cfcad.exe
"C:\Users\Admin\AppData\Local\Temp\b07fe4ec839f73e5d8c52c42409cfcad.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1664
- C:\Users\Admin\AppData\Roaming\AstarothSpammer.exe
  "C:\Users\Admin\AppData\Roaming\AstarothSpammer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1248
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1248 -s 552
    3⤵
    - Loads dropped DLL
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:820
- C:\Users\Admin\AppData\Roaming\Discord.exe
  "C:\Users\Admin\AppData\Roaming\Discord.exe"
  2⤵
  - Executes dropped EXE
  PID:660

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AstarothSpammer.exe

MD5
35521d550e39cd87ab50f0bbffc98492

SHA1
ae74000255fb3edc6ec597ce849777cf736046f0

SHA256
a263dfce21e66a3f98ae9b7e7f04cb3973ac0f1554bf07f2392cf189187d54ba

SHA512
6e456bd9de6a8e95347f47fc9490cda485777189ed476c673e8f22171ee6d5efa87f08a4cda11fd201d97e57df4128fa3ce6acc9b9b411a8836eb3be3dc4bd6b

Download Submit
C:\Users\Admin\AppData\Roaming\AstarothSpammer.exe

MD5
35521d550e39cd87ab50f0bbffc98492

SHA1
ae74000255fb3edc6ec597ce849777cf736046f0

SHA256
a263dfce21e66a3f98ae9b7e7f04cb3973ac0f1554bf07f2392cf189187d54ba

SHA512
6e456bd9de6a8e95347f47fc9490cda485777189ed476c673e8f22171ee6d5efa87f08a4cda11fd201d97e57df4128fa3ce6acc9b9b411a8836eb3be3dc4bd6b

Download Submit
C:\Users\Admin\AppData\Roaming\Discord.exe

MD5
fa299ca0b7d19a5fd30836385a5b452a

SHA1
1519b65cdf2cef9fccf89af341ff31838648229f

SHA256
00b40ad7e9def3387b06ce49d4e078359737a6e87dc4bfd7c0f127a5700ee073

SHA512
3f2faef1d571ca8db8f0b060f4b082f88ed1b3f6f0b5034739eaaed5dbbb1aa9ce86d5548ed294e354d90db71a89b1d742fb1a22e94fc10bd5531fbd55317465

Download Submit
C:\Users\Admin\AppData\Roaming\Discord.exe

MD5
fa299ca0b7d19a5fd30836385a5b452a

SHA1
1519b65cdf2cef9fccf89af341ff31838648229f

SHA256
00b40ad7e9def3387b06ce49d4e078359737a6e87dc4bfd7c0f127a5700ee073

SHA512
3f2faef1d571ca8db8f0b060f4b082f88ed1b3f6f0b5034739eaaed5dbbb1aa9ce86d5548ed294e354d90db71a89b1d742fb1a22e94fc10bd5531fbd55317465

Download Submit
\Users\Admin\AppData\Roaming\AstarothSpammer.exe

MD5
35521d550e39cd87ab50f0bbffc98492

SHA1
ae74000255fb3edc6ec597ce849777cf736046f0

SHA256
a263dfce21e66a3f98ae9b7e7f04cb3973ac0f1554bf07f2392cf189187d54ba

SHA512
6e456bd9de6a8e95347f47fc9490cda485777189ed476c673e8f22171ee6d5efa87f08a4cda11fd201d97e57df4128fa3ce6acc9b9b411a8836eb3be3dc4bd6b

Download Submit
\Users\Admin\AppData\Roaming\AstarothSpammer.exe

MD5
35521d550e39cd87ab50f0bbffc98492

SHA1
ae74000255fb3edc6ec597ce849777cf736046f0

SHA256
a263dfce21e66a3f98ae9b7e7f04cb3973ac0f1554bf07f2392cf189187d54ba

SHA512
6e456bd9de6a8e95347f47fc9490cda485777189ed476c673e8f22171ee6d5efa87f08a4cda11fd201d97e57df4128fa3ce6acc9b9b411a8836eb3be3dc4bd6b

Download Submit
\Users\Admin\AppData\Roaming\AstarothSpammer.exe

MD5
35521d550e39cd87ab50f0bbffc98492

SHA1
ae74000255fb3edc6ec597ce849777cf736046f0

SHA256
a263dfce21e66a3f98ae9b7e7f04cb3973ac0f1554bf07f2392cf189187d54ba

SHA512
6e456bd9de6a8e95347f47fc9490cda485777189ed476c673e8f22171ee6d5efa87f08a4cda11fd201d97e57df4128fa3ce6acc9b9b411a8836eb3be3dc4bd6b

Download Submit
\Users\Admin\AppData\Roaming\AstarothSpammer.exe

MD5
35521d550e39cd87ab50f0bbffc98492

SHA1
ae74000255fb3edc6ec597ce849777cf736046f0

SHA256
a263dfce21e66a3f98ae9b7e7f04cb3973ac0f1554bf07f2392cf189187d54ba

SHA512
6e456bd9de6a8e95347f47fc9490cda485777189ed476c673e8f22171ee6d5efa87f08a4cda11fd201d97e57df4128fa3ce6acc9b9b411a8836eb3be3dc4bd6b

Download Submit
\Users\Admin\AppData\Roaming\AstarothSpammer.exe

MD5
35521d550e39cd87ab50f0bbffc98492

SHA1
ae74000255fb3edc6ec597ce849777cf736046f0

SHA256
a263dfce21e66a3f98ae9b7e7f04cb3973ac0f1554bf07f2392cf189187d54ba

SHA512
6e456bd9de6a8e95347f47fc9490cda485777189ed476c673e8f22171ee6d5efa87f08a4cda11fd201d97e57df4128fa3ce6acc9b9b411a8836eb3be3dc4bd6b

Download Submit
\Users\Admin\AppData\Roaming\AstarothSpammer.exe

MD5
35521d550e39cd87ab50f0bbffc98492

SHA1
ae74000255fb3edc6ec597ce849777cf736046f0

SHA256
a263dfce21e66a3f98ae9b7e7f04cb3973ac0f1554bf07f2392cf189187d54ba

SHA512
6e456bd9de6a8e95347f47fc9490cda485777189ed476c673e8f22171ee6d5efa87f08a4cda11fd201d97e57df4128fa3ce6acc9b9b411a8836eb3be3dc4bd6b

Download Submit
\Users\Admin\AppData\Roaming\Discord.exe

MD5
fa299ca0b7d19a5fd30836385a5b452a

SHA1
1519b65cdf2cef9fccf89af341ff31838648229f

SHA256
00b40ad7e9def3387b06ce49d4e078359737a6e87dc4bfd7c0f127a5700ee073

SHA512
3f2faef1d571ca8db8f0b060f4b082f88ed1b3f6f0b5034739eaaed5dbbb1aa9ce86d5548ed294e354d90db71a89b1d742fb1a22e94fc10bd5531fbd55317465

Download Submit
\Users\Admin\AppData\Roaming\Discord.exe

MD5
fa299ca0b7d19a5fd30836385a5b452a

SHA1
1519b65cdf2cef9fccf89af341ff31838648229f

SHA256
00b40ad7e9def3387b06ce49d4e078359737a6e87dc4bfd7c0f127a5700ee073

SHA512
3f2faef1d571ca8db8f0b060f4b082f88ed1b3f6f0b5034739eaaed5dbbb1aa9ce86d5548ed294e354d90db71a89b1d742fb1a22e94fc10bd5531fbd55317465

Download Submit
memory/660-65-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/820-72-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1248-64-0x0000000000C50000-0x0000000000CEA000-memory.dmp

Filesize
616KB

Download
memory/1664-54-0x0000000075B51000-0x0000000075B53000-memory.dmp

Filesize
8KB

Download
memory/1664-55-0x0000000002040000-0x0000000002041000-memory.dmp

Filesize
4KB

Download