njrat | b8b02e781ca3b049b61e31b5b3f508ac1ecffd335a6c6c83b7dbc1de88e69ed5

General

Target

b8b02e781ca3b049b61e31b5b3f508ac1ecffd335a6c6c83b7dbc1de88e69ed5.exe
Size

1.0MB
MD5

20917a3dd1b362aa03532d623fbb1622
SHA1

b8102145d3937c2ad99f03dd9ee8da4478b0a4a4
SHA256

b8b02e781ca3b049b61e31b5b3f508ac1ecffd335a6c6c83b7dbc1de88e69ed5
SHA512

ce3a5d405be750e1706b8609b2fe391740af446205651f3a93fb5bf3f911ff83ae8af526f13fcefdde0c4a36873d4a04756b40779d1cb4525251aad0407175b8

Score

10^/10

njrat hack trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacK

C2

127.0.0.1:1234

Mutex

8a6179254fb2f1e73fe707c1a92f1876

Attributes

reg_key
8a6179254fb2f1e73fe707c1a92f1876
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Nirsoft 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Process Modules DLL.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\Process Modules DLL.exe	Nirsoft
behavioral2/memory/5116-134-0x0000000000C70000-0x0000000000D6C000-memory.dmp	Nirsoft

Executes dropped EXE 2 IoCs

Processes:

Server.exeProcess Modules DLL.exe

pid process

4404 Server.exe
5116 Process Modules DLL.exe

pid	process
4404	Server.exe
5116	Process Modules DLL.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b8b02e781ca3b049b61e31b5b3f508ac1ecffd335a6c6c83b7dbc1de88e69ed5.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	b8b02e781ca3b049b61e31b5b3f508ac1ecffd335a6c6c83b7dbc1de88e69ed5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

AUDIODG.EXE

description pid process

Token: 33 4984 AUDIODG.EXE
Token: SeIncBasePriorityPrivilege 4984 AUDIODG.EXE

description	pid	process
Token: 33	4984	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4984	AUDIODG.EXE

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

b8b02e781ca3b049b61e31b5b3f508ac1ecffd335a6c6c83b7dbc1de88e69ed5.exeServer.exefondue.exe

description	pid	process	target process
PID 2644 wrote to memory of 4404	2644	b8b02e781ca3b049b61e31b5b3f508ac1ecffd335a6c6c83b7dbc1de88e69ed5.exe	Server.exe
PID 2644 wrote to memory of 4404	2644	b8b02e781ca3b049b61e31b5b3f508ac1ecffd335a6c6c83b7dbc1de88e69ed5.exe	Server.exe
PID 2644 wrote to memory of 4404	2644	b8b02e781ca3b049b61e31b5b3f508ac1ecffd335a6c6c83b7dbc1de88e69ed5.exe	Server.exe
PID 4404 wrote to memory of 5052	4404	Server.exe	fondue.exe
PID 4404 wrote to memory of 5052	4404	Server.exe	fondue.exe
PID 4404 wrote to memory of 5052	4404	Server.exe	fondue.exe
PID 2644 wrote to memory of 5116	2644	b8b02e781ca3b049b61e31b5b3f508ac1ecffd335a6c6c83b7dbc1de88e69ed5.exe	Process Modules DLL.exe
PID 2644 wrote to memory of 5116	2644	b8b02e781ca3b049b61e31b5b3f508ac1ecffd335a6c6c83b7dbc1de88e69ed5.exe	Process Modules DLL.exe
PID 5052 wrote to memory of 3544	5052	fondue.exe	FonDUE.EXE
PID 5052 wrote to memory of 3544	5052	fondue.exe	FonDUE.EXE

C:\Users\Admin\AppData\Local\Temp\b8b02e781ca3b049b61e31b5b3f508ac1ecffd335a6c6c83b7dbc1de88e69ed5.exe
"C:\Users\Admin\AppData\Local\Temp\b8b02e781ca3b049b61e31b5b3f508ac1ecffd335a6c6c83b7dbc1de88e69ed5.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2644

C:\Users\Admin\AppData\Local\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4404

C:\Windows\SysWOW64\fondue.exe
"C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
3⤵
- Suspicious use of WriteProcessMemory
PID:5052

C:\Windows\system32\FonDUE.EXE
"C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
4⤵
PID:3544

C:\Users\Admin\AppData\Local\Temp\Process Modules DLL.exe
"C:\Users\Admin\AppData\Local\Temp\Process Modules DLL.exe"
2⤵
- Executes dropped EXE
PID:5116

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x300 0x2ec
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4984

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Process Modules DLL.exe
MD5
d27ba7e620a8c3a36b62d3a983d3fe61

SHA1
ac86faf6c358002254a032d4f7a9bdbef093c573

SHA256
3d793d0f14382c8f28ba9efd2f35bfb18c2abaf5f4654d81726ddebe4310fa07

SHA512
e0ef5dac3c50fe6bf1e03116dd7239d89c85d0a47bf2254705c1f4527b1b4843cc5b04ed76d5f618a61f127c6b54587e2e02f7050525d819f6aa3b93ede91a00

Download Submit
C:\Users\Admin\AppData\Local\Temp\Process Modules DLL.exe
MD5
d27ba7e620a8c3a36b62d3a983d3fe61

SHA1
ac86faf6c358002254a032d4f7a9bdbef093c573

SHA256
3d793d0f14382c8f28ba9efd2f35bfb18c2abaf5f4654d81726ddebe4310fa07

SHA512
e0ef5dac3c50fe6bf1e03116dd7239d89c85d0a47bf2254705c1f4527b1b4843cc5b04ed76d5f618a61f127c6b54587e2e02f7050525d819f6aa3b93ede91a00

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe
MD5
cd756c506aedc1507c79b7c81d51dfe0

SHA1
0428b30df265076b61499266050ecbb461b1ae95

SHA256
3a06815118520f21257729a0ef3a86159f927a9b0f598f442fc2b699b9a8adff

SHA512
9fde72774fd3deba541c69e37343a10e600f6bf4c5111b670397d4740d4d5405c7ba4b0436d12fc796c3662381ec62b226e6801685f5eff75cc7df069bd1f062

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe
MD5
cd756c506aedc1507c79b7c81d51dfe0

SHA1
0428b30df265076b61499266050ecbb461b1ae95

SHA256
3a06815118520f21257729a0ef3a86159f927a9b0f598f442fc2b699b9a8adff

SHA512
9fde72774fd3deba541c69e37343a10e600f6bf4c5111b670397d4740d4d5405c7ba4b0436d12fc796c3662381ec62b226e6801685f5eff75cc7df069bd1f062

Download Submit
memory/5116-134-0x0000000000C70000-0x0000000000D6C000-memory.dmp

Filesize
1008KB

Download
memory/5116-135-0x00007FFB177A0000-0x00007FFB18261000-memory.dmp

Filesize
10.8MB

Download
memory/5116-136-0x000000001CEF0000-0x000000001CEF2000-memory.dmp

Filesize
8KB

Download
memory/5116-137-0x000000001CEF3000-0x000000001CEF5000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads