njrat | ed2483ea2768ee40839a832f2e2771ea56c476a3622687e7b476aabb59f65d20

General

Target

ed2483ea2768ee40839a832f2e2771ea56c476a3622687e7b476aabb59f65d20.exe
Size

229KB
MD5

7d276dfb51b873aa1fa8d512a961b8e7
SHA1

0070198c1e94602fdc435a5933990861e9d7836c
SHA256

ed2483ea2768ee40839a832f2e2771ea56c476a3622687e7b476aabb59f65d20
SHA512

11f360bbe72a90c9364fb4f9d8d8659bb82d18745077cb85b08b158bbdabc05735f0b38a4710c42759d2bca23cbbebd0e77159228f8754ac7553ef1ccc05327e

Score

10^/10

njrat system trojan

Malware Config

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

system

C2

urbanhuman123.duckdns.org:3131

Mutex

Windows Update

Attributes

reg_key
Windows Update
splitter
|Hassan|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 1 IoCs

Processes:

Tempwinlogon.exe

pid process

1384 Tempwinlogon.exe

pid	process
1384	Tempwinlogon.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ed2483ea2768ee40839a832f2e2771ea56c476a3622687e7b476aabb59f65d20.exewscript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	ed2483ea2768ee40839a832f2e2771ea56c476a3622687e7b476aabb59f65d20.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

ed2483ea2768ee40839a832f2e2771ea56c476a3622687e7b476aabb59f65d20.exewscript.exeTempwinlogon.exefondue.exe

description	pid	process	target process
PID 3096 wrote to memory of 5112	3096	ed2483ea2768ee40839a832f2e2771ea56c476a3622687e7b476aabb59f65d20.exe	wscript.exe
PID 3096 wrote to memory of 5112	3096	ed2483ea2768ee40839a832f2e2771ea56c476a3622687e7b476aabb59f65d20.exe	wscript.exe
PID 5112 wrote to memory of 1384	5112	wscript.exe	Tempwinlogon.exe
PID 5112 wrote to memory of 1384	5112	wscript.exe	Tempwinlogon.exe
PID 5112 wrote to memory of 1384	5112	wscript.exe	Tempwinlogon.exe
PID 1384 wrote to memory of 3496	1384	Tempwinlogon.exe	fondue.exe
PID 1384 wrote to memory of 3496	1384	Tempwinlogon.exe	fondue.exe
PID 1384 wrote to memory of 3496	1384	Tempwinlogon.exe	fondue.exe
PID 3496 wrote to memory of 2556	3496	fondue.exe	FonDUE.EXE
PID 3496 wrote to memory of 2556	3496	fondue.exe	FonDUE.EXE

C:\Users\Admin\AppData\Local\Temp\ed2483ea2768ee40839a832f2e2771ea56c476a3622687e7b476aabb59f65d20.exe
"C:\Users\Admin\AppData\Local\Temp\ed2483ea2768ee40839a832f2e2771ea56c476a3622687e7b476aabb59f65d20.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3096

C:\Windows\system32\wscript.exe
"C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\9160.tmp\9161.tmp\9162.vbs //Nologo
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5112

C:\Users\Admin\AppData\Local\Tempwinlogon.exe
"C:\Users\Admin\AppData\Local\Tempwinlogon.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1384

C:\Windows\SysWOW64\fondue.exe
"C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
4⤵
- Suspicious use of WriteProcessMemory
PID:3496

C:\Windows\system32\FonDUE.EXE
"C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
5⤵
PID:2556

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9160.tmp\9161.tmp\9162.vbs
Filesize
175KB

MD5
f9a5ce69bedccc0300a55805c53d5298

SHA1
667b32641419b4d11deb03601fd6ac460fa61b70

SHA256
e3dff2b35df20d4cc148d246bd9cef6848e37e768f55156de4e5eb40f82a9cab

SHA512
530c86fee6cba3f4e3b390c8bed345dd11f2c1f10c5d51ed7de16bc90f90d85f887f99c8a6623ffd9e0c78fca38052994e7bbe2b068422c846228888ffbcd78b

Download Submit
C:\Users\Admin\AppData\Local\Tempwinlogon.exe
Filesize
43KB

MD5
01cd1273407dc0ac4979fcb85fd7c1b2

SHA1
2c6e2a2ffbe0c98cf378396f41059fb8f40afbed

SHA256
80e24cd9cc94e7d896e564373a3145ea1dbb3252d5249b89a8d17470776edadc

SHA512
b39e83caddb954a9f05cb14ecb5d813336fd5cb477aab91194f8fd631f6af274c3c17705d5fb38e4cf2c7c9096868661a294b46b3557292de4d92ece6251d640

Download Submit
C:\Users\Admin\AppData\Local\Tempwinlogon.exe
Filesize
43KB

MD5
01cd1273407dc0ac4979fcb85fd7c1b2

SHA1
2c6e2a2ffbe0c98cf378396f41059fb8f40afbed

SHA256
80e24cd9cc94e7d896e564373a3145ea1dbb3252d5249b89a8d17470776edadc

SHA512
b39e83caddb954a9f05cb14ecb5d813336fd5cb477aab91194f8fd631f6af274c3c17705d5fb38e4cf2c7c9096868661a294b46b3557292de4d92ece6251d640

Download Submit
memory/1384-135-0x0000000000000000-mapping.dmp

Download
memory/2556-139-0x0000000000000000-mapping.dmp

Download
memory/3496-138-0x0000000000000000-mapping.dmp

Download
memory/5112-133-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing