njrat | 211be1147cc8c04fa90c052f43d408463d193821e7fad1f225efc0fb6fad73d7

General

Target

211be1147cc8c04fa90c052f43d408463d193821e7fad1f225efc0fb6fad73d7.exe
Size

612KB
MD5

f414c142f690168170dc839b538fae62
SHA1

f1695b6b8b52c13148d2bca87269b9d11479f2c5
SHA256

211be1147cc8c04fa90c052f43d408463d193821e7fad1f225efc0fb6fad73d7
SHA512

e7eb28451c72366c9d05421902ecccbc296c7173f2481b5c2a654fe967ffb6661ff23246cbe67698f788e9646a3880b3d29c1c7ed39ee7dc456c202f2e454e7c

Score

10^/10

njrat 1 trojan

Malware Config

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

1

C2

127.0.0.1:6666

Mutex

Windows Update

Attributes

reg_key
Windows Update
splitter
|Hassan|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 2 IoCs

Processes:

Server.sfx.exeServer.exe

pid process

1884 Server.sfx.exe
436 Server.exe
Loads dropped DLL 3 IoCs

Processes:

Server.sfx.exe

pid process

1884 Server.sfx.exe
1884 Server.sfx.exe
1884 Server.sfx.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Server.exe

pid process

436 Server.exe

pid	process
1884	Server.sfx.exe
436	Server.exe

pid	process
1884	Server.sfx.exe
1884	Server.sfx.exe
1884	Server.sfx.exe

pid	process
436	Server.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

Processes:

Server.exe

description	pid	process
Token: SeDebugPrivilege	436	Server.exe
Token: 33	436	Server.exe
Token: SeIncBasePriorityPrivilege	436	Server.exe
Token: 33	436	Server.exe
Token: SeIncBasePriorityPrivilege	436	Server.exe
Token: 33	436	Server.exe
Token: SeIncBasePriorityPrivilege	436	Server.exe
Token: 33	436	Server.exe
Token: SeIncBasePriorityPrivilege	436	Server.exe
Token: 33	436	Server.exe
Token: SeIncBasePriorityPrivilege	436	Server.exe
Token: 33	436	Server.exe
Token: SeIncBasePriorityPrivilege	436	Server.exe
Token: 33	436	Server.exe
Token: SeIncBasePriorityPrivilege	436	Server.exe
Token: 33	436	Server.exe
Token: SeIncBasePriorityPrivilege	436	Server.exe
Token: 33	436	Server.exe
Token: SeIncBasePriorityPrivilege	436	Server.exe
Token: 33	436	Server.exe
Token: SeIncBasePriorityPrivilege	436	Server.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

211be1147cc8c04fa90c052f43d408463d193821e7fad1f225efc0fb6fad73d7.execmd.exeServer.sfx.exe

description	pid	process	target process
PID 1836 wrote to memory of 528	1836	211be1147cc8c04fa90c052f43d408463d193821e7fad1f225efc0fb6fad73d7.exe	cmd.exe
PID 1836 wrote to memory of 528	1836	211be1147cc8c04fa90c052f43d408463d193821e7fad1f225efc0fb6fad73d7.exe	cmd.exe
PID 1836 wrote to memory of 528	1836	211be1147cc8c04fa90c052f43d408463d193821e7fad1f225efc0fb6fad73d7.exe	cmd.exe
PID 1836 wrote to memory of 528	1836	211be1147cc8c04fa90c052f43d408463d193821e7fad1f225efc0fb6fad73d7.exe	cmd.exe
PID 528 wrote to memory of 1884	528	cmd.exe	Server.sfx.exe
PID 528 wrote to memory of 1884	528	cmd.exe	Server.sfx.exe
PID 528 wrote to memory of 1884	528	cmd.exe	Server.sfx.exe
PID 528 wrote to memory of 1884	528	cmd.exe	Server.sfx.exe
PID 1884 wrote to memory of 436	1884	Server.sfx.exe	Server.exe
PID 1884 wrote to memory of 436	1884	Server.sfx.exe	Server.exe
PID 1884 wrote to memory of 436	1884	Server.sfx.exe	Server.exe
PID 1884 wrote to memory of 436	1884	Server.sfx.exe	Server.exe

C:\Users\Admin\AppData\Local\Temp\211be1147cc8c04fa90c052f43d408463d193821e7fad1f225efc0fb6fad73d7.exe
"C:\Users\Admin\AppData\Local\Temp\211be1147cc8c04fa90c052f43d408463d193821e7fad1f225efc0fb6fad73d7.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1836

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\start.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:528

C:\Server.sfx.exe
Server.sfx -pSALkljltjlalljjljltylj745464yklsalskaLDKSALDLKa -dc:\
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1884

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Server.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Server.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:436

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Server.sfx.exe
Filesize
311KB

MD5
5603d3a3fc564364bc50f3e8c8ee0871

SHA1
48abcc70a6658890561cc408ca07f6503bc0307b

SHA256
da5fb964922d3ac61001835ec547b4d9ccbbd53cdaceccfe1d90a7cae9425943

SHA512
359140f49616c982d595f44408f8fed69e60a56a2d9054a9111498a596d9ccc94de952f2db015d7c6ba3df78d0b6d07ba6279e8948f33fa25a9651de74a81d3b

Download Submit
C:\Server.sfx.exe
Filesize
311KB

MD5
5603d3a3fc564364bc50f3e8c8ee0871

SHA1
48abcc70a6658890561cc408ca07f6503bc0307b

SHA256
da5fb964922d3ac61001835ec547b4d9ccbbd53cdaceccfe1d90a7cae9425943

SHA512
359140f49616c982d595f44408f8fed69e60a56a2d9054a9111498a596d9ccc94de952f2db015d7c6ba3df78d0b6d07ba6279e8948f33fa25a9651de74a81d3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Server.exe
Filesize
43KB

MD5
accc929bf090d9f48afb7d4a2d3ff189

SHA1
4038c4542c1a80c1502df1ed733409c85a340325

SHA256
014ebb55b87556b9401a0ed07d1ddec7e14fd8e2d2b7a1392e1b8f4088599c64

SHA512
2e4b24f433fc6ae85735286921efe30c03440edca3ba53ec6dd3b251b072ff23bf0d6d783b104cafe09a61810215fbbb6c8ae636db6d910c6ee0084436cd10d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Server.exe
Filesize
43KB

MD5
accc929bf090d9f48afb7d4a2d3ff189

SHA1
4038c4542c1a80c1502df1ed733409c85a340325

SHA256
014ebb55b87556b9401a0ed07d1ddec7e14fd8e2d2b7a1392e1b8f4088599c64

SHA512
2e4b24f433fc6ae85735286921efe30c03440edca3ba53ec6dd3b251b072ff23bf0d6d783b104cafe09a61810215fbbb6c8ae636db6d910c6ee0084436cd10d0

Download Submit
C:\start.bat
Filesize
79B

MD5
02b93d7386a2aab2ebad3ab046ad135c

SHA1
5b9d035881267a963f5ea51c22f94ac508251e1c

SHA256
eed18e4fdbedd043805b3ceea7e4e07a86ee6ad4b31fc9ef58baa187a3d5b991

SHA512
fe803a41d9ef51c2cf2b3fbaef8e8fff48120ce09e92003690dfbb5bbd215aff39af5d4875d6637852a8344c244de9b29b51ce5487e4122a44636c560113bfa2

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Server.exe
Filesize
43KB

MD5
accc929bf090d9f48afb7d4a2d3ff189

SHA1
4038c4542c1a80c1502df1ed733409c85a340325

SHA256
014ebb55b87556b9401a0ed07d1ddec7e14fd8e2d2b7a1392e1b8f4088599c64

SHA512
2e4b24f433fc6ae85735286921efe30c03440edca3ba53ec6dd3b251b072ff23bf0d6d783b104cafe09a61810215fbbb6c8ae636db6d910c6ee0084436cd10d0

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Server.exe
Filesize
43KB

MD5
accc929bf090d9f48afb7d4a2d3ff189

SHA1
4038c4542c1a80c1502df1ed733409c85a340325

SHA256
014ebb55b87556b9401a0ed07d1ddec7e14fd8e2d2b7a1392e1b8f4088599c64

SHA512
2e4b24f433fc6ae85735286921efe30c03440edca3ba53ec6dd3b251b072ff23bf0d6d783b104cafe09a61810215fbbb6c8ae636db6d910c6ee0084436cd10d0

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Server.exe
Filesize
43KB

MD5
accc929bf090d9f48afb7d4a2d3ff189

SHA1
4038c4542c1a80c1502df1ed733409c85a340325

SHA256
014ebb55b87556b9401a0ed07d1ddec7e14fd8e2d2b7a1392e1b8f4088599c64

SHA512
2e4b24f433fc6ae85735286921efe30c03440edca3ba53ec6dd3b251b072ff23bf0d6d783b104cafe09a61810215fbbb6c8ae636db6d910c6ee0084436cd10d0

Download Submit
memory/436-64-0x0000000000000000-mapping.dmp

Download
memory/436-67-0x0000000000340000-0x0000000000352000-memory.dmp

Filesize
72KB

Download
memory/528-55-0x0000000000000000-mapping.dmp

Download
memory/1836-54-0x00000000754B1000-0x00000000754B3000-memory.dmp

Filesize
8KB

Download
memory/1884-58-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing