njrat | a56b590f350305bacd33b60e5c866c5ad9fb6a318ea8d9afe5149c1a49171d6d

General

Target

a56b590f350305bacd33b60e5c866c5ad9fb6a318ea8d9afe5149c1a49171d6d.exe
Size

93KB
MD5

acc1465e2be291e70935abc7cf4bd21c
SHA1

f9ddf1b9d275e9b17fed8057eedddda15fef4a4a
SHA256

a56b590f350305bacd33b60e5c866c5ad9fb6a318ea8d9afe5149c1a49171d6d
SHA512

9173864524173d00839dd518766136537ec82ae2637b6c2fe16788eaba72068fe08dfcbb4e15d9de0c6aa8f2bb1aa025ba2902fe8e7acb8eaad5bed39429f213

Score

10^/10

njrat hacker evasion trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKer

C2

FRANSESCOjUuFRANSESCOjkuFRANSESCOTFRANSESCOyLjEwNAStrikStrik:MTYwNA==

Mutex

43eaed72e15ff576accb4dc56c41f93d

Attributes

reg_key
43eaed72e15ff576accb4dc56c41f93d
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 1 IoCs

Processes:

server.exe

pid process

896 server.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Drops startup file 4 IoCs

Processes:

server.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\43eaed72e15ff576accb4dc56c41f93dWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\43eaed72e15ff576accb4dc56c41f93dWindows Update.exe	server.exe

Loads dropped DLL 2 IoCs

Processes:

a56b590f350305bacd33b60e5c866c5ad9fb6a318ea8d9afe5149c1a49171d6d.exe

pid	process
1156	a56b590f350305bacd33b60e5c866c5ad9fb6a318ea8d9afe5149c1a49171d6d.exe
1156	a56b590f350305bacd33b60e5c866c5ad9fb6a318ea8d9afe5149c1a49171d6d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

server.exe

pid	process
896	server.exe
896	server.exe
896	server.exe
896	server.exe
896	server.exe
896	server.exe
896	server.exe
896	server.exe
896	server.exe
896	server.exe
896	server.exe
896	server.exe
896	server.exe
896	server.exe
896	server.exe
896	server.exe
896	server.exe
896	server.exe
896	server.exe
896	server.exe
896	server.exe
896	server.exe
896	server.exe
896	server.exe
896	server.exe
896	server.exe
896	server.exe
896	server.exe
896	server.exe
896	server.exe
896	server.exe
896	server.exe
896	server.exe
896	server.exe
896	server.exe
896	server.exe
896	server.exe
896	server.exe
896	server.exe
896	server.exe
896	server.exe
896	server.exe
896	server.exe
896	server.exe
896	server.exe
896	server.exe
896	server.exe
896	server.exe
896	server.exe
896	server.exe
896	server.exe
896	server.exe
896	server.exe
896	server.exe
896	server.exe
896	server.exe
896	server.exe
896	server.exe
896	server.exe
896	server.exe
896	server.exe
896	server.exe
896	server.exe
896	server.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

server.exe

pid process

896 server.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

Processes:

server.exe

description	pid	process
Token: SeDebugPrivilege	896	server.exe
Token: 33	896	server.exe
Token: SeIncBasePriorityPrivilege	896	server.exe
Token: 33	896	server.exe
Token: SeIncBasePriorityPrivilege	896	server.exe
Token: 33	896	server.exe
Token: SeIncBasePriorityPrivilege	896	server.exe
Token: 33	896	server.exe
Token: SeIncBasePriorityPrivilege	896	server.exe
Token: 33	896	server.exe
Token: SeIncBasePriorityPrivilege	896	server.exe
Token: 33	896	server.exe
Token: SeIncBasePriorityPrivilege	896	server.exe
Token: 33	896	server.exe
Token: SeIncBasePriorityPrivilege	896	server.exe
Token: 33	896	server.exe
Token: SeIncBasePriorityPrivilege	896	server.exe
Token: 33	896	server.exe
Token: SeIncBasePriorityPrivilege	896	server.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

a56b590f350305bacd33b60e5c866c5ad9fb6a318ea8d9afe5149c1a49171d6d.exeserver.exe

description	pid	process	target process
PID 1156 wrote to memory of 896	1156	a56b590f350305bacd33b60e5c866c5ad9fb6a318ea8d9afe5149c1a49171d6d.exe	server.exe
PID 1156 wrote to memory of 896	1156	a56b590f350305bacd33b60e5c866c5ad9fb6a318ea8d9afe5149c1a49171d6d.exe	server.exe
PID 1156 wrote to memory of 896	1156	a56b590f350305bacd33b60e5c866c5ad9fb6a318ea8d9afe5149c1a49171d6d.exe	server.exe
PID 1156 wrote to memory of 896	1156	a56b590f350305bacd33b60e5c866c5ad9fb6a318ea8d9afe5149c1a49171d6d.exe	server.exe
PID 896 wrote to memory of 1284	896	server.exe	netsh.exe
PID 896 wrote to memory of 1284	896	server.exe	netsh.exe
PID 896 wrote to memory of 1284	896	server.exe	netsh.exe
PID 896 wrote to memory of 1284	896	server.exe	netsh.exe
PID 896 wrote to memory of 304	896	server.exe	netsh.exe
PID 896 wrote to memory of 304	896	server.exe	netsh.exe
PID 896 wrote to memory of 304	896	server.exe	netsh.exe
PID 896 wrote to memory of 304	896	server.exe	netsh.exe
PID 896 wrote to memory of 916	896	server.exe	netsh.exe
PID 896 wrote to memory of 916	896	server.exe	netsh.exe
PID 896 wrote to memory of 916	896	server.exe	netsh.exe
PID 896 wrote to memory of 916	896	server.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\a56b590f350305bacd33b60e5c866c5ad9fb6a318ea8d9afe5149c1a49171d6d.exe
"C:\Users\Admin\AppData\Local\Temp\a56b590f350305bacd33b60e5c866c5ad9fb6a318ea8d9afe5149c1a49171d6d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1156

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:896

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
3⤵
PID:1284

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
3⤵
PID:304

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
3⤵
PID:916

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\server.exe
Filesize
93KB

MD5
acc1465e2be291e70935abc7cf4bd21c

SHA1
f9ddf1b9d275e9b17fed8057eedddda15fef4a4a

SHA256
a56b590f350305bacd33b60e5c866c5ad9fb6a318ea8d9afe5149c1a49171d6d

SHA512
9173864524173d00839dd518766136537ec82ae2637b6c2fe16788eaba72068fe08dfcbb4e15d9de0c6aa8f2bb1aa025ba2902fe8e7acb8eaad5bed39429f213

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe
Filesize
93KB

MD5
acc1465e2be291e70935abc7cf4bd21c

SHA1
f9ddf1b9d275e9b17fed8057eedddda15fef4a4a

SHA256
a56b590f350305bacd33b60e5c866c5ad9fb6a318ea8d9afe5149c1a49171d6d

SHA512
9173864524173d00839dd518766136537ec82ae2637b6c2fe16788eaba72068fe08dfcbb4e15d9de0c6aa8f2bb1aa025ba2902fe8e7acb8eaad5bed39429f213

Download Submit
C:\Users\Admin\AppData\Roaming\app
Filesize
4B

MD5
5fa01e3399c29de16299d5f4ac743fb2

SHA1
04e29a03c4a56cf097701f34d6d2999b93035327

SHA256
6918b0e9f3af6051db0828a0ec9b353222b84164dab5ed3c85310eefce166223

SHA512
5492642165fb12e782f71ba84e8a673ecc047a8a8b3f2f59b64fa8200212326d36ed576fd119ffd0134f1daa03d14069ead81f0e29c2d59de10cdf4bbf2dc90c

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe
Filesize
93KB

MD5
acc1465e2be291e70935abc7cf4bd21c

SHA1
f9ddf1b9d275e9b17fed8057eedddda15fef4a4a

SHA256
a56b590f350305bacd33b60e5c866c5ad9fb6a318ea8d9afe5149c1a49171d6d

SHA512
9173864524173d00839dd518766136537ec82ae2637b6c2fe16788eaba72068fe08dfcbb4e15d9de0c6aa8f2bb1aa025ba2902fe8e7acb8eaad5bed39429f213

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe
Filesize
93KB

MD5
acc1465e2be291e70935abc7cf4bd21c

SHA1
f9ddf1b9d275e9b17fed8057eedddda15fef4a4a

SHA256
a56b590f350305bacd33b60e5c866c5ad9fb6a318ea8d9afe5149c1a49171d6d

SHA512
9173864524173d00839dd518766136537ec82ae2637b6c2fe16788eaba72068fe08dfcbb4e15d9de0c6aa8f2bb1aa025ba2902fe8e7acb8eaad5bed39429f213

Download Submit
memory/304-66-0x0000000000000000-mapping.dmp

Download
memory/896-58-0x0000000000000000-mapping.dmp

Download
memory/896-62-0x0000000073FB0000-0x000000007455B000-memory.dmp

Filesize
5.7MB

Download
memory/916-67-0x0000000000000000-mapping.dmp

Download
memory/1156-54-0x0000000074F91000-0x0000000074F93000-memory.dmp

Filesize
8KB

Download
memory/1156-55-0x0000000073FB0000-0x000000007455B000-memory.dmp

Filesize
5.7MB

Download
memory/1284-64-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads