njrat | dbc7c72ec05fae8f586a80826e6929cb26ec2fab3623620bb3edaea0139385a3

General

Target

5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe
Size

396KB
MD5

5b0e04c4f91d5aaac3ee3ce0eb2a1c6f
SHA1

dd539b2dae5964501c364bf932ce8e9f9dc500af
SHA256

dbc7c72ec05fae8f586a80826e6929cb26ec2fab3623620bb3edaea0139385a3
SHA512

1ee3527a2ad3c7b6f393097ad60742ba3dfb14758feaf01188662a091c91f914390761fdb5751e1cbdb201d21cc1a086d09a7326d140a58d196266c458a2ea18

Score

10^/10

njrat hacked persistence suricata trojan

Malware Config

Extracted

Family

njrat

Version

v2.0

Botnet

HacKed

C2

104.243.35.208:4004

Mutex

Windows

Attributes

reg_key
Windows
splitter
|-F-|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata
Executes dropped EXE 2 IoCs

Processes:

Payload.exePayload.exe

pid process

1560 Payload.exe
1372 Payload.exe

pid	process
1560	Payload.exe
1372	Payload.exe

Drops startup file 2 IoCs

Processes:

5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exePayload.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	Payload.exe

Loads dropped DLL 1 IoCs

Processes:

5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe

pid process

956 5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe

pid	process
956	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Payload.exe"	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exePayload.exe

description	pid	process	target process
PID 868 set thread context of 956	868	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe
PID 1560 set thread context of 1372	1560	Payload.exe	Payload.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Payload.exe

description pid process

Token: SeDebugPrivilege 1372 Payload.exe
Token: 33 1372 Payload.exe
Token: SeIncBasePriorityPrivilege 1372 Payload.exe

description	pid	process
Token: SeDebugPrivilege	1372	Payload.exe
Token: 33	1372	Payload.exe
Token: SeIncBasePriorityPrivilege	1372	Payload.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exePayload.exe

description	pid	process	target process
PID 868 wrote to memory of 956	868	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe
PID 868 wrote to memory of 956	868	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe
PID 868 wrote to memory of 956	868	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe
PID 868 wrote to memory of 956	868	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe
PID 868 wrote to memory of 956	868	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe
PID 868 wrote to memory of 956	868	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe
PID 868 wrote to memory of 956	868	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe
PID 868 wrote to memory of 956	868	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe
PID 868 wrote to memory of 956	868	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe
PID 956 wrote to memory of 1560	956	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe	Payload.exe
PID 956 wrote to memory of 1560	956	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe	Payload.exe
PID 956 wrote to memory of 1560	956	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe	Payload.exe
PID 956 wrote to memory of 1560	956	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe	Payload.exe
PID 956 wrote to memory of 1708	956	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe	attrib.exe
PID 956 wrote to memory of 1708	956	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe	attrib.exe
PID 956 wrote to memory of 1708	956	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe	attrib.exe
PID 956 wrote to memory of 1708	956	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe	attrib.exe
PID 1560 wrote to memory of 1372	1560	Payload.exe	Payload.exe
PID 1560 wrote to memory of 1372	1560	Payload.exe	Payload.exe
PID 1560 wrote to memory of 1372	1560	Payload.exe	Payload.exe
PID 1560 wrote to memory of 1372	1560	Payload.exe	Payload.exe
PID 1560 wrote to memory of 1372	1560	Payload.exe	Payload.exe
PID 1560 wrote to memory of 1372	1560	Payload.exe	Payload.exe
PID 1560 wrote to memory of 1372	1560	Payload.exe	Payload.exe
PID 1560 wrote to memory of 1372	1560	Payload.exe	Payload.exe
PID 1560 wrote to memory of 1372	1560	Payload.exe	Payload.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

1708 attrib.exe

pid	process
1708	attrib.exe

C:\Users\Admin\AppData\Local\Temp\5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe
"C:\Users\Admin\AppData\Local\Temp\5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:868

C:\Users\Admin\AppData\Local\Temp\5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe
"C:\Users\Admin\AppData\Local\Temp\5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe"
2⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:956

C:\Users\Admin\AppData\Roaming\Payload.exe
"C:\Users\Admin\AppData\Roaming\Payload.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1560

C:\Users\Admin\AppData\Roaming\Payload.exe
"C:\Users\Admin\AppData\Roaming\Payload.exe"
4⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
PID:1372

C:\Windows\SysWOW64\attrib.exe
attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Payload.exe"
3⤵
- Views/modifies file attributes
PID:1708

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Hidden Files and Directories

1

T1158

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Hidden Files and Directories

1

T1158

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk
Filesize
1KB

MD5
55d448ccd249a3192ba1c5b8639a60d4

SHA1
7161b3bf3e8dd3fa8eee9d20ecaef52765527574

SHA256
21a49777f17cb7ccc9b66dee08de46822d122f5b6e9fe1c37484b3b0b2959357

SHA512
712d0cc57bb5ae3af3b7b85a94beb6c5e89c39df293b9b7a6c5b3123f834724806a31b5c4ab3c70ad0bb276247aaead491af3fcf5b51fa6e795fa3587ea57b33

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk
Filesize
1018B

MD5
398c1a0398faf422bcb039f638ab4758

SHA1
18e57f6c4644b8089cdac84cae7d88c18c572a11

SHA256
c9979bf6a52fdd7bb18c680f730037bdbe59ab2db0a9d2f588e2aecf748854f4

SHA512
98c9438c75f6e48a22beafb595241e65930a9555cebf50be79389a77c197e303e9a6c1ed6b48b579555fc9826c6b689a0b340bf967e333af7976650e9ff5e4af

Download Submit
C:\Users\Admin\AppData\Roaming\Payload.exe
Filesize
396KB

MD5
5b0e04c4f91d5aaac3ee3ce0eb2a1c6f

SHA1
dd539b2dae5964501c364bf932ce8e9f9dc500af

SHA256
dbc7c72ec05fae8f586a80826e6929cb26ec2fab3623620bb3edaea0139385a3

SHA512
1ee3527a2ad3c7b6f393097ad60742ba3dfb14758feaf01188662a091c91f914390761fdb5751e1cbdb201d21cc1a086d09a7326d140a58d196266c458a2ea18

Download Submit
C:\Users\Admin\AppData\Roaming\Payload.exe
Filesize
396KB

MD5
5b0e04c4f91d5aaac3ee3ce0eb2a1c6f

SHA1
dd539b2dae5964501c364bf932ce8e9f9dc500af

SHA256
dbc7c72ec05fae8f586a80826e6929cb26ec2fab3623620bb3edaea0139385a3

SHA512
1ee3527a2ad3c7b6f393097ad60742ba3dfb14758feaf01188662a091c91f914390761fdb5751e1cbdb201d21cc1a086d09a7326d140a58d196266c458a2ea18

Download Submit
C:\Users\Admin\AppData\Roaming\Payload.exe
Filesize
396KB

MD5
5b0e04c4f91d5aaac3ee3ce0eb2a1c6f

SHA1
dd539b2dae5964501c364bf932ce8e9f9dc500af

SHA256
dbc7c72ec05fae8f586a80826e6929cb26ec2fab3623620bb3edaea0139385a3

SHA512
1ee3527a2ad3c7b6f393097ad60742ba3dfb14758feaf01188662a091c91f914390761fdb5751e1cbdb201d21cc1a086d09a7326d140a58d196266c458a2ea18

Download Submit
\Users\Admin\AppData\Roaming\Payload.exe
Filesize
396KB

MD5
5b0e04c4f91d5aaac3ee3ce0eb2a1c6f

SHA1
dd539b2dae5964501c364bf932ce8e9f9dc500af

SHA256
dbc7c72ec05fae8f586a80826e6929cb26ec2fab3623620bb3edaea0139385a3

SHA512
1ee3527a2ad3c7b6f393097ad60742ba3dfb14758feaf01188662a091c91f914390761fdb5751e1cbdb201d21cc1a086d09a7326d140a58d196266c458a2ea18

Download Submit
memory/868-54-0x0000000000D90000-0x0000000000DF8000-memory.dmp

Filesize
416KB

Download
memory/868-55-0x0000000075D21000-0x0000000075D23000-memory.dmp

Filesize
8KB

Download
memory/868-56-0x0000000000260000-0x000000000026E000-memory.dmp

Filesize
56KB

Download
memory/868-57-0x0000000000A90000-0x0000000000AE2000-memory.dmp

Filesize
328KB

Download
memory/868-58-0x00000000005F0000-0x00000000005F6000-memory.dmp

Filesize
24KB

Download
memory/868-59-0x0000000000600000-0x000000000060E000-memory.dmp

Filesize
56KB

Download
memory/956-68-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/956-70-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/956-66-0x000000000040837E-mapping.dmp

Download
memory/956-65-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/956-64-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/956-63-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/956-61-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/956-60-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1372-85-0x000000000040837E-mapping.dmp

Download
memory/1560-73-0x0000000000000000-mapping.dmp

Download
memory/1560-77-0x0000000000D70000-0x0000000000DD8000-memory.dmp

Filesize
416KB

Download
memory/1708-76-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads