njrat | dbc7c72ec05fae8f586a80826e6929cb26ec2fab3623620bb3edaea0139385a3

General

Target

5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe
Size

396KB
MD5

5b0e04c4f91d5aaac3ee3ce0eb2a1c6f
SHA1

dd539b2dae5964501c364bf932ce8e9f9dc500af
SHA256

dbc7c72ec05fae8f586a80826e6929cb26ec2fab3623620bb3edaea0139385a3
SHA512

1ee3527a2ad3c7b6f393097ad60742ba3dfb14758feaf01188662a091c91f914390761fdb5751e1cbdb201d21cc1a086d09a7326d140a58d196266c458a2ea18

Score

10^/10

njrat hacked persistence suricata trojan

Malware Config

Extracted

Family

njrat

Version

v2.0

Botnet

HacKed

C2

104.243.35.208:4004

Mutex

Windows

Attributes

reg_key
Windows
splitter
|-F-|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata
Executes dropped EXE 2 IoCs

Processes:

Payload.exePayload.exe

pid process

4564 Payload.exe
4372 Payload.exe

pid	process
4564	Payload.exe
4372	Payload.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe

Drops startup file 2 IoCs

Processes:

5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exePayload.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	Payload.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Payload.exe"	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exePayload.exe

description	pid	process	target process
PID 3860 set thread context of 5108	3860	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe
PID 4564 set thread context of 4372	4564	Payload.exe	Payload.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

Payload.exe

description	pid	process
Token: SeDebugPrivilege	4372	Payload.exe
Token: 33	4372	Payload.exe
Token: SeIncBasePriorityPrivilege	4372	Payload.exe
Token: 33	4372	Payload.exe
Token: SeIncBasePriorityPrivilege	4372	Payload.exe
Token: 33	4372	Payload.exe
Token: SeIncBasePriorityPrivilege	4372	Payload.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exePayload.exe

description	pid	process	target process
PID 3860 wrote to memory of 5108	3860	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe
PID 3860 wrote to memory of 5108	3860	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe
PID 3860 wrote to memory of 5108	3860	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe
PID 3860 wrote to memory of 5108	3860	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe
PID 3860 wrote to memory of 5108	3860	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe
PID 3860 wrote to memory of 5108	3860	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe
PID 3860 wrote to memory of 5108	3860	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe
PID 3860 wrote to memory of 5108	3860	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe
PID 5108 wrote to memory of 4564	5108	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe	Payload.exe
PID 5108 wrote to memory of 4564	5108	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe	Payload.exe
PID 5108 wrote to memory of 4564	5108	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe	Payload.exe
PID 5108 wrote to memory of 4688	5108	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe	attrib.exe
PID 5108 wrote to memory of 4688	5108	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe	attrib.exe
PID 5108 wrote to memory of 4688	5108	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe	attrib.exe
PID 4564 wrote to memory of 4372	4564	Payload.exe	Payload.exe
PID 4564 wrote to memory of 4372	4564	Payload.exe	Payload.exe
PID 4564 wrote to memory of 4372	4564	Payload.exe	Payload.exe
PID 4564 wrote to memory of 4372	4564	Payload.exe	Payload.exe
PID 4564 wrote to memory of 4372	4564	Payload.exe	Payload.exe
PID 4564 wrote to memory of 4372	4564	Payload.exe	Payload.exe
PID 4564 wrote to memory of 4372	4564	Payload.exe	Payload.exe
PID 4564 wrote to memory of 4372	4564	Payload.exe	Payload.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

4688 attrib.exe

pid	process
4688	attrib.exe

C:\Users\Admin\AppData\Local\Temp\5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe
"C:\Users\Admin\AppData\Local\Temp\5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3860

C:\Users\Admin\AppData\Local\Temp\5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe
"C:\Users\Admin\AppData\Local\Temp\5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe"
2⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5108

C:\Users\Admin\AppData\Roaming\Payload.exe
"C:\Users\Admin\AppData\Roaming\Payload.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4564

C:\Users\Admin\AppData\Roaming\Payload.exe
"C:\Users\Admin\AppData\Roaming\Payload.exe"
4⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
PID:4372

C:\Windows\SysWOW64\attrib.exe
attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Payload.exe"
3⤵
- Views/modifies file attributes
PID:4688

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Hidden Files and Directories

1

T1158

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Hidden Files and Directories

1

T1158

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe.log
Filesize
1KB

MD5
e08f822522c617a40840c62e4b0fb45e

SHA1
ae516dca4da5234be6676d3f234c19ec55725be7

SHA256
bd9d5e9f7fe6fcff17d873555d4077d15f7d6cdda1183e7f7d278b735ffe1fd7

SHA512
894a7fb7bbc18ac6ba13378f58a7db80ad00d6080be9a66b01cae8e23e41d9d2d4cd53c1e20669356b73590c8a3ebfda4bdda3258f81240db56c4a81b7313fe4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Payload.exe.log
Filesize
1KB

MD5
e08f822522c617a40840c62e4b0fb45e

SHA1
ae516dca4da5234be6676d3f234c19ec55725be7

SHA256
bd9d5e9f7fe6fcff17d873555d4077d15f7d6cdda1183e7f7d278b735ffe1fd7

SHA512
894a7fb7bbc18ac6ba13378f58a7db80ad00d6080be9a66b01cae8e23e41d9d2d4cd53c1e20669356b73590c8a3ebfda4bdda3258f81240db56c4a81b7313fe4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk
Filesize
1KB

MD5
6e40fd9c5dcab36e3992e4b93d33eb41

SHA1
1f881c6d2bce7abd64792f33eb794d4cbb45db51

SHA256
362357840c393e579fc3dfee8e7320dbc021b91a8569a154ed8215f766e770e8

SHA512
ad07924bbed90081cc6cfd8e6cd1f9facbbc43a6103e61782a031fc8e6184041d55c27d30b87719710e05f947a6dccd6b359183c28a9d85b5151a15c80a6754e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk
Filesize
1KB

MD5
fff48f321a30adc783ab67544d8112b0

SHA1
7beda576a0bad9c1305bbd1f56f135f1cf66231d

SHA256
c603cde38152408c51911b322c482410392a4e79fd3cafb93d9f00867e3054cf

SHA512
3d9e383c1ff193cd89fc8af55dc2e7df05d6b6948b238296995da4cefa6265d283070cd3721825baab16239e90b8422f9522569910c321d7ca64aec137c0e557

Download Submit
C:\Users\Admin\AppData\Roaming\Payload.exe
Filesize
396KB

MD5
5b0e04c4f91d5aaac3ee3ce0eb2a1c6f

SHA1
dd539b2dae5964501c364bf932ce8e9f9dc500af

SHA256
dbc7c72ec05fae8f586a80826e6929cb26ec2fab3623620bb3edaea0139385a3

SHA512
1ee3527a2ad3c7b6f393097ad60742ba3dfb14758feaf01188662a091c91f914390761fdb5751e1cbdb201d21cc1a086d09a7326d140a58d196266c458a2ea18

Download Submit
C:\Users\Admin\AppData\Roaming\Payload.exe
Filesize
396KB

MD5
5b0e04c4f91d5aaac3ee3ce0eb2a1c6f

SHA1
dd539b2dae5964501c364bf932ce8e9f9dc500af

SHA256
dbc7c72ec05fae8f586a80826e6929cb26ec2fab3623620bb3edaea0139385a3

SHA512
1ee3527a2ad3c7b6f393097ad60742ba3dfb14758feaf01188662a091c91f914390761fdb5751e1cbdb201d21cc1a086d09a7326d140a58d196266c458a2ea18

Download Submit
C:\Users\Admin\AppData\Roaming\Payload.exe
Filesize
396KB

MD5
5b0e04c4f91d5aaac3ee3ce0eb2a1c6f

SHA1
dd539b2dae5964501c364bf932ce8e9f9dc500af

SHA256
dbc7c72ec05fae8f586a80826e6929cb26ec2fab3623620bb3edaea0139385a3

SHA512
1ee3527a2ad3c7b6f393097ad60742ba3dfb14758feaf01188662a091c91f914390761fdb5751e1cbdb201d21cc1a086d09a7326d140a58d196266c458a2ea18

Download Submit
memory/3860-135-0x0000000008690000-0x00000000086F6000-memory.dmp

Filesize
408KB

Download
memory/3860-134-0x0000000008580000-0x000000000861C000-memory.dmp

Filesize
624KB

Download
memory/3860-130-0x0000000000350000-0x00000000003B8000-memory.dmp

Filesize
416KB

Download
memory/3860-133-0x0000000004D70000-0x0000000004D7A000-memory.dmp

Filesize
40KB

Download
memory/3860-132-0x0000000004D90000-0x0000000004E22000-memory.dmp

Filesize
584KB

Download
memory/3860-131-0x0000000005260000-0x0000000005804000-memory.dmp

Filesize
5.6MB

Download
memory/4372-143-0x0000000000000000-mapping.dmp

Download
memory/4564-139-0x0000000000000000-mapping.dmp

Download
memory/4688-142-0x0000000000000000-mapping.dmp

Download
memory/5108-136-0x0000000000000000-mapping.dmp

Download
memory/5108-137-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads