njrat | dbc7c72ec05fae8f586a80826e6929cb26ec2fab3623620bb3edaea0139385a3

General

Target

5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe
Size

396KB
MD5

5b0e04c4f91d5aaac3ee3ce0eb2a1c6f
SHA1

dd539b2dae5964501c364bf932ce8e9f9dc500af
SHA256

dbc7c72ec05fae8f586a80826e6929cb26ec2fab3623620bb3edaea0139385a3
SHA512

1ee3527a2ad3c7b6f393097ad60742ba3dfb14758feaf01188662a091c91f914390761fdb5751e1cbdb201d21cc1a086d09a7326d140a58d196266c458a2ea18

Score

10^/10

njrat hacked persistence suricata trojan

Malware Config

Extracted

Family

njrat

Version

v2.0

Botnet

HacKed

C2

104.243.35.208:4004

Mutex

Windows

Attributes

reg_key
Windows
splitter
|-F-|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata
Executes dropped EXE 2 IoCs

Processes:

Payload.exePayload.exe

pid process

448 Payload.exe
4796 Payload.exe

pid	process
448	Payload.exe
4796	Payload.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe

Drops startup file 2 IoCs

Processes:

5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exePayload.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	Payload.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Payload.exe"	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exePayload.exe

description	pid	process	target process
PID 4100 set thread context of 3736	4100	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe
PID 448 set thread context of 4796	448	Payload.exe	Payload.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

Payload.exe

description	pid	process
Token: SeDebugPrivilege	4796	Payload.exe
Token: 33	4796	Payload.exe
Token: SeIncBasePriorityPrivilege	4796	Payload.exe
Token: 33	4796	Payload.exe
Token: SeIncBasePriorityPrivilege	4796	Payload.exe
Token: 33	4796	Payload.exe
Token: SeIncBasePriorityPrivilege	4796	Payload.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exePayload.exe

description	pid	process	target process
PID 4100 wrote to memory of 3736	4100	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe
PID 4100 wrote to memory of 3736	4100	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe
PID 4100 wrote to memory of 3736	4100	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe
PID 4100 wrote to memory of 3736	4100	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe
PID 4100 wrote to memory of 3736	4100	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe
PID 4100 wrote to memory of 3736	4100	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe
PID 4100 wrote to memory of 3736	4100	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe
PID 4100 wrote to memory of 3736	4100	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe
PID 3736 wrote to memory of 448	3736	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe	Payload.exe
PID 3736 wrote to memory of 448	3736	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe	Payload.exe
PID 3736 wrote to memory of 448	3736	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe	Payload.exe
PID 3736 wrote to memory of 4128	3736	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe	attrib.exe
PID 3736 wrote to memory of 4128	3736	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe	attrib.exe
PID 3736 wrote to memory of 4128	3736	5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe	attrib.exe
PID 448 wrote to memory of 4796	448	Payload.exe	Payload.exe
PID 448 wrote to memory of 4796	448	Payload.exe	Payload.exe
PID 448 wrote to memory of 4796	448	Payload.exe	Payload.exe
PID 448 wrote to memory of 4796	448	Payload.exe	Payload.exe
PID 448 wrote to memory of 4796	448	Payload.exe	Payload.exe
PID 448 wrote to memory of 4796	448	Payload.exe	Payload.exe
PID 448 wrote to memory of 4796	448	Payload.exe	Payload.exe
PID 448 wrote to memory of 4796	448	Payload.exe	Payload.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

4128 attrib.exe

pid	process
4128	attrib.exe

C:\Users\Admin\AppData\Local\Temp\5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe
"C:\Users\Admin\AppData\Local\Temp\5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4100

C:\Users\Admin\AppData\Local\Temp\5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe
"C:\Users\Admin\AppData\Local\Temp\5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe"
2⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3736

C:\Users\Admin\AppData\Roaming\Payload.exe
"C:\Users\Admin\AppData\Roaming\Payload.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:448

C:\Users\Admin\AppData\Roaming\Payload.exe
"C:\Users\Admin\AppData\Roaming\Payload.exe"
4⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
PID:4796

C:\Windows\SysWOW64\attrib.exe
attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Payload.exe"
3⤵
- Views/modifies file attributes
PID:4128

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Hidden Files and Directories

1

T1158

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Hidden Files and Directories

1

T1158

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\5b0e04c4f91d5aaac3ee3ce0eb2a1c6f.exe.log
Filesize
1KB

MD5
e08f822522c617a40840c62e4b0fb45e

SHA1
ae516dca4da5234be6676d3f234c19ec55725be7

SHA256
bd9d5e9f7fe6fcff17d873555d4077d15f7d6cdda1183e7f7d278b735ffe1fd7

SHA512
894a7fb7bbc18ac6ba13378f58a7db80ad00d6080be9a66b01cae8e23e41d9d2d4cd53c1e20669356b73590c8a3ebfda4bdda3258f81240db56c4a81b7313fe4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Payload.exe.log
Filesize
1KB

MD5
e08f822522c617a40840c62e4b0fb45e

SHA1
ae516dca4da5234be6676d3f234c19ec55725be7

SHA256
bd9d5e9f7fe6fcff17d873555d4077d15f7d6cdda1183e7f7d278b735ffe1fd7

SHA512
894a7fb7bbc18ac6ba13378f58a7db80ad00d6080be9a66b01cae8e23e41d9d2d4cd53c1e20669356b73590c8a3ebfda4bdda3258f81240db56c4a81b7313fe4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk
Filesize
1KB

MD5
410ae6573a57f8905a61a761ba8a4bf7

SHA1
05f7ac4fbb3b28620c2d1e3bdf720dfc0dfc49c9

SHA256
e42e80a74d27dc83abfba9279eec985235c2c38635fb581eff53920868bdb1fc

SHA512
3051abccb8d94dfb95a16a8f935463a8a320a55d854f5482a124e64768d0dfee01e23cb7401a9f15063219a015101263cc738e8b72122f7256b2d1cfb9030438

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk
Filesize
1KB

MD5
88186e2545bd518b1e115b85887ae39f

SHA1
1251bf62f316af94da94c16b37fc7fa03c3c212d

SHA256
b80c05ac61f81322b55b0b4519042a0c5b160a076ead78b43d59d28386314c6d

SHA512
11ab6eef239e777ed25fdd8b919e25faf24049aac23c3fd3cc1bb04de095d4204897eab3cc603144bbf23866a93ec407ee74827abf098ca819ce8f4e57121974

Download Submit
C:\Users\Admin\AppData\Roaming\Payload.exe
Filesize
396KB

MD5
5b0e04c4f91d5aaac3ee3ce0eb2a1c6f

SHA1
dd539b2dae5964501c364bf932ce8e9f9dc500af

SHA256
dbc7c72ec05fae8f586a80826e6929cb26ec2fab3623620bb3edaea0139385a3

SHA512
1ee3527a2ad3c7b6f393097ad60742ba3dfb14758feaf01188662a091c91f914390761fdb5751e1cbdb201d21cc1a086d09a7326d140a58d196266c458a2ea18

Download Submit
C:\Users\Admin\AppData\Roaming\Payload.exe
Filesize
396KB

MD5
5b0e04c4f91d5aaac3ee3ce0eb2a1c6f

SHA1
dd539b2dae5964501c364bf932ce8e9f9dc500af

SHA256
dbc7c72ec05fae8f586a80826e6929cb26ec2fab3623620bb3edaea0139385a3

SHA512
1ee3527a2ad3c7b6f393097ad60742ba3dfb14758feaf01188662a091c91f914390761fdb5751e1cbdb201d21cc1a086d09a7326d140a58d196266c458a2ea18

Download Submit
C:\Users\Admin\AppData\Roaming\Payload.exe
Filesize
396KB

MD5
5b0e04c4f91d5aaac3ee3ce0eb2a1c6f

SHA1
dd539b2dae5964501c364bf932ce8e9f9dc500af

SHA256
dbc7c72ec05fae8f586a80826e6929cb26ec2fab3623620bb3edaea0139385a3

SHA512
1ee3527a2ad3c7b6f393097ad60742ba3dfb14758feaf01188662a091c91f914390761fdb5751e1cbdb201d21cc1a086d09a7326d140a58d196266c458a2ea18

Download Submit
memory/448-139-0x0000000000000000-mapping.dmp

Download
memory/3736-137-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3736-136-0x0000000000000000-mapping.dmp

Download
memory/4100-135-0x0000000008850000-0x00000000088B6000-memory.dmp

Filesize
408KB

Download
memory/4100-130-0x0000000000510000-0x0000000000578000-memory.dmp

Filesize
416KB

Download
memory/4100-134-0x00000000086E0000-0x000000000877C000-memory.dmp

Filesize
624KB

Download
memory/4100-133-0x0000000004F30000-0x0000000004F3A000-memory.dmp

Filesize
40KB

Download
memory/4100-132-0x0000000004F80000-0x0000000005012000-memory.dmp

Filesize
584KB

Download
memory/4100-131-0x0000000005530000-0x0000000005AD4000-memory.dmp

Filesize
5.6MB

Download
memory/4128-142-0x0000000000000000-mapping.dmp

Download
memory/4796-143-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads