njrat | 8a8c9e7b5e9ed6e2c7d66dc768a8702073263730facc85095919727220e2a436

General

Target

8A8C9E7B5E9ED6E2C7D66DC768A8702073263730FACC8.exe
Size

43KB
MD5

3b55809e2326045149325b153cbeef00
SHA1

0df1e0201205eba38ace968587ee43421e902857
SHA256

8a8c9e7b5e9ed6e2c7d66dc768a8702073263730facc85095919727220e2a436
SHA512

38cf449b20dccec6c78d0cbeb3f5a8868b7e5cb9f0a7175473c4cf137187a937c74df7852d7aebb8dde51151bae07036023af1bfc3b4f45487d96719f015b26e

Score

10^/10

njrat topher persistence suricata trojan

Malware Config

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

topher

C2

eses46.noip.me:1605

Mutex

Windows Update

Attributes

reg_key
Windows Update
splitter
|Hassan|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata
Executes dropped EXE 1 IoCs

Processes:

Dllhost.exe

pid process

3656 Dllhost.exe

pid	process
3656	Dllhost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

8A8C9E7B5E9ED6E2C7D66DC768A8702073263730FACC8.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	8A8C9E7B5E9ED6E2C7D66DC768A8702073263730FACC8.exe

Drops startup file 2 IoCs

Processes:

Dllhost.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe	Dllhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe	Dllhost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Dllhost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Dllhost.exe\" .."	Dllhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Dllhost.exe\" .."	Dllhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

8A8C9E7B5E9ED6E2C7D66DC768A8702073263730FACC8.exeDllhost.exe

pid process

4068 8A8C9E7B5E9ED6E2C7D66DC768A8702073263730FACC8.exe
3656 Dllhost.exe

pid	process
4068	8A8C9E7B5E9ED6E2C7D66DC768A8702073263730FACC8.exe
3656	Dllhost.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

Dllhost.exe

description	pid	process
Token: SeDebugPrivilege	3656	Dllhost.exe
Token: 33	3656	Dllhost.exe
Token: SeIncBasePriorityPrivilege	3656	Dllhost.exe
Token: 33	3656	Dllhost.exe
Token: SeIncBasePriorityPrivilege	3656	Dllhost.exe
Token: 33	3656	Dllhost.exe
Token: SeIncBasePriorityPrivilege	3656	Dllhost.exe
Token: 33	3656	Dllhost.exe
Token: SeIncBasePriorityPrivilege	3656	Dllhost.exe
Token: 33	3656	Dllhost.exe
Token: SeIncBasePriorityPrivilege	3656	Dllhost.exe
Token: 33	3656	Dllhost.exe
Token: SeIncBasePriorityPrivilege	3656	Dllhost.exe
Token: 33	3656	Dllhost.exe
Token: SeIncBasePriorityPrivilege	3656	Dllhost.exe
Token: 33	3656	Dllhost.exe
Token: SeIncBasePriorityPrivilege	3656	Dllhost.exe
Token: 33	3656	Dllhost.exe
Token: SeIncBasePriorityPrivilege	3656	Dllhost.exe
Token: 33	3656	Dllhost.exe
Token: SeIncBasePriorityPrivilege	3656	Dllhost.exe
Token: 33	3656	Dllhost.exe
Token: SeIncBasePriorityPrivilege	3656	Dllhost.exe
Token: 33	3656	Dllhost.exe
Token: SeIncBasePriorityPrivilege	3656	Dllhost.exe
Token: 33	3656	Dllhost.exe
Token: SeIncBasePriorityPrivilege	3656	Dllhost.exe
Token: 33	3656	Dllhost.exe
Token: SeIncBasePriorityPrivilege	3656	Dllhost.exe
Token: 33	3656	Dllhost.exe
Token: SeIncBasePriorityPrivilege	3656	Dllhost.exe
Token: 33	3656	Dllhost.exe
Token: SeIncBasePriorityPrivilege	3656	Dllhost.exe
Token: 33	3656	Dllhost.exe
Token: SeIncBasePriorityPrivilege	3656	Dllhost.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

8A8C9E7B5E9ED6E2C7D66DC768A8702073263730FACC8.exe

description	pid	process	target process
PID 4068 wrote to memory of 3656	4068	8A8C9E7B5E9ED6E2C7D66DC768A8702073263730FACC8.exe	Dllhost.exe
PID 4068 wrote to memory of 3656	4068	8A8C9E7B5E9ED6E2C7D66DC768A8702073263730FACC8.exe	Dllhost.exe
PID 4068 wrote to memory of 3656	4068	8A8C9E7B5E9ED6E2C7D66DC768A8702073263730FACC8.exe	Dllhost.exe

C:\Users\Admin\AppData\Local\Temp\8A8C9E7B5E9ED6E2C7D66DC768A8702073263730FACC8.exe
"C:\Users\Admin\AppData\Local\Temp\8A8C9E7B5E9ED6E2C7D66DC768A8702073263730FACC8.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:4068

C:\Users\Admin\AppData\Local\Temp\Dllhost.exe
"C:\Users\Admin\AppData\Local\Temp\Dllhost.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3656

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Dllhost.exe
Filesize
43KB

MD5
3b55809e2326045149325b153cbeef00

SHA1
0df1e0201205eba38ace968587ee43421e902857

SHA256
8a8c9e7b5e9ed6e2c7d66dc768a8702073263730facc85095919727220e2a436

SHA512
38cf449b20dccec6c78d0cbeb3f5a8868b7e5cb9f0a7175473c4cf137187a937c74df7852d7aebb8dde51151bae07036023af1bfc3b4f45487d96719f015b26e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dllhost.exe
Filesize
43KB

MD5
3b55809e2326045149325b153cbeef00

SHA1
0df1e0201205eba38ace968587ee43421e902857

SHA256
8a8c9e7b5e9ed6e2c7d66dc768a8702073263730facc85095919727220e2a436

SHA512
38cf449b20dccec6c78d0cbeb3f5a8868b7e5cb9f0a7175473c4cf137187a937c74df7852d7aebb8dde51151bae07036023af1bfc3b4f45487d96719f015b26e

Download Submit
memory/3656-131-0x0000000000000000-mapping.dmp

Download
memory/3656-134-0x0000000075000000-0x00000000755B1000-memory.dmp

Filesize
5.7MB

Download
memory/4068-130-0x0000000075000000-0x00000000755B1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads