njrat | 0159c78686a3a0c7b02877262c853c3f0f1692d5eecad2749ab08e3c4e734f68

General

Target

0159c78686a3a0c7b02877262c853c3f0f1692d5eecad2749ab08e3c4e734f68.exe
Size

43KB
MD5

c54e7c59801c9511c895bdaf7785606f
SHA1

cab96e75aae14048b13a6329013d719bc0b8a7dc
SHA256

0159c78686a3a0c7b02877262c853c3f0f1692d5eecad2749ab08e3c4e734f68
SHA512

196ffad44fdb6330867d6731c36dc2aa326cb056099744ad0e2b496a6c2c6050a19acdb4838616daa3cd2a0702c66a505c09dd56456120a209a050c6d6ca9f33

Score

10^/10

njrat hacked trojan

Malware Config

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

HacKed

C2

109.252.122.56:1601

Mutex

Windows Update

Attributes

reg_key
Windows Update
splitter
|Hassan|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 2 IoCs

Processes:

Server.exeServer.exe

pid process

580 Server.exe
1492 Server.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1440 schtasks.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

0159c78686a3a0c7b02877262c853c3f0f1692d5eecad2749ab08e3c4e734f68.exe

pid process

2024 0159c78686a3a0c7b02877262c853c3f0f1692d5eecad2749ab08e3c4e734f68.exe

pid	process
580	Server.exe
1492	Server.exe

pid	process
1440	schtasks.exe

pid	process
2024	0159c78686a3a0c7b02877262c853c3f0f1692d5eecad2749ab08e3c4e734f68.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

Processes:

0159c78686a3a0c7b02877262c853c3f0f1692d5eecad2749ab08e3c4e734f68.exe

description	pid	process
Token: SeDebugPrivilege	2024	0159c78686a3a0c7b02877262c853c3f0f1692d5eecad2749ab08e3c4e734f68.exe
Token: 33	2024	0159c78686a3a0c7b02877262c853c3f0f1692d5eecad2749ab08e3c4e734f68.exe
Token: SeIncBasePriorityPrivilege	2024	0159c78686a3a0c7b02877262c853c3f0f1692d5eecad2749ab08e3c4e734f68.exe
Token: 33	2024	0159c78686a3a0c7b02877262c853c3f0f1692d5eecad2749ab08e3c4e734f68.exe
Token: SeIncBasePriorityPrivilege	2024	0159c78686a3a0c7b02877262c853c3f0f1692d5eecad2749ab08e3c4e734f68.exe
Token: 33	2024	0159c78686a3a0c7b02877262c853c3f0f1692d5eecad2749ab08e3c4e734f68.exe
Token: SeIncBasePriorityPrivilege	2024	0159c78686a3a0c7b02877262c853c3f0f1692d5eecad2749ab08e3c4e734f68.exe
Token: 33	2024	0159c78686a3a0c7b02877262c853c3f0f1692d5eecad2749ab08e3c4e734f68.exe
Token: SeIncBasePriorityPrivilege	2024	0159c78686a3a0c7b02877262c853c3f0f1692d5eecad2749ab08e3c4e734f68.exe
Token: 33	2024	0159c78686a3a0c7b02877262c853c3f0f1692d5eecad2749ab08e3c4e734f68.exe
Token: SeIncBasePriorityPrivilege	2024	0159c78686a3a0c7b02877262c853c3f0f1692d5eecad2749ab08e3c4e734f68.exe
Token: 33	2024	0159c78686a3a0c7b02877262c853c3f0f1692d5eecad2749ab08e3c4e734f68.exe
Token: SeIncBasePriorityPrivilege	2024	0159c78686a3a0c7b02877262c853c3f0f1692d5eecad2749ab08e3c4e734f68.exe
Token: 33	2024	0159c78686a3a0c7b02877262c853c3f0f1692d5eecad2749ab08e3c4e734f68.exe
Token: SeIncBasePriorityPrivilege	2024	0159c78686a3a0c7b02877262c853c3f0f1692d5eecad2749ab08e3c4e734f68.exe
Token: 33	2024	0159c78686a3a0c7b02877262c853c3f0f1692d5eecad2749ab08e3c4e734f68.exe
Token: SeIncBasePriorityPrivilege	2024	0159c78686a3a0c7b02877262c853c3f0f1692d5eecad2749ab08e3c4e734f68.exe
Token: 33	2024	0159c78686a3a0c7b02877262c853c3f0f1692d5eecad2749ab08e3c4e734f68.exe
Token: SeIncBasePriorityPrivilege	2024	0159c78686a3a0c7b02877262c853c3f0f1692d5eecad2749ab08e3c4e734f68.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

0159c78686a3a0c7b02877262c853c3f0f1692d5eecad2749ab08e3c4e734f68.exetaskeng.exe

description	pid	process	target process
PID 2024 wrote to memory of 1440	2024	0159c78686a3a0c7b02877262c853c3f0f1692d5eecad2749ab08e3c4e734f68.exe	schtasks.exe
PID 2024 wrote to memory of 1440	2024	0159c78686a3a0c7b02877262c853c3f0f1692d5eecad2749ab08e3c4e734f68.exe	schtasks.exe
PID 2024 wrote to memory of 1440	2024	0159c78686a3a0c7b02877262c853c3f0f1692d5eecad2749ab08e3c4e734f68.exe	schtasks.exe
PID 2024 wrote to memory of 1440	2024	0159c78686a3a0c7b02877262c853c3f0f1692d5eecad2749ab08e3c4e734f68.exe	schtasks.exe
PID 1000 wrote to memory of 580	1000	taskeng.exe	Server.exe
PID 1000 wrote to memory of 580	1000	taskeng.exe	Server.exe
PID 1000 wrote to memory of 580	1000	taskeng.exe	Server.exe
PID 1000 wrote to memory of 580	1000	taskeng.exe	Server.exe
PID 1000 wrote to memory of 1492	1000	taskeng.exe	Server.exe
PID 1000 wrote to memory of 1492	1000	taskeng.exe	Server.exe
PID 1000 wrote to memory of 1492	1000	taskeng.exe	Server.exe
PID 1000 wrote to memory of 1492	1000	taskeng.exe	Server.exe

C:\Users\Admin\AppData\Local\Temp\0159c78686a3a0c7b02877262c853c3f0f1692d5eecad2749ab08e3c4e734f68.exe
"C:\Users\Admin\AppData\Local\Temp\0159c78686a3a0c7b02877262c853c3f0f1692d5eecad2749ab08e3c4e734f68.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn Server /tr C:\Users\Admin\AppData\Local\Temp/Server.exe
2⤵
- Creates scheduled task(s)
PID:1440

C:\Windows\system32\taskeng.exe
taskeng.exe {72DE8DF7-F9A7-4E8F-B795-C0B593225DD9} S-1-5-21-1819626980-2277161760-1023733287-1000:TBHNEBSE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1000

C:\Users\Admin\AppData\Local\Temp\Server.exe
C:\Users\Admin\AppData\Local\Temp/Server.exe
2⤵
- Executes dropped EXE
PID:580

C:\Users\Admin\AppData\Local\Temp\Server.exe
C:\Users\Admin\AppData\Local\Temp/Server.exe
2⤵
- Executes dropped EXE
PID:1492

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Server.exe
Filesize
43KB

MD5
c54e7c59801c9511c895bdaf7785606f

SHA1
cab96e75aae14048b13a6329013d719bc0b8a7dc

SHA256
0159c78686a3a0c7b02877262c853c3f0f1692d5eecad2749ab08e3c4e734f68

SHA512
196ffad44fdb6330867d6731c36dc2aa326cb056099744ad0e2b496a6c2c6050a19acdb4838616daa3cd2a0702c66a505c09dd56456120a209a050c6d6ca9f33

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe
Filesize
43KB

MD5
c54e7c59801c9511c895bdaf7785606f

SHA1
cab96e75aae14048b13a6329013d719bc0b8a7dc

SHA256
0159c78686a3a0c7b02877262c853c3f0f1692d5eecad2749ab08e3c4e734f68

SHA512
196ffad44fdb6330867d6731c36dc2aa326cb056099744ad0e2b496a6c2c6050a19acdb4838616daa3cd2a0702c66a505c09dd56456120a209a050c6d6ca9f33

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe
Filesize
43KB

MD5
c54e7c59801c9511c895bdaf7785606f

SHA1
cab96e75aae14048b13a6329013d719bc0b8a7dc

SHA256
0159c78686a3a0c7b02877262c853c3f0f1692d5eecad2749ab08e3c4e734f68

SHA512
196ffad44fdb6330867d6731c36dc2aa326cb056099744ad0e2b496a6c2c6050a19acdb4838616daa3cd2a0702c66a505c09dd56456120a209a050c6d6ca9f33

Download Submit
memory/580-58-0x0000000000000000-mapping.dmp

Download
memory/580-60-0x0000000000E00000-0x0000000000E12000-memory.dmp

Filesize
72KB

Download
memory/1440-55-0x0000000000000000-mapping.dmp

Download
memory/1492-61-0x0000000000000000-mapping.dmp

Download
memory/1492-63-0x0000000000E90000-0x0000000000EA2000-memory.dmp

Filesize
72KB

Download
memory/2024-54-0x00000000013C0000-0x00000000013D2000-memory.dmp

Filesize
72KB

Download
memory/2024-56-0x0000000076011000-0x0000000076013000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads