njrat | b3b6165383cd36c4384b63335c8405dbee8dd322815654ca40a9e446739a3d78

General

Target

b3b6165383cd36c4384b63335c8405dbee8dd322815654ca40a9e446739a3d78.exe
Size

43KB
MD5

3e89b7f7efb7198e47a7d9fc3a6dc566
SHA1

6e231218efac0fecceb9537a3377baf867bfe7c6
SHA256

b3b6165383cd36c4384b63335c8405dbee8dd322815654ca40a9e446739a3d78
SHA512

156c104b8cd3eb3a0c2045aa8be784aa227a7430e8523cd14897e0b3f4eb7bc4aa61c0daed7abda66219db078818ccdb35421ab83cbc4aee5e23cf84286bb93f

Score

10^/10

njrat hacked trojan

Malware Config

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

HacKed

C2

192.168.1.4:7777

Mutex

Windows Update

Attributes

reg_key
Windows Update
splitter
|Hassan|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 3 IoCs

Processes:

BoostTrater.exeServer.exeServer.exe

pid process

1648 BoostTrater.exe
912 Server.exe
1752 Server.exe
Loads dropped DLL 1 IoCs

Processes:

b3b6165383cd36c4384b63335c8405dbee8dd322815654ca40a9e446739a3d78.exe

pid process

1304 b3b6165383cd36c4384b63335c8405dbee8dd322815654ca40a9e446739a3d78.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1332 schtasks.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

BoostTrater.exe

pid process

1648 BoostTrater.exe

pid	process
1648	BoostTrater.exe
912	Server.exe
1752	Server.exe

pid	process
1304	b3b6165383cd36c4384b63335c8405dbee8dd322815654ca40a9e446739a3d78.exe

pid	process
1332	schtasks.exe

pid	process
1648	BoostTrater.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

BoostTrater.exe

description	pid	process
Token: SeDebugPrivilege	1648	BoostTrater.exe
Token: 33	1648	BoostTrater.exe
Token: SeIncBasePriorityPrivilege	1648	BoostTrater.exe
Token: 33	1648	BoostTrater.exe
Token: SeIncBasePriorityPrivilege	1648	BoostTrater.exe
Token: 33	1648	BoostTrater.exe
Token: SeIncBasePriorityPrivilege	1648	BoostTrater.exe
Token: 33	1648	BoostTrater.exe
Token: SeIncBasePriorityPrivilege	1648	BoostTrater.exe
Token: 33	1648	BoostTrater.exe
Token: SeIncBasePriorityPrivilege	1648	BoostTrater.exe
Token: 33	1648	BoostTrater.exe
Token: SeIncBasePriorityPrivilege	1648	BoostTrater.exe
Token: 33	1648	BoostTrater.exe
Token: SeIncBasePriorityPrivilege	1648	BoostTrater.exe
Token: 33	1648	BoostTrater.exe
Token: SeIncBasePriorityPrivilege	1648	BoostTrater.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

b3b6165383cd36c4384b63335c8405dbee8dd322815654ca40a9e446739a3d78.exeBoostTrater.exetaskeng.exe

description	pid	process	target process
PID 1304 wrote to memory of 1648	1304	b3b6165383cd36c4384b63335c8405dbee8dd322815654ca40a9e446739a3d78.exe	BoostTrater.exe
PID 1304 wrote to memory of 1648	1304	b3b6165383cd36c4384b63335c8405dbee8dd322815654ca40a9e446739a3d78.exe	BoostTrater.exe
PID 1304 wrote to memory of 1648	1304	b3b6165383cd36c4384b63335c8405dbee8dd322815654ca40a9e446739a3d78.exe	BoostTrater.exe
PID 1304 wrote to memory of 1648	1304	b3b6165383cd36c4384b63335c8405dbee8dd322815654ca40a9e446739a3d78.exe	BoostTrater.exe
PID 1648 wrote to memory of 1332	1648	BoostTrater.exe	schtasks.exe
PID 1648 wrote to memory of 1332	1648	BoostTrater.exe	schtasks.exe
PID 1648 wrote to memory of 1332	1648	BoostTrater.exe	schtasks.exe
PID 1648 wrote to memory of 1332	1648	BoostTrater.exe	schtasks.exe
PID 1184 wrote to memory of 912	1184	taskeng.exe	Server.exe
PID 1184 wrote to memory of 912	1184	taskeng.exe	Server.exe
PID 1184 wrote to memory of 912	1184	taskeng.exe	Server.exe
PID 1184 wrote to memory of 912	1184	taskeng.exe	Server.exe
PID 1184 wrote to memory of 1752	1184	taskeng.exe	Server.exe
PID 1184 wrote to memory of 1752	1184	taskeng.exe	Server.exe
PID 1184 wrote to memory of 1752	1184	taskeng.exe	Server.exe
PID 1184 wrote to memory of 1752	1184	taskeng.exe	Server.exe

C:\Users\Admin\AppData\Local\Temp\b3b6165383cd36c4384b63335c8405dbee8dd322815654ca40a9e446739a3d78.exe
"C:\Users\Admin\AppData\Local\Temp\b3b6165383cd36c4384b63335c8405dbee8dd322815654ca40a9e446739a3d78.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1304

C:\Users\Admin\AppData\Local\Temp\BoostTrater.exe
"C:\Users\Admin\AppData\Local\Temp\BoostTrater.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1648

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn Server /tr C:\Users\Admin\AppData\Local\Temp/Server.exe
3⤵
- Creates scheduled task(s)
PID:1332

C:\Windows\system32\taskeng.exe
taskeng.exe {048C0900-A1D7-424F-A396-87BFE90CD8F2} S-1-5-21-1083475884-596052423-1669053738-1000:WYZSGDWS\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1184

C:\Users\Admin\AppData\Local\Temp\Server.exe
C:\Users\Admin\AppData\Local\Temp/Server.exe
2⤵
- Executes dropped EXE
PID:912

C:\Users\Admin\AppData\Local\Temp\Server.exe
C:\Users\Admin\AppData\Local\Temp/Server.exe
2⤵
- Executes dropped EXE
PID:1752

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BoostTrater.exe
Filesize
43KB

MD5
3e89b7f7efb7198e47a7d9fc3a6dc566

SHA1
6e231218efac0fecceb9537a3377baf867bfe7c6

SHA256
b3b6165383cd36c4384b63335c8405dbee8dd322815654ca40a9e446739a3d78

SHA512
156c104b8cd3eb3a0c2045aa8be784aa227a7430e8523cd14897e0b3f4eb7bc4aa61c0daed7abda66219db078818ccdb35421ab83cbc4aee5e23cf84286bb93f

Download Submit
C:\Users\Admin\AppData\Local\Temp\BoostTrater.exe
Filesize
43KB

MD5
3e89b7f7efb7198e47a7d9fc3a6dc566

SHA1
6e231218efac0fecceb9537a3377baf867bfe7c6

SHA256
b3b6165383cd36c4384b63335c8405dbee8dd322815654ca40a9e446739a3d78

SHA512
156c104b8cd3eb3a0c2045aa8be784aa227a7430e8523cd14897e0b3f4eb7bc4aa61c0daed7abda66219db078818ccdb35421ab83cbc4aee5e23cf84286bb93f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe
Filesize
43KB

MD5
3e89b7f7efb7198e47a7d9fc3a6dc566

SHA1
6e231218efac0fecceb9537a3377baf867bfe7c6

SHA256
b3b6165383cd36c4384b63335c8405dbee8dd322815654ca40a9e446739a3d78

SHA512
156c104b8cd3eb3a0c2045aa8be784aa227a7430e8523cd14897e0b3f4eb7bc4aa61c0daed7abda66219db078818ccdb35421ab83cbc4aee5e23cf84286bb93f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe
Filesize
43KB

MD5
3e89b7f7efb7198e47a7d9fc3a6dc566

SHA1
6e231218efac0fecceb9537a3377baf867bfe7c6

SHA256
b3b6165383cd36c4384b63335c8405dbee8dd322815654ca40a9e446739a3d78

SHA512
156c104b8cd3eb3a0c2045aa8be784aa227a7430e8523cd14897e0b3f4eb7bc4aa61c0daed7abda66219db078818ccdb35421ab83cbc4aee5e23cf84286bb93f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe
Filesize
43KB

MD5
3e89b7f7efb7198e47a7d9fc3a6dc566

SHA1
6e231218efac0fecceb9537a3377baf867bfe7c6

SHA256
b3b6165383cd36c4384b63335c8405dbee8dd322815654ca40a9e446739a3d78

SHA512
156c104b8cd3eb3a0c2045aa8be784aa227a7430e8523cd14897e0b3f4eb7bc4aa61c0daed7abda66219db078818ccdb35421ab83cbc4aee5e23cf84286bb93f

Download Submit
\Users\Admin\AppData\Local\Temp\BoostTrater.exe
Filesize
43KB

MD5
3e89b7f7efb7198e47a7d9fc3a6dc566

SHA1
6e231218efac0fecceb9537a3377baf867bfe7c6

SHA256
b3b6165383cd36c4384b63335c8405dbee8dd322815654ca40a9e446739a3d78

SHA512
156c104b8cd3eb3a0c2045aa8be784aa227a7430e8523cd14897e0b3f4eb7bc4aa61c0daed7abda66219db078818ccdb35421ab83cbc4aee5e23cf84286bb93f

Download Submit
memory/912-66-0x0000000000DA0000-0x0000000000DB2000-memory.dmp

Filesize
72KB

Download
memory/912-64-0x0000000000000000-mapping.dmp

Download
memory/1304-55-0x0000000076531000-0x0000000076533000-memory.dmp

Filesize
8KB

Download
memory/1304-54-0x00000000011A0000-0x00000000011B2000-memory.dmp

Filesize
72KB

Download
memory/1332-61-0x0000000000000000-mapping.dmp

Download
memory/1648-57-0x0000000000000000-mapping.dmp

Download
memory/1648-60-0x0000000001310000-0x0000000001322000-memory.dmp

Filesize
72KB

Download
memory/1752-67-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads