njrat | bf65c8e2290aee1cd322f28edf25e804f9626636f0a3263281f172383b97b656

General

Target

bf65c8e2290aee1cd322f28edf25e804f9626636f0a3263281f172383b97b656.exe
Size

93KB
MD5

74561ab8272480ac06696738092ce507
SHA1

5182c427adf49862dcb6d2444df487c9f1bb21da
SHA256

bf65c8e2290aee1cd322f28edf25e804f9626636f0a3263281f172383b97b656
SHA512

07a710a0be9869f2759bf3bcd25a0d981f9503604dd0629cad43114da0942de6fc16da34330e41d7f1c88d43565c70b66c5c4095908392b370abe266b5be7c62

Score

10^/10

njrat hacked evasion suricata trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

FRANSESCOC50Y3Aubmdyb2suaW8Strik:MTM1Nzg=

Mutex

73137daa68006467b187b2f414df684d

Attributes

reg_key
73137daa68006467b187b2f414df684d
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata
Executes dropped EXE 1 IoCs

Processes:

server.exe

pid process

4244 server.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

pid	process
4244	server.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

bf65c8e2290aee1cd322f28edf25e804f9626636f0a3263281f172383b97b656.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	bf65c8e2290aee1cd322f28edf25e804f9626636f0a3263281f172383b97b656.exe

Drops startup file 4 IoCs

Processes:

server.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\73137daa68006467b187b2f414df684dWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\73137daa68006467b187b2f414df684dWindows Update.exe	server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

bf65c8e2290aee1cd322f28edf25e804f9626636f0a3263281f172383b97b656.exeserver.exe

pid process

3160 bf65c8e2290aee1cd322f28edf25e804f9626636f0a3263281f172383b97b656.exe
4244 server.exe

pid	process
3160	bf65c8e2290aee1cd322f28edf25e804f9626636f0a3263281f172383b97b656.exe
4244	server.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

Processes:

server.exe

description	pid	process
Token: SeDebugPrivilege	4244	server.exe
Token: 33	4244	server.exe
Token: SeIncBasePriorityPrivilege	4244	server.exe
Token: 33	4244	server.exe
Token: SeIncBasePriorityPrivilege	4244	server.exe
Token: 33	4244	server.exe
Token: SeIncBasePriorityPrivilege	4244	server.exe
Token: 33	4244	server.exe
Token: SeIncBasePriorityPrivilege	4244	server.exe
Token: 33	4244	server.exe
Token: SeIncBasePriorityPrivilege	4244	server.exe
Token: 33	4244	server.exe
Token: SeIncBasePriorityPrivilege	4244	server.exe
Token: 33	4244	server.exe
Token: SeIncBasePriorityPrivilege	4244	server.exe
Token: 33	4244	server.exe
Token: SeIncBasePriorityPrivilege	4244	server.exe
Token: 33	4244	server.exe
Token: SeIncBasePriorityPrivilege	4244	server.exe
Token: 33	4244	server.exe
Token: SeIncBasePriorityPrivilege	4244	server.exe
Token: 33	4244	server.exe
Token: SeIncBasePriorityPrivilege	4244	server.exe
Token: 33	4244	server.exe
Token: SeIncBasePriorityPrivilege	4244	server.exe
Token: 33	4244	server.exe
Token: SeIncBasePriorityPrivilege	4244	server.exe
Token: 33	4244	server.exe
Token: SeIncBasePriorityPrivilege	4244	server.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

bf65c8e2290aee1cd322f28edf25e804f9626636f0a3263281f172383b97b656.exeserver.exe

description	pid	process	target process
PID 3160 wrote to memory of 4244	3160	bf65c8e2290aee1cd322f28edf25e804f9626636f0a3263281f172383b97b656.exe	server.exe
PID 3160 wrote to memory of 4244	3160	bf65c8e2290aee1cd322f28edf25e804f9626636f0a3263281f172383b97b656.exe	server.exe
PID 3160 wrote to memory of 4244	3160	bf65c8e2290aee1cd322f28edf25e804f9626636f0a3263281f172383b97b656.exe	server.exe
PID 4244 wrote to memory of 3956	4244	server.exe	netsh.exe
PID 4244 wrote to memory of 3956	4244	server.exe	netsh.exe
PID 4244 wrote to memory of 3956	4244	server.exe	netsh.exe
PID 4244 wrote to memory of 2236	4244	server.exe	netsh.exe
PID 4244 wrote to memory of 2236	4244	server.exe	netsh.exe
PID 4244 wrote to memory of 2236	4244	server.exe	netsh.exe
PID 4244 wrote to memory of 332	4244	server.exe	netsh.exe
PID 4244 wrote to memory of 332	4244	server.exe	netsh.exe
PID 4244 wrote to memory of 332	4244	server.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\bf65c8e2290aee1cd322f28edf25e804f9626636f0a3263281f172383b97b656.exe
"C:\Users\Admin\AppData\Local\Temp\bf65c8e2290aee1cd322f28edf25e804f9626636f0a3263281f172383b97b656.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3160

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4244

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
3⤵
PID:3956

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
3⤵
PID:2236

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
3⤵
PID:332

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\server.exe
Filesize
93KB

MD5
74561ab8272480ac06696738092ce507

SHA1
5182c427adf49862dcb6d2444df487c9f1bb21da

SHA256
bf65c8e2290aee1cd322f28edf25e804f9626636f0a3263281f172383b97b656

SHA512
07a710a0be9869f2759bf3bcd25a0d981f9503604dd0629cad43114da0942de6fc16da34330e41d7f1c88d43565c70b66c5c4095908392b370abe266b5be7c62

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe
Filesize
93KB

MD5
74561ab8272480ac06696738092ce507

SHA1
5182c427adf49862dcb6d2444df487c9f1bb21da

SHA256
bf65c8e2290aee1cd322f28edf25e804f9626636f0a3263281f172383b97b656

SHA512
07a710a0be9869f2759bf3bcd25a0d981f9503604dd0629cad43114da0942de6fc16da34330e41d7f1c88d43565c70b66c5c4095908392b370abe266b5be7c62

Download Submit
C:\Users\Admin\AppData\Roaming\app
Filesize
5B

MD5
f478c76bbb3174dbc7fabae62224f818

SHA1
bed239508bad9fcd15a9bdea1e132f62468d07d1

SHA256
d7a0af52f260c87ef40bdfc1f1196faf7797593d62c6120ae99957d78762ed1a

SHA512
b653aa05746c721c9129456de3798d9e94385a0e5630c5d497fa0d6076274560885edd5875232b40d07aafa3f0e929e9b3bf2ff388ad2c21b3589cb01b79f94b

Download Submit
memory/332-138-0x0000000000000000-mapping.dmp

Download
memory/2236-137-0x0000000000000000-mapping.dmp

Download
memory/3160-130-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/3956-136-0x0000000000000000-mapping.dmp

Download
memory/4244-131-0x0000000000000000-mapping.dmp

Download
memory/4244-135-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads