njrat | 53865d1829e63413261f2353933102b40a3b2f605b6c7ba3b89b287b309ba926

General

Target

53865d1829e63413261f2353933102b40a3b2f605b6c7ba3b89b287b309ba926.exe
Size

93KB
MD5

34307aa6518e2d8793bbcc79ecee7fc0
SHA1

019d4bd745bfc4d36f196ed6ed41d81e478c0d10
SHA256

53865d1829e63413261f2353933102b40a3b2f605b6c7ba3b89b287b309ba926
SHA512

6ea91a8df045be7ea6fced1c0e67eeba4ecd1688f891a02feedd84c594eade0d67338158413fb97a8024ed4848858d2ac2cf0df656ea848d9a9af664d7177974

Score

10^/10

njrat hacked evasion suricata trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

FRANSESCOC50Y3Aubmdyb2suaW8Strik:MTM1Nzg=

Mutex

73137daa68006467b187b2f414df684d

Attributes

reg_key
73137daa68006467b187b2f414df684d
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata
Executes dropped EXE 1 IoCs

Processes:

server.exe

pid process

1208 server.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

pid	process
1208	server.exe

Drops startup file 4 IoCs

Processes:

server.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\73137daa68006467b187b2f414df684dWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\73137daa68006467b187b2f414df684dWindows Update.exe	server.exe

Loads dropped DLL 2 IoCs

Processes:

53865d1829e63413261f2353933102b40a3b2f605b6c7ba3b89b287b309ba926.exe

pid	process
2024	53865d1829e63413261f2353933102b40a3b2f605b6c7ba3b89b287b309ba926.exe
2024	53865d1829e63413261f2353933102b40a3b2f605b6c7ba3b89b287b309ba926.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

server.exe

pid process

1208 server.exe

pid	process
1208	server.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

Processes:

server.exe

description	pid	process
Token: SeDebugPrivilege	1208	server.exe
Token: 33	1208	server.exe
Token: SeIncBasePriorityPrivilege	1208	server.exe
Token: 33	1208	server.exe
Token: SeIncBasePriorityPrivilege	1208	server.exe
Token: 33	1208	server.exe
Token: SeIncBasePriorityPrivilege	1208	server.exe
Token: 33	1208	server.exe
Token: SeIncBasePriorityPrivilege	1208	server.exe
Token: 33	1208	server.exe
Token: SeIncBasePriorityPrivilege	1208	server.exe
Token: 33	1208	server.exe
Token: SeIncBasePriorityPrivilege	1208	server.exe
Token: 33	1208	server.exe
Token: SeIncBasePriorityPrivilege	1208	server.exe
Token: 33	1208	server.exe
Token: SeIncBasePriorityPrivilege	1208	server.exe
Token: 33	1208	server.exe
Token: SeIncBasePriorityPrivilege	1208	server.exe
Token: 33	1208	server.exe
Token: SeIncBasePriorityPrivilege	1208	server.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

53865d1829e63413261f2353933102b40a3b2f605b6c7ba3b89b287b309ba926.exeserver.exe

description	pid	process	target process
PID 2024 wrote to memory of 1208	2024	53865d1829e63413261f2353933102b40a3b2f605b6c7ba3b89b287b309ba926.exe	server.exe
PID 2024 wrote to memory of 1208	2024	53865d1829e63413261f2353933102b40a3b2f605b6c7ba3b89b287b309ba926.exe	server.exe
PID 2024 wrote to memory of 1208	2024	53865d1829e63413261f2353933102b40a3b2f605b6c7ba3b89b287b309ba926.exe	server.exe
PID 2024 wrote to memory of 1208	2024	53865d1829e63413261f2353933102b40a3b2f605b6c7ba3b89b287b309ba926.exe	server.exe
PID 1208 wrote to memory of 1948	1208	server.exe	netsh.exe
PID 1208 wrote to memory of 1948	1208	server.exe	netsh.exe
PID 1208 wrote to memory of 1948	1208	server.exe	netsh.exe
PID 1208 wrote to memory of 1948	1208	server.exe	netsh.exe
PID 1208 wrote to memory of 1608	1208	server.exe	netsh.exe
PID 1208 wrote to memory of 1608	1208	server.exe	netsh.exe
PID 1208 wrote to memory of 1608	1208	server.exe	netsh.exe
PID 1208 wrote to memory of 1608	1208	server.exe	netsh.exe
PID 1208 wrote to memory of 896	1208	server.exe	netsh.exe
PID 1208 wrote to memory of 896	1208	server.exe	netsh.exe
PID 1208 wrote to memory of 896	1208	server.exe	netsh.exe
PID 1208 wrote to memory of 896	1208	server.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\53865d1829e63413261f2353933102b40a3b2f605b6c7ba3b89b287b309ba926.exe
"C:\Users\Admin\AppData\Local\Temp\53865d1829e63413261f2353933102b40a3b2f605b6c7ba3b89b287b309ba926.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2024

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1208

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
3⤵
PID:1948

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
3⤵
PID:1608

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
3⤵
PID:896

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\server.exe
Filesize
93KB

MD5
34307aa6518e2d8793bbcc79ecee7fc0

SHA1
019d4bd745bfc4d36f196ed6ed41d81e478c0d10

SHA256
53865d1829e63413261f2353933102b40a3b2f605b6c7ba3b89b287b309ba926

SHA512
6ea91a8df045be7ea6fced1c0e67eeba4ecd1688f891a02feedd84c594eade0d67338158413fb97a8024ed4848858d2ac2cf0df656ea848d9a9af664d7177974

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe
Filesize
93KB

MD5
34307aa6518e2d8793bbcc79ecee7fc0

SHA1
019d4bd745bfc4d36f196ed6ed41d81e478c0d10

SHA256
53865d1829e63413261f2353933102b40a3b2f605b6c7ba3b89b287b309ba926

SHA512
6ea91a8df045be7ea6fced1c0e67eeba4ecd1688f891a02feedd84c594eade0d67338158413fb97a8024ed4848858d2ac2cf0df656ea848d9a9af664d7177974

Download Submit
C:\Users\Admin\AppData\Roaming\app
Filesize
5B

MD5
53ce6d1ae8885b5d12e654469f456c83

SHA1
9d8b30c523ddef4d24134072b27716bec7d94d6f

SHA256
d7ebf92ad6e3bc44fbc3cfbb234ef4afafd7ea339f712229641a2849b6f87ce2

SHA512
c15df9281e9ccbb8d30e24e751b77a030e734f8cda4bd9482d3ca02f6b23e463a8e90ddd78a582ca059e57b8d0492c22583d792bc7368094ffc06e12cd145d9d

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe
Filesize
93KB

MD5
34307aa6518e2d8793bbcc79ecee7fc0

SHA1
019d4bd745bfc4d36f196ed6ed41d81e478c0d10

SHA256
53865d1829e63413261f2353933102b40a3b2f605b6c7ba3b89b287b309ba926

SHA512
6ea91a8df045be7ea6fced1c0e67eeba4ecd1688f891a02feedd84c594eade0d67338158413fb97a8024ed4848858d2ac2cf0df656ea848d9a9af664d7177974

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe
Filesize
93KB

MD5
34307aa6518e2d8793bbcc79ecee7fc0

SHA1
019d4bd745bfc4d36f196ed6ed41d81e478c0d10

SHA256
53865d1829e63413261f2353933102b40a3b2f605b6c7ba3b89b287b309ba926

SHA512
6ea91a8df045be7ea6fced1c0e67eeba4ecd1688f891a02feedd84c594eade0d67338158413fb97a8024ed4848858d2ac2cf0df656ea848d9a9af664d7177974

Download Submit
memory/896-67-0x0000000000000000-mapping.dmp

Download
memory/1208-58-0x0000000000000000-mapping.dmp

Download
memory/1208-63-0x0000000074B90000-0x000000007513B000-memory.dmp

Filesize
5.7MB

Download
memory/1608-66-0x0000000000000000-mapping.dmp

Download
memory/1948-64-0x0000000000000000-mapping.dmp

Download
memory/2024-54-0x0000000076011000-0x0000000076013000-memory.dmp

Filesize
8KB

Download
memory/2024-55-0x0000000074B90000-0x000000007513B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads