njrat | 1c01402caca44bb88644241d8759f29b5ab70bce7640429485c1ab42d35f54b0

General

Target

1c01402caca44bb88644241d8759f29b5ab70bce7640429485c1ab42d35f54b0.exe
Size

37KB
MD5

8a3c07e101a69711eee5c4f21c4a5199
SHA1

86c4438cb25b6bc2e7f4b3865f809bddcd7ea096
SHA256

1c01402caca44bb88644241d8759f29b5ab70bce7640429485c1ab42d35f54b0
SHA512

8b582230e9a67397fd3f36fd1b9c91331852332b27807696faf809163b6474384a6aa6c3599c96d7b6d25ee917fea962f6af8a334045103c4687f9302b8ed62e

Score

10^/10

njrat hacked evasion trojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

HacKed

C2

192.168.0.12:5552

Mutex

536ec81ea4d08ca810ee637d596cf35e

Attributes

reg_key
536ec81ea4d08ca810ee637d596cf35e
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 1 IoCs

Processes:

Discordinstaler.exe

pid process

4248 Discordinstaler.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

pid	process
4248	Discordinstaler.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1c01402caca44bb88644241d8759f29b5ab70bce7640429485c1ab42d35f54b0.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	1c01402caca44bb88644241d8759f29b5ab70bce7640429485c1ab42d35f54b0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 33 IoCs

Processes:

Discordinstaler.exe

description	pid	process
Token: SeDebugPrivilege	4248	Discordinstaler.exe
Token: 33	4248	Discordinstaler.exe
Token: SeIncBasePriorityPrivilege	4248	Discordinstaler.exe
Token: 33	4248	Discordinstaler.exe
Token: SeIncBasePriorityPrivilege	4248	Discordinstaler.exe
Token: 33	4248	Discordinstaler.exe
Token: SeIncBasePriorityPrivilege	4248	Discordinstaler.exe
Token: 33	4248	Discordinstaler.exe
Token: SeIncBasePriorityPrivilege	4248	Discordinstaler.exe
Token: 33	4248	Discordinstaler.exe
Token: SeIncBasePriorityPrivilege	4248	Discordinstaler.exe
Token: 33	4248	Discordinstaler.exe
Token: SeIncBasePriorityPrivilege	4248	Discordinstaler.exe
Token: 33	4248	Discordinstaler.exe
Token: SeIncBasePriorityPrivilege	4248	Discordinstaler.exe
Token: 33	4248	Discordinstaler.exe
Token: SeIncBasePriorityPrivilege	4248	Discordinstaler.exe
Token: 33	4248	Discordinstaler.exe
Token: SeIncBasePriorityPrivilege	4248	Discordinstaler.exe
Token: 33	4248	Discordinstaler.exe
Token: SeIncBasePriorityPrivilege	4248	Discordinstaler.exe
Token: 33	4248	Discordinstaler.exe
Token: SeIncBasePriorityPrivilege	4248	Discordinstaler.exe
Token: 33	4248	Discordinstaler.exe
Token: SeIncBasePriorityPrivilege	4248	Discordinstaler.exe
Token: 33	4248	Discordinstaler.exe
Token: SeIncBasePriorityPrivilege	4248	Discordinstaler.exe
Token: 33	4248	Discordinstaler.exe
Token: SeIncBasePriorityPrivilege	4248	Discordinstaler.exe
Token: 33	4248	Discordinstaler.exe
Token: SeIncBasePriorityPrivilege	4248	Discordinstaler.exe
Token: 33	4248	Discordinstaler.exe
Token: SeIncBasePriorityPrivilege	4248	Discordinstaler.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

1c01402caca44bb88644241d8759f29b5ab70bce7640429485c1ab42d35f54b0.exeDiscordinstaler.exe

description	pid	process	target process
PID 2992 wrote to memory of 4248	2992	1c01402caca44bb88644241d8759f29b5ab70bce7640429485c1ab42d35f54b0.exe	Discordinstaler.exe
PID 2992 wrote to memory of 4248	2992	1c01402caca44bb88644241d8759f29b5ab70bce7640429485c1ab42d35f54b0.exe	Discordinstaler.exe
PID 2992 wrote to memory of 4248	2992	1c01402caca44bb88644241d8759f29b5ab70bce7640429485c1ab42d35f54b0.exe	Discordinstaler.exe
PID 4248 wrote to memory of 3188	4248	Discordinstaler.exe	netsh.exe
PID 4248 wrote to memory of 3188	4248	Discordinstaler.exe	netsh.exe
PID 4248 wrote to memory of 3188	4248	Discordinstaler.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\1c01402caca44bb88644241d8759f29b5ab70bce7640429485c1ab42d35f54b0.exe
"C:\Users\Admin\AppData\Local\Temp\1c01402caca44bb88644241d8759f29b5ab70bce7640429485c1ab42d35f54b0.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2992

C:\Users\Admin\AppData\Local\Temp\Discordinstaler.exe
"C:\Users\Admin\AppData\Local\Temp\Discordinstaler.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4248

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Discordinstaler.exe" "Discordinstaler.exe" ENABLE
3⤵
PID:3188

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Discordinstaler.exe
Filesize
37KB

MD5
8a3c07e101a69711eee5c4f21c4a5199

SHA1
86c4438cb25b6bc2e7f4b3865f809bddcd7ea096

SHA256
1c01402caca44bb88644241d8759f29b5ab70bce7640429485c1ab42d35f54b0

SHA512
8b582230e9a67397fd3f36fd1b9c91331852332b27807696faf809163b6474384a6aa6c3599c96d7b6d25ee917fea962f6af8a334045103c4687f9302b8ed62e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Discordinstaler.exe
Filesize
37KB

MD5
8a3c07e101a69711eee5c4f21c4a5199

SHA1
86c4438cb25b6bc2e7f4b3865f809bddcd7ea096

SHA256
1c01402caca44bb88644241d8759f29b5ab70bce7640429485c1ab42d35f54b0

SHA512
8b582230e9a67397fd3f36fd1b9c91331852332b27807696faf809163b6474384a6aa6c3599c96d7b6d25ee917fea962f6af8a334045103c4687f9302b8ed62e

Download Submit
memory/2992-130-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download
memory/3188-135-0x0000000000000000-mapping.dmp

Download
memory/4248-131-0x0000000000000000-mapping.dmp

Download
memory/4248-134-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads