njrat | da1e7c7c27b4846da4557a0b766285dffcf4be704327afad1eaa2fe75b42e5ed

General

Target

da1e7c7c27b4846da4557a0b766285dffcf4be704327afad1eaa2fe75b42e5ed.exe
Size

43KB
MD5

2cbedbd088a2d679fa54e49f1ca04f07
SHA1

933e21bf76b0d6c43e670c58ce32a7785696bb1a
SHA256

da1e7c7c27b4846da4557a0b766285dffcf4be704327afad1eaa2fe75b42e5ed
SHA512

25144360822c308cc22b8f4f722fed662390aac5d0460452dcdd01445e996fe3982514cf976ae3ef129795d8fa565fcb992acd438eafa3fa20b975278b99ae9b

Score

10^/10

njrat hacked trojan

Malware Config

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

HacKed

C2

gazik500,ddns.net:9292

Mutex

Windows Update

Attributes

reg_key
Windows Update
splitter
|Hassan|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 1 IoCs

Processes:

Eroxt.exe

pid process

4872 Eroxt.exe

pid	process
4872	Eroxt.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

da1e7c7c27b4846da4557a0b766285dffcf4be704327afad1eaa2fe75b42e5ed.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	da1e7c7c27b4846da4557a0b766285dffcf4be704327afad1eaa2fe75b42e5ed.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

da1e7c7c27b4846da4557a0b766285dffcf4be704327afad1eaa2fe75b42e5ed.exeEroxt.exe

pid process

4328 da1e7c7c27b4846da4557a0b766285dffcf4be704327afad1eaa2fe75b42e5ed.exe
4872 Eroxt.exe

pid	process
4328	da1e7c7c27b4846da4557a0b766285dffcf4be704327afad1eaa2fe75b42e5ed.exe
4872	Eroxt.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

Processes:

Eroxt.exe

description	pid	process
Token: SeDebugPrivilege	4872	Eroxt.exe
Token: 33	4872	Eroxt.exe
Token: SeIncBasePriorityPrivilege	4872	Eroxt.exe
Token: 33	4872	Eroxt.exe
Token: SeIncBasePriorityPrivilege	4872	Eroxt.exe
Token: 33	4872	Eroxt.exe
Token: SeIncBasePriorityPrivilege	4872	Eroxt.exe
Token: 33	4872	Eroxt.exe
Token: SeIncBasePriorityPrivilege	4872	Eroxt.exe
Token: 33	4872	Eroxt.exe
Token: SeIncBasePriorityPrivilege	4872	Eroxt.exe
Token: 33	4872	Eroxt.exe
Token: SeIncBasePriorityPrivilege	4872	Eroxt.exe
Token: 33	4872	Eroxt.exe
Token: SeIncBasePriorityPrivilege	4872	Eroxt.exe
Token: 33	4872	Eroxt.exe
Token: SeIncBasePriorityPrivilege	4872	Eroxt.exe
Token: 33	4872	Eroxt.exe
Token: SeIncBasePriorityPrivilege	4872	Eroxt.exe
Token: 33	4872	Eroxt.exe
Token: SeIncBasePriorityPrivilege	4872	Eroxt.exe
Token: 33	4872	Eroxt.exe
Token: SeIncBasePriorityPrivilege	4872	Eroxt.exe
Token: 33	4872	Eroxt.exe
Token: SeIncBasePriorityPrivilege	4872	Eroxt.exe
Token: 33	4872	Eroxt.exe
Token: SeIncBasePriorityPrivilege	4872	Eroxt.exe
Token: 33	4872	Eroxt.exe
Token: SeIncBasePriorityPrivilege	4872	Eroxt.exe
Token: 33	4872	Eroxt.exe
Token: SeIncBasePriorityPrivilege	4872	Eroxt.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

da1e7c7c27b4846da4557a0b766285dffcf4be704327afad1eaa2fe75b42e5ed.exe

description	pid	process	target process
PID 4328 wrote to memory of 4872	4328	da1e7c7c27b4846da4557a0b766285dffcf4be704327afad1eaa2fe75b42e5ed.exe	Eroxt.exe
PID 4328 wrote to memory of 4872	4328	da1e7c7c27b4846da4557a0b766285dffcf4be704327afad1eaa2fe75b42e5ed.exe	Eroxt.exe
PID 4328 wrote to memory of 4872	4328	da1e7c7c27b4846da4557a0b766285dffcf4be704327afad1eaa2fe75b42e5ed.exe	Eroxt.exe

C:\Users\Admin\AppData\Local\Temp\da1e7c7c27b4846da4557a0b766285dffcf4be704327afad1eaa2fe75b42e5ed.exe
"C:\Users\Admin\AppData\Local\Temp\da1e7c7c27b4846da4557a0b766285dffcf4be704327afad1eaa2fe75b42e5ed.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:4328

C:\Users\Admin\AppData\Local\Temp\Eroxt.exe
"C:\Users\Admin\AppData\Local\Temp\Eroxt.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:4872

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Eroxt.exe
Filesize
43KB

MD5
2cbedbd088a2d679fa54e49f1ca04f07

SHA1
933e21bf76b0d6c43e670c58ce32a7785696bb1a

SHA256
da1e7c7c27b4846da4557a0b766285dffcf4be704327afad1eaa2fe75b42e5ed

SHA512
25144360822c308cc22b8f4f722fed662390aac5d0460452dcdd01445e996fe3982514cf976ae3ef129795d8fa565fcb992acd438eafa3fa20b975278b99ae9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Eroxt.exe
Filesize
43KB

MD5
2cbedbd088a2d679fa54e49f1ca04f07

SHA1
933e21bf76b0d6c43e670c58ce32a7785696bb1a

SHA256
da1e7c7c27b4846da4557a0b766285dffcf4be704327afad1eaa2fe75b42e5ed

SHA512
25144360822c308cc22b8f4f722fed662390aac5d0460452dcdd01445e996fe3982514cf976ae3ef129795d8fa565fcb992acd438eafa3fa20b975278b99ae9b

Download Submit
memory/4328-130-0x0000000000030000-0x0000000000042000-memory.dmp

Filesize
72KB

Download
memory/4328-131-0x00000000049F0000-0x0000000004A8C000-memory.dmp

Filesize
624KB

Download
memory/4328-132-0x0000000005340000-0x00000000058E4000-memory.dmp

Filesize
5.6MB

Download
memory/4328-133-0x0000000004E30000-0x0000000004EC2000-memory.dmp

Filesize
584KB

Download
memory/4872-134-0x0000000000000000-mapping.dmp

Download
memory/4872-137-0x0000000005480000-0x000000000548A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads