njrat | b251f070fcb0f3860976575737f90608919b194d7063a85981eee96cc85d7e7c

General

Target

b251f070fcb0f3860976575737f90608919b194d7063a85981eee96cc85d7e7c.exe
Size

3.3MB
MD5

4b5522eebcad10beac06216513281c63
SHA1

ec0fa68acfb0461a283df076b239191a69fed59a
SHA256

b251f070fcb0f3860976575737f90608919b194d7063a85981eee96cc85d7e7c
SHA512

9f233a6dc82c59f8bb0e97a92325de7f3abc11bc4999db8a365b8fab86dc07e69fa67f1ab59fccda13c4b40786e3265e0d41da8b967f4f392a602dc6198fc51a

Score

10^/10

njrat lime suricata trojan

Malware Config

Extracted

Family

njrat

Version

0.7.3

Botnet

Lime

C2

0.tcp.ngrok.io:17495

Mutex

Client.exe

Attributes

reg_key
Client.exe
splitter
123456

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata
suricata: ET MALWARE njRAT/Bladabindi Variant (Lime) CnC Checkin
suricata: ET MALWARE njRAT/Bladabindi Variant (Lime) CnC Checkin
suricata
Executes dropped EXE 2 IoCs

Processes:

DomerServerHack_2.0.exeNew Client.exe

pid process

1768 DomerServerHack_2.0.exe
1592 New Client.exe

pid	process
1768	DomerServerHack_2.0.exe
1592	New Client.exe

Loads dropped DLL 2 IoCs

Processes:

b251f070fcb0f3860976575737f90608919b194d7063a85981eee96cc85d7e7c.exe

pid	process
1368	b251f070fcb0f3860976575737f90608919b194d7063a85981eee96cc85d7e7c.exe
1368	b251f070fcb0f3860976575737f90608919b194d7063a85981eee96cc85d7e7c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 21 IoCs

Processes:

New Client.exe

description	pid	process
Token: SeDebugPrivilege	1592	New Client.exe
Token: 33	1592	New Client.exe
Token: SeIncBasePriorityPrivilege	1592	New Client.exe
Token: 33	1592	New Client.exe
Token: SeIncBasePriorityPrivilege	1592	New Client.exe
Token: 33	1592	New Client.exe
Token: SeIncBasePriorityPrivilege	1592	New Client.exe
Token: 33	1592	New Client.exe
Token: SeIncBasePriorityPrivilege	1592	New Client.exe
Token: 33	1592	New Client.exe
Token: SeIncBasePriorityPrivilege	1592	New Client.exe
Token: 33	1592	New Client.exe
Token: SeIncBasePriorityPrivilege	1592	New Client.exe
Token: 33	1592	New Client.exe
Token: SeIncBasePriorityPrivilege	1592	New Client.exe
Token: 33	1592	New Client.exe
Token: SeIncBasePriorityPrivilege	1592	New Client.exe
Token: 33	1592	New Client.exe
Token: SeIncBasePriorityPrivilege	1592	New Client.exe
Token: 33	1592	New Client.exe
Token: SeIncBasePriorityPrivilege	1592	New Client.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

b251f070fcb0f3860976575737f90608919b194d7063a85981eee96cc85d7e7c.exe

description	pid	process	target process
PID 1368 wrote to memory of 1768	1368	b251f070fcb0f3860976575737f90608919b194d7063a85981eee96cc85d7e7c.exe	DomerServerHack_2.0.exe
PID 1368 wrote to memory of 1768	1368	b251f070fcb0f3860976575737f90608919b194d7063a85981eee96cc85d7e7c.exe	DomerServerHack_2.0.exe
PID 1368 wrote to memory of 1768	1368	b251f070fcb0f3860976575737f90608919b194d7063a85981eee96cc85d7e7c.exe	DomerServerHack_2.0.exe
PID 1368 wrote to memory of 1768	1368	b251f070fcb0f3860976575737f90608919b194d7063a85981eee96cc85d7e7c.exe	DomerServerHack_2.0.exe
PID 1368 wrote to memory of 1592	1368	b251f070fcb0f3860976575737f90608919b194d7063a85981eee96cc85d7e7c.exe	New Client.exe
PID 1368 wrote to memory of 1592	1368	b251f070fcb0f3860976575737f90608919b194d7063a85981eee96cc85d7e7c.exe	New Client.exe
PID 1368 wrote to memory of 1592	1368	b251f070fcb0f3860976575737f90608919b194d7063a85981eee96cc85d7e7c.exe	New Client.exe
PID 1368 wrote to memory of 1592	1368	b251f070fcb0f3860976575737f90608919b194d7063a85981eee96cc85d7e7c.exe	New Client.exe

C:\Users\Admin\AppData\Local\Temp\b251f070fcb0f3860976575737f90608919b194d7063a85981eee96cc85d7e7c.exe
"C:\Users\Admin\AppData\Local\Temp\b251f070fcb0f3860976575737f90608919b194d7063a85981eee96cc85d7e7c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1368

C:\Users\Admin\AppData\Local\Temp\DomerServerHack_2.0.exe
"C:\Users\Admin\AppData\Local\Temp\DomerServerHack_2.0.exe"
2⤵
- Executes dropped EXE
PID:1768

C:\Users\Admin\AppData\Local\Temp\New Client.exe
"C:\Users\Admin\AppData\Local\Temp\New Client.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1592

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DomerServerHack_2.0.exe
Filesize
3.3MB

MD5
f6a0747b7a3be4bf1d4c03f22f07581d

SHA1
2990bd60d1db46ebfcd2642d44611067d49c9085

SHA256
4010c544fc5fa52d76a7cde04990f4c03ca4206ce9f7e562dd9f36a7b3cff5b4

SHA512
524c3587b5852eeff8fec78320ee76e6838bf149049accbd050b7fb5fa874b51fe54fb89c052fb12e6ad8662170dbe67d8a545ac56befa8482f98a675ff5907f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DomerServerHack_2.0.exe
Filesize
3.3MB

MD5
f6a0747b7a3be4bf1d4c03f22f07581d

SHA1
2990bd60d1db46ebfcd2642d44611067d49c9085

SHA256
4010c544fc5fa52d76a7cde04990f4c03ca4206ce9f7e562dd9f36a7b3cff5b4

SHA512
524c3587b5852eeff8fec78320ee76e6838bf149049accbd050b7fb5fa874b51fe54fb89c052fb12e6ad8662170dbe67d8a545ac56befa8482f98a675ff5907f

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Client.exe
Filesize
78KB

MD5
0198215c77cb31181a484b8aa1ee2c7f

SHA1
a5bbb8d8f740f83774dc3d74410ec0d39b31eea3

SHA256
5a5af4428ce31293d9a101415fceee530ea46260d45c437cf8de6b76db933899

SHA512
488b7b4ec514f45753781f76265bd1f625ba53cd215c395b22c5ed19edf101ff218d17979cf01f5aba3f9d86aa8c22015076efd86d363d1d751019b8e81f6233

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Client.exe
Filesize
78KB

MD5
0198215c77cb31181a484b8aa1ee2c7f

SHA1
a5bbb8d8f740f83774dc3d74410ec0d39b31eea3

SHA256
5a5af4428ce31293d9a101415fceee530ea46260d45c437cf8de6b76db933899

SHA512
488b7b4ec514f45753781f76265bd1f625ba53cd215c395b22c5ed19edf101ff218d17979cf01f5aba3f9d86aa8c22015076efd86d363d1d751019b8e81f6233

Download Submit
\Users\Admin\AppData\Local\Temp\DomerServerHack_2.0.exe
Filesize
3.3MB

MD5
f6a0747b7a3be4bf1d4c03f22f07581d

SHA1
2990bd60d1db46ebfcd2642d44611067d49c9085

SHA256
4010c544fc5fa52d76a7cde04990f4c03ca4206ce9f7e562dd9f36a7b3cff5b4

SHA512
524c3587b5852eeff8fec78320ee76e6838bf149049accbd050b7fb5fa874b51fe54fb89c052fb12e6ad8662170dbe67d8a545ac56befa8482f98a675ff5907f

Download Submit
\Users\Admin\AppData\Local\Temp\New Client.exe
Filesize
78KB

MD5
0198215c77cb31181a484b8aa1ee2c7f

SHA1
a5bbb8d8f740f83774dc3d74410ec0d39b31eea3

SHA256
5a5af4428ce31293d9a101415fceee530ea46260d45c437cf8de6b76db933899

SHA512
488b7b4ec514f45753781f76265bd1f625ba53cd215c395b22c5ed19edf101ff218d17979cf01f5aba3f9d86aa8c22015076efd86d363d1d751019b8e81f6233

Download Submit
memory/1368-54-0x0000000076171000-0x0000000076173000-memory.dmp

Filesize
8KB

Download
memory/1592-60-0x0000000000000000-mapping.dmp

Download
memory/1592-66-0x0000000073D50000-0x00000000742FB000-memory.dmp

Filesize
5.7MB

Download
memory/1768-56-0x0000000000000000-mapping.dmp

Download
memory/1768-64-0x0000000000290000-0x00000000005DC000-memory.dmp

Filesize
3.3MB

Download
memory/1768-67-0x00000000022A5000-0x00000000022B6000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads