njrat | b251f070fcb0f3860976575737f90608919b194d7063a85981eee96cc85d7e7c

General

Target

b251f070fcb0f3860976575737f90608919b194d7063a85981eee96cc85d7e7c.exe
Size

3.3MB
MD5

4b5522eebcad10beac06216513281c63
SHA1

ec0fa68acfb0461a283df076b239191a69fed59a
SHA256

b251f070fcb0f3860976575737f90608919b194d7063a85981eee96cc85d7e7c
SHA512

9f233a6dc82c59f8bb0e97a92325de7f3abc11bc4999db8a365b8fab86dc07e69fa67f1ab59fccda13c4b40786e3265e0d41da8b967f4f392a602dc6198fc51a

Score

10^/10

njrat lime suricata trojan

Malware Config

Extracted

Family

njrat

Version

0.7.3

Botnet

Lime

C2

0.tcp.ngrok.io:17495

Mutex

Client.exe

Attributes

reg_key
Client.exe
splitter
123456

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata
suricata: ET MALWARE njRAT/Bladabindi Variant (Lime) CnC Checkin
suricata: ET MALWARE njRAT/Bladabindi Variant (Lime) CnC Checkin
suricata
Executes dropped EXE 2 IoCs

Processes:

DomerServerHack_2.0.exeNew Client.exe

pid process

4572 DomerServerHack_2.0.exe
4752 New Client.exe

pid	process
4572	DomerServerHack_2.0.exe
4752	New Client.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b251f070fcb0f3860976575737f90608919b194d7063a85981eee96cc85d7e7c.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	b251f070fcb0f3860976575737f90608919b194d7063a85981eee96cc85d7e7c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

New Client.exe

description	pid	process
Token: SeDebugPrivilege	4752	New Client.exe
Token: 33	4752	New Client.exe
Token: SeIncBasePriorityPrivilege	4752	New Client.exe
Token: 33	4752	New Client.exe
Token: SeIncBasePriorityPrivilege	4752	New Client.exe
Token: 33	4752	New Client.exe
Token: SeIncBasePriorityPrivilege	4752	New Client.exe
Token: 33	4752	New Client.exe
Token: SeIncBasePriorityPrivilege	4752	New Client.exe
Token: 33	4752	New Client.exe
Token: SeIncBasePriorityPrivilege	4752	New Client.exe
Token: 33	4752	New Client.exe
Token: SeIncBasePriorityPrivilege	4752	New Client.exe
Token: 33	4752	New Client.exe
Token: SeIncBasePriorityPrivilege	4752	New Client.exe
Token: 33	4752	New Client.exe
Token: SeIncBasePriorityPrivilege	4752	New Client.exe
Token: 33	4752	New Client.exe
Token: SeIncBasePriorityPrivilege	4752	New Client.exe
Token: 33	4752	New Client.exe
Token: SeIncBasePriorityPrivilege	4752	New Client.exe
Token: 33	4752	New Client.exe
Token: SeIncBasePriorityPrivilege	4752	New Client.exe
Token: 33	4752	New Client.exe
Token: SeIncBasePriorityPrivilege	4752	New Client.exe
Token: 33	4752	New Client.exe
Token: SeIncBasePriorityPrivilege	4752	New Client.exe
Token: 33	4752	New Client.exe
Token: SeIncBasePriorityPrivilege	4752	New Client.exe
Token: 33	4752	New Client.exe
Token: SeIncBasePriorityPrivilege	4752	New Client.exe
Token: 33	4752	New Client.exe
Token: SeIncBasePriorityPrivilege	4752	New Client.exe
Token: 33	4752	New Client.exe
Token: SeIncBasePriorityPrivilege	4752	New Client.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

b251f070fcb0f3860976575737f90608919b194d7063a85981eee96cc85d7e7c.exe

description	pid	process	target process
PID 5104 wrote to memory of 4572	5104	b251f070fcb0f3860976575737f90608919b194d7063a85981eee96cc85d7e7c.exe	DomerServerHack_2.0.exe
PID 5104 wrote to memory of 4572	5104	b251f070fcb0f3860976575737f90608919b194d7063a85981eee96cc85d7e7c.exe	DomerServerHack_2.0.exe
PID 5104 wrote to memory of 4572	5104	b251f070fcb0f3860976575737f90608919b194d7063a85981eee96cc85d7e7c.exe	DomerServerHack_2.0.exe
PID 5104 wrote to memory of 4752	5104	b251f070fcb0f3860976575737f90608919b194d7063a85981eee96cc85d7e7c.exe	New Client.exe
PID 5104 wrote to memory of 4752	5104	b251f070fcb0f3860976575737f90608919b194d7063a85981eee96cc85d7e7c.exe	New Client.exe
PID 5104 wrote to memory of 4752	5104	b251f070fcb0f3860976575737f90608919b194d7063a85981eee96cc85d7e7c.exe	New Client.exe

C:\Users\Admin\AppData\Local\Temp\b251f070fcb0f3860976575737f90608919b194d7063a85981eee96cc85d7e7c.exe
"C:\Users\Admin\AppData\Local\Temp\b251f070fcb0f3860976575737f90608919b194d7063a85981eee96cc85d7e7c.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5104

C:\Users\Admin\AppData\Local\Temp\DomerServerHack_2.0.exe
"C:\Users\Admin\AppData\Local\Temp\DomerServerHack_2.0.exe"
2⤵
- Executes dropped EXE
PID:4572

C:\Users\Admin\AppData\Local\Temp\New Client.exe
"C:\Users\Admin\AppData\Local\Temp\New Client.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4752

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DomerServerHack_2.0.exe
Filesize
3.3MB

MD5
f6a0747b7a3be4bf1d4c03f22f07581d

SHA1
2990bd60d1db46ebfcd2642d44611067d49c9085

SHA256
4010c544fc5fa52d76a7cde04990f4c03ca4206ce9f7e562dd9f36a7b3cff5b4

SHA512
524c3587b5852eeff8fec78320ee76e6838bf149049accbd050b7fb5fa874b51fe54fb89c052fb12e6ad8662170dbe67d8a545ac56befa8482f98a675ff5907f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DomerServerHack_2.0.exe
Filesize
3.3MB

MD5
f6a0747b7a3be4bf1d4c03f22f07581d

SHA1
2990bd60d1db46ebfcd2642d44611067d49c9085

SHA256
4010c544fc5fa52d76a7cde04990f4c03ca4206ce9f7e562dd9f36a7b3cff5b4

SHA512
524c3587b5852eeff8fec78320ee76e6838bf149049accbd050b7fb5fa874b51fe54fb89c052fb12e6ad8662170dbe67d8a545ac56befa8482f98a675ff5907f

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Client.exe
Filesize
78KB

MD5
0198215c77cb31181a484b8aa1ee2c7f

SHA1
a5bbb8d8f740f83774dc3d74410ec0d39b31eea3

SHA256
5a5af4428ce31293d9a101415fceee530ea46260d45c437cf8de6b76db933899

SHA512
488b7b4ec514f45753781f76265bd1f625ba53cd215c395b22c5ed19edf101ff218d17979cf01f5aba3f9d86aa8c22015076efd86d363d1d751019b8e81f6233

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Client.exe
Filesize
78KB

MD5
0198215c77cb31181a484b8aa1ee2c7f

SHA1
a5bbb8d8f740f83774dc3d74410ec0d39b31eea3

SHA256
5a5af4428ce31293d9a101415fceee530ea46260d45c437cf8de6b76db933899

SHA512
488b7b4ec514f45753781f76265bd1f625ba53cd215c395b22c5ed19edf101ff218d17979cf01f5aba3f9d86aa8c22015076efd86d363d1d751019b8e81f6233

Download Submit
memory/4572-130-0x0000000000000000-mapping.dmp

Download
memory/4572-137-0x0000000000E30000-0x000000000117C000-memory.dmp

Filesize
3.3MB

Download
memory/4572-138-0x0000000005F10000-0x00000000064B4000-memory.dmp

Filesize
5.6MB

Download
memory/4572-139-0x0000000005A00000-0x0000000005A92000-memory.dmp

Filesize
584KB

Download
memory/4572-140-0x00000000059F0000-0x00000000059FA000-memory.dmp

Filesize
40KB

Download
memory/4752-133-0x0000000000000000-mapping.dmp

Download
memory/4752-136-0x0000000074DC0000-0x0000000075371000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads