njrat | fbebd1bf86a052ff5e4540eda267776c71ad870911e53c2e5f40e8fa66f8d2b8

General

Target

fbebd1bf86a052ff5e4540eda267776c71ad870911e53c2e5f40e8fa66f8d2b8.exe
Size

181KB
MD5

0c9f666b100f08c29b172503c855f985
SHA1

20fff63d2e1afa452162f5224d7d7114e97afbf1
SHA256

fbebd1bf86a052ff5e4540eda267776c71ad870911e53c2e5f40e8fa66f8d2b8
SHA512

59f3065b4c5879c15bef58e0814249464a1e3777a800c7443073e6b96003d14c61e36956e411afaf674b245223d02cd723afcaf75c8d7fea3ee9b252859e6264

Score

10^/10

njrat cass evasion trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

cass

C2

107.167.244.67:31922

Mutex

cf6e3f95a16ddd65e5d5ff36b6f40c8d

Attributes

reg_key
cf6e3f95a16ddd65e5d5ff36b6f40c8d
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

4700 netsh.exe

pid	process
4700	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

fbebd1bf86a052ff5e4540eda267776c71ad870911e53c2e5f40e8fa66f8d2b8.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	fbebd1bf86a052ff5e4540eda267776c71ad870911e53c2e5f40e8fa66f8d2b8.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

fbebd1bf86a052ff5e4540eda267776c71ad870911e53c2e5f40e8fa66f8d2b8.exe

description	pid	process	target process
PID 2596 set thread context of 2100	2596	fbebd1bf86a052ff5e4540eda267776c71ad870911e53c2e5f40e8fa66f8d2b8.exe	fbebd1bf86a052ff5e4540eda267776c71ad870911e53c2e5f40e8fa66f8d2b8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

388 schtasks.exe

pid	process
388	schtasks.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

fbebd1bf86a052ff5e4540eda267776c71ad870911e53c2e5f40e8fa66f8d2b8.exe

description	pid	process
Token: SeDebugPrivilege	2100	fbebd1bf86a052ff5e4540eda267776c71ad870911e53c2e5f40e8fa66f8d2b8.exe
Token: 33	2100	fbebd1bf86a052ff5e4540eda267776c71ad870911e53c2e5f40e8fa66f8d2b8.exe
Token: SeIncBasePriorityPrivilege	2100	fbebd1bf86a052ff5e4540eda267776c71ad870911e53c2e5f40e8fa66f8d2b8.exe
Token: 33	2100	fbebd1bf86a052ff5e4540eda267776c71ad870911e53c2e5f40e8fa66f8d2b8.exe
Token: SeIncBasePriorityPrivilege	2100	fbebd1bf86a052ff5e4540eda267776c71ad870911e53c2e5f40e8fa66f8d2b8.exe
Token: 33	2100	fbebd1bf86a052ff5e4540eda267776c71ad870911e53c2e5f40e8fa66f8d2b8.exe
Token: SeIncBasePriorityPrivilege	2100	fbebd1bf86a052ff5e4540eda267776c71ad870911e53c2e5f40e8fa66f8d2b8.exe
Token: 33	2100	fbebd1bf86a052ff5e4540eda267776c71ad870911e53c2e5f40e8fa66f8d2b8.exe
Token: SeIncBasePriorityPrivilege	2100	fbebd1bf86a052ff5e4540eda267776c71ad870911e53c2e5f40e8fa66f8d2b8.exe
Token: 33	2100	fbebd1bf86a052ff5e4540eda267776c71ad870911e53c2e5f40e8fa66f8d2b8.exe
Token: SeIncBasePriorityPrivilege	2100	fbebd1bf86a052ff5e4540eda267776c71ad870911e53c2e5f40e8fa66f8d2b8.exe
Token: 33	2100	fbebd1bf86a052ff5e4540eda267776c71ad870911e53c2e5f40e8fa66f8d2b8.exe
Token: SeIncBasePriorityPrivilege	2100	fbebd1bf86a052ff5e4540eda267776c71ad870911e53c2e5f40e8fa66f8d2b8.exe
Token: 33	2100	fbebd1bf86a052ff5e4540eda267776c71ad870911e53c2e5f40e8fa66f8d2b8.exe
Token: SeIncBasePriorityPrivilege	2100	fbebd1bf86a052ff5e4540eda267776c71ad870911e53c2e5f40e8fa66f8d2b8.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

fbebd1bf86a052ff5e4540eda267776c71ad870911e53c2e5f40e8fa66f8d2b8.exefbebd1bf86a052ff5e4540eda267776c71ad870911e53c2e5f40e8fa66f8d2b8.exe

description	pid	process	target process
PID 2596 wrote to memory of 388	2596	fbebd1bf86a052ff5e4540eda267776c71ad870911e53c2e5f40e8fa66f8d2b8.exe	schtasks.exe
PID 2596 wrote to memory of 388	2596	fbebd1bf86a052ff5e4540eda267776c71ad870911e53c2e5f40e8fa66f8d2b8.exe	schtasks.exe
PID 2596 wrote to memory of 388	2596	fbebd1bf86a052ff5e4540eda267776c71ad870911e53c2e5f40e8fa66f8d2b8.exe	schtasks.exe
PID 2596 wrote to memory of 2100	2596	fbebd1bf86a052ff5e4540eda267776c71ad870911e53c2e5f40e8fa66f8d2b8.exe	fbebd1bf86a052ff5e4540eda267776c71ad870911e53c2e5f40e8fa66f8d2b8.exe
PID 2596 wrote to memory of 2100	2596	fbebd1bf86a052ff5e4540eda267776c71ad870911e53c2e5f40e8fa66f8d2b8.exe	fbebd1bf86a052ff5e4540eda267776c71ad870911e53c2e5f40e8fa66f8d2b8.exe
PID 2596 wrote to memory of 2100	2596	fbebd1bf86a052ff5e4540eda267776c71ad870911e53c2e5f40e8fa66f8d2b8.exe	fbebd1bf86a052ff5e4540eda267776c71ad870911e53c2e5f40e8fa66f8d2b8.exe
PID 2596 wrote to memory of 2100	2596	fbebd1bf86a052ff5e4540eda267776c71ad870911e53c2e5f40e8fa66f8d2b8.exe	fbebd1bf86a052ff5e4540eda267776c71ad870911e53c2e5f40e8fa66f8d2b8.exe
PID 2596 wrote to memory of 2100	2596	fbebd1bf86a052ff5e4540eda267776c71ad870911e53c2e5f40e8fa66f8d2b8.exe	fbebd1bf86a052ff5e4540eda267776c71ad870911e53c2e5f40e8fa66f8d2b8.exe
PID 2596 wrote to memory of 2100	2596	fbebd1bf86a052ff5e4540eda267776c71ad870911e53c2e5f40e8fa66f8d2b8.exe	fbebd1bf86a052ff5e4540eda267776c71ad870911e53c2e5f40e8fa66f8d2b8.exe
PID 2596 wrote to memory of 2100	2596	fbebd1bf86a052ff5e4540eda267776c71ad870911e53c2e5f40e8fa66f8d2b8.exe	fbebd1bf86a052ff5e4540eda267776c71ad870911e53c2e5f40e8fa66f8d2b8.exe
PID 2596 wrote to memory of 2100	2596	fbebd1bf86a052ff5e4540eda267776c71ad870911e53c2e5f40e8fa66f8d2b8.exe	fbebd1bf86a052ff5e4540eda267776c71ad870911e53c2e5f40e8fa66f8d2b8.exe
PID 2100 wrote to memory of 4700	2100	fbebd1bf86a052ff5e4540eda267776c71ad870911e53c2e5f40e8fa66f8d2b8.exe	netsh.exe
PID 2100 wrote to memory of 4700	2100	fbebd1bf86a052ff5e4540eda267776c71ad870911e53c2e5f40e8fa66f8d2b8.exe	netsh.exe
PID 2100 wrote to memory of 4700	2100	fbebd1bf86a052ff5e4540eda267776c71ad870911e53c2e5f40e8fa66f8d2b8.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\fbebd1bf86a052ff5e4540eda267776c71ad870911e53c2e5f40e8fa66f8d2b8.exe
"C:\Users\Admin\AppData\Local\Temp\fbebd1bf86a052ff5e4540eda267776c71ad870911e53c2e5f40e8fa66f8d2b8.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2596

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oXhuYRpyK" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3A83.tmp"
2⤵
- Creates scheduled task(s)
PID:388

C:\Users\Admin\AppData\Local\Temp\fbebd1bf86a052ff5e4540eda267776c71ad870911e53c2e5f40e8fa66f8d2b8.exe
"C:\Users\Admin\AppData\Local\Temp\fbebd1bf86a052ff5e4540eda267776c71ad870911e53c2e5f40e8fa66f8d2b8.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2100

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\fbebd1bf86a052ff5e4540eda267776c71ad870911e53c2e5f40e8fa66f8d2b8.exe" "fbebd1bf86a052ff5e4540eda267776c71ad870911e53c2e5f40e8fa66f8d2b8.exe" ENABLE
3⤵
- Modifies Windows Firewall
PID:4700

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Modify Existing Service

1

T1031

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\fbebd1bf86a052ff5e4540eda267776c71ad870911e53c2e5f40e8fa66f8d2b8.exe.log
Filesize
500B

MD5
160ee0aa7ac71bf18a4a8a17eae6d075

SHA1
c874f317c3d77b739e3d6c60471801bff9f87971

SHA256
540c64bca451d41b3b1a6d822775115fe86bca5d54b7e762f01fcf2328d9ee3a

SHA512
5a0eac7f33127ef21958cb38b562df325863711e502a89ad3298dc979a55d5d4251cbf8f708a8008ba96a7088190ae2372e9d408e3ce04068b29ba21108a62cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3A83.tmp
Filesize
1KB

MD5
8bcf3204b416e45a62d0fada39d9c7b3

SHA1
a6ed07c59e422b58989ab5547aa5dda3a4566827

SHA256
246e7cfd3f3925fe45ac8af22ed191bbe625f7dad899d777b41306cd08b12b85

SHA512
a668115eaf41647e2e4aecc5636be8970b4882447a12644a60df428e3b89180dfe6f0c51c614ed5c251508dc32e81180a6fae757f21734a716c05909ac456c12

Download Submit
memory/388-132-0x0000000000000000-mapping.dmp

Download
memory/2100-134-0x0000000000000000-mapping.dmp

Download
memory/2100-135-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2100-138-0x0000000074720000-0x0000000074CD1000-memory.dmp

Filesize
5.7MB

Download
memory/2100-140-0x0000000074720000-0x0000000074CD1000-memory.dmp

Filesize
5.7MB

Download
memory/2596-130-0x0000000074720000-0x0000000074CD1000-memory.dmp

Filesize
5.7MB

Download
memory/2596-131-0x0000000074720000-0x0000000074CD1000-memory.dmp

Filesize
5.7MB

Download
memory/2596-137-0x0000000074720000-0x0000000074CD1000-memory.dmp

Filesize
5.7MB

Download
memory/4700-139-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads