njrat | 1f8797a5ea837b256d7ecf7e3cd1fed52fcbd765e91c93975a69e56781806907

General

Target

1f8797a5ea837b256d7ecf7e3cd1fed52fcbd765e91c93975a69e56781806907.exe
Size

601KB
MD5

d9c8bd38f224c7a9708ea0699ea0411b
SHA1

81d7ef1b4ab40e8aecedfc0964498d023c398b56
SHA256

1f8797a5ea837b256d7ecf7e3cd1fed52fcbd765e91c93975a69e56781806907
SHA512

8fa732f8d262911ca152b3555a2d134fe3919d105710f1c0877c60f2524113676c27910497171ca713082041480d0173064be6666ec23b93faee2ea2933f9b8a

Score

10^/10

njrat hacked persistence trojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

HacKed

C2

134.249.177.58:1604

Mutex

262f5018bfdda234f289191972a2bad6

Attributes

reg_key
262f5018bfdda234f289191972a2bad6
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 2 IoCs

Processes:

rascripten.exesvhost.exe

pid process

1692 rascripten.exe
1520 svhost.exe
Loads dropped DLL 1 IoCs

Processes:

RegAsm.exe

pid process

1996 RegAsm.exe

pid	process
1692	rascripten.exe
1520	svhost.exe

pid	process
1996	RegAsm.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

powershell.exepowershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\chome_exe = "C:\\Users\\Admin\\AppData\\Roaming\\vlc\\chome_exe.exe"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\chome_exe = "C:\\Users\\Admin\\AppData\\Roaming\\vlc\\chome_exe.exe"	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

1f8797a5ea837b256d7ecf7e3cd1fed52fcbd765e91c93975a69e56781806907.exerascripten.exe

description	pid	process	target process
PID 388 set thread context of 1996	388	1f8797a5ea837b256d7ecf7e3cd1fed52fcbd765e91c93975a69e56781806907.exe	RegAsm.exe
PID 1692 set thread context of 1080	1692	rascripten.exe	RegAsm.exe

Drops file in Windows directory 3 IoCs

Processes:

RegAsm.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	RegAsm.exe
File created	C:\Windows\svhost.exe	RegAsm.exe
File opened for modification	C:\Windows\svhost.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

1880 powershell.exe
1100 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1880 powershell.exe
Token: SeDebugPrivilege 1100 powershell.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

DllHost.exe

pid process

336 DllHost.exe

pid	process
1880	powershell.exe
1100	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1880	powershell.exe
Token: SeDebugPrivilege	1100	powershell.exe

pid	process
336	DllHost.exe

Suspicious use of WriteProcessMemory 41 IoCs

Processes:

1f8797a5ea837b256d7ecf7e3cd1fed52fcbd765e91c93975a69e56781806907.exeRegAsm.exerascripten.exeRegAsm.exe

description	pid	process	target process
PID 388 wrote to memory of 1880	388	1f8797a5ea837b256d7ecf7e3cd1fed52fcbd765e91c93975a69e56781806907.exe	powershell.exe
PID 388 wrote to memory of 1880	388	1f8797a5ea837b256d7ecf7e3cd1fed52fcbd765e91c93975a69e56781806907.exe	powershell.exe
PID 388 wrote to memory of 1880	388	1f8797a5ea837b256d7ecf7e3cd1fed52fcbd765e91c93975a69e56781806907.exe	powershell.exe
PID 388 wrote to memory of 1880	388	1f8797a5ea837b256d7ecf7e3cd1fed52fcbd765e91c93975a69e56781806907.exe	powershell.exe
PID 388 wrote to memory of 1996	388	1f8797a5ea837b256d7ecf7e3cd1fed52fcbd765e91c93975a69e56781806907.exe	RegAsm.exe
PID 388 wrote to memory of 1996	388	1f8797a5ea837b256d7ecf7e3cd1fed52fcbd765e91c93975a69e56781806907.exe	RegAsm.exe
PID 388 wrote to memory of 1996	388	1f8797a5ea837b256d7ecf7e3cd1fed52fcbd765e91c93975a69e56781806907.exe	RegAsm.exe
PID 388 wrote to memory of 1996	388	1f8797a5ea837b256d7ecf7e3cd1fed52fcbd765e91c93975a69e56781806907.exe	RegAsm.exe
PID 388 wrote to memory of 1996	388	1f8797a5ea837b256d7ecf7e3cd1fed52fcbd765e91c93975a69e56781806907.exe	RegAsm.exe
PID 388 wrote to memory of 1996	388	1f8797a5ea837b256d7ecf7e3cd1fed52fcbd765e91c93975a69e56781806907.exe	RegAsm.exe
PID 388 wrote to memory of 1996	388	1f8797a5ea837b256d7ecf7e3cd1fed52fcbd765e91c93975a69e56781806907.exe	RegAsm.exe
PID 388 wrote to memory of 1996	388	1f8797a5ea837b256d7ecf7e3cd1fed52fcbd765e91c93975a69e56781806907.exe	RegAsm.exe
PID 388 wrote to memory of 1996	388	1f8797a5ea837b256d7ecf7e3cd1fed52fcbd765e91c93975a69e56781806907.exe	RegAsm.exe
PID 388 wrote to memory of 1996	388	1f8797a5ea837b256d7ecf7e3cd1fed52fcbd765e91c93975a69e56781806907.exe	RegAsm.exe
PID 388 wrote to memory of 1996	388	1f8797a5ea837b256d7ecf7e3cd1fed52fcbd765e91c93975a69e56781806907.exe	RegAsm.exe
PID 388 wrote to memory of 1996	388	1f8797a5ea837b256d7ecf7e3cd1fed52fcbd765e91c93975a69e56781806907.exe	RegAsm.exe
PID 388 wrote to memory of 1996	388	1f8797a5ea837b256d7ecf7e3cd1fed52fcbd765e91c93975a69e56781806907.exe	RegAsm.exe
PID 1996 wrote to memory of 1692	1996	RegAsm.exe	rascripten.exe
PID 1996 wrote to memory of 1692	1996	RegAsm.exe	rascripten.exe
PID 1996 wrote to memory of 1692	1996	RegAsm.exe	rascripten.exe
PID 1996 wrote to memory of 1692	1996	RegAsm.exe	rascripten.exe
PID 1692 wrote to memory of 1100	1692	rascripten.exe	powershell.exe
PID 1692 wrote to memory of 1100	1692	rascripten.exe	powershell.exe
PID 1692 wrote to memory of 1100	1692	rascripten.exe	powershell.exe
PID 1692 wrote to memory of 1100	1692	rascripten.exe	powershell.exe
PID 1692 wrote to memory of 1080	1692	rascripten.exe	RegAsm.exe
PID 1692 wrote to memory of 1080	1692	rascripten.exe	RegAsm.exe
PID 1692 wrote to memory of 1080	1692	rascripten.exe	RegAsm.exe
PID 1692 wrote to memory of 1080	1692	rascripten.exe	RegAsm.exe
PID 1692 wrote to memory of 1080	1692	rascripten.exe	RegAsm.exe
PID 1692 wrote to memory of 1080	1692	rascripten.exe	RegAsm.exe
PID 1692 wrote to memory of 1080	1692	rascripten.exe	RegAsm.exe
PID 1692 wrote to memory of 1080	1692	rascripten.exe	RegAsm.exe
PID 1692 wrote to memory of 1080	1692	rascripten.exe	RegAsm.exe
PID 1692 wrote to memory of 1080	1692	rascripten.exe	RegAsm.exe
PID 1692 wrote to memory of 1080	1692	rascripten.exe	RegAsm.exe
PID 1692 wrote to memory of 1080	1692	rascripten.exe	RegAsm.exe
PID 1080 wrote to memory of 1520	1080	RegAsm.exe	svhost.exe
PID 1080 wrote to memory of 1520	1080	RegAsm.exe	svhost.exe
PID 1080 wrote to memory of 1520	1080	RegAsm.exe	svhost.exe
PID 1080 wrote to memory of 1520	1080	RegAsm.exe	svhost.exe

C:\Users\Admin\AppData\Local\Temp\1f8797a5ea837b256d7ecf7e3cd1fed52fcbd765e91c93975a69e56781806907.exe
"C:\Users\Admin\AppData\Local\Temp\1f8797a5ea837b256d7ecf7e3cd1fed52fcbd765e91c93975a69e56781806907.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:388

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'chome_exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'chome_exe' -Value '"C:\Users\Admin\AppData\Roaming\vlc\chome_exe.exe"' -PropertyType 'String'
2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1880

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1996

C:\Users\Admin\AppData\Local\Temp\rascripten.exe
"C:\Users\Admin\AppData\Local\Temp\rascripten.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1692

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'chome_exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'chome_exe' -Value '"C:\Users\Admin\AppData\Roaming\vlc\chome_exe.exe"' -PropertyType 'String'
4⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1100

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1080

C:\Windows\svhost.exe
"C:\Windows\svhost.exe"
5⤵
- Executes dropped EXE
PID:1520

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:336

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\505004b3d8477cd3f5f6ce6e38a5bddd.jpg
Filesize
89KB

MD5
b3aa3d966717eb722f2b125adb8cd2bf

SHA1
322f31885651daab9300357250f57acf63e77223

SHA256
13175b89d9de8e6cea9a5d8655445da96230b327abb30dc38fa7ee1b94a39486

SHA512
a0bcf8460fe3d28ee1cc2956a200f252479d4612e74a45ed8aa207e6125466cc011ade17cb9d6a80e6408ec9b2202709c3b3a068b8168b8b4197f4dee1c61ae3

Download Submit
C:\Users\Admin\AppData\Local\Temp\rascripten.exe
Filesize
321KB

MD5
42ff1d9269a62e9b2e00def6b377e060

SHA1
115f05436b0e0fc554478cb336bcfb298c17b065

SHA256
d052a1c250cf3b6c34a905e278ddcc6a6a98fa95f7a455f61e7e32bfbcfe4770

SHA512
cebb74db003d2128d549ad0f088b2fbace339afd995b3b9408cf6b678e5f5a6c5298e2c2d89e07b498b68d215f4f5ff681fa652a9f6eefd6de83c478f344e55e

Download Submit
C:\Users\Admin\AppData\Local\Temp\rascripten.exe
Filesize
321KB

MD5
42ff1d9269a62e9b2e00def6b377e060

SHA1
115f05436b0e0fc554478cb336bcfb298c17b065

SHA256
d052a1c250cf3b6c34a905e278ddcc6a6a98fa95f7a455f61e7e32bfbcfe4770

SHA512
cebb74db003d2128d549ad0f088b2fbace339afd995b3b9408cf6b678e5f5a6c5298e2c2d89e07b498b68d215f4f5ff681fa652a9f6eefd6de83c478f344e55e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
f36694a2294e44c2e1b759793dd3892e

SHA1
eaf59dc5e88351ce01e298e6a441d78035b45404

SHA256
df39d0f34610c9f927840add57b0c42ae6c7fec427aed44168f9da7c50eaca4f

SHA512
26536d7ddd665ec6687c3da3c678bb817ac9dd3f12cd68cf732d94bf6eb7ebc4a6a53f3118c13fcbbd5314eea10f50be5c4b50f23c2c0895397e6018cb392c39

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\chome_exe.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\svhost.exe
Filesize
63KB

MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
C:\Windows\svhost.exe
Filesize
63KB

MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
\Users\Admin\AppData\Local\Temp\rascripten.exe
Filesize
321KB

MD5
42ff1d9269a62e9b2e00def6b377e060

SHA1
115f05436b0e0fc554478cb336bcfb298c17b065

SHA256
d052a1c250cf3b6c34a905e278ddcc6a6a98fa95f7a455f61e7e32bfbcfe4770

SHA512
cebb74db003d2128d549ad0f088b2fbace339afd995b3b9408cf6b678e5f5a6c5298e2c2d89e07b498b68d215f4f5ff681fa652a9f6eefd6de83c478f344e55e

Download Submit
memory/388-54-0x0000000001330000-0x00000000013CC000-memory.dmp

Filesize
624KB

Download
memory/388-55-0x0000000076C81000-0x0000000076C83000-memory.dmp

Filesize
8KB

Download
memory/388-56-0x00000000006D0000-0x0000000000728000-memory.dmp

Filesize
352KB

Download
memory/1080-90-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1080-95-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1080-91-0x000000000040ABBE-mapping.dmp

Download
memory/1080-93-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1080-86-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1080-89-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1080-85-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1080-88-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1100-99-0x00000000708F0000-0x0000000070E9B000-memory.dmp

Filesize
5.7MB

Download
memory/1100-84-0x0000000000000000-mapping.dmp

Download
memory/1520-103-0x0000000001320000-0x0000000001332000-memory.dmp

Filesize
72KB

Download
memory/1520-100-0x0000000000000000-mapping.dmp

Download
memory/1692-72-0x0000000000000000-mapping.dmp

Download
memory/1692-82-0x0000000000300000-0x0000000000312000-memory.dmp

Filesize
72KB

Download
memory/1692-75-0x0000000000B20000-0x0000000000B76000-memory.dmp

Filesize
344KB

Download
memory/1880-79-0x0000000074F60000-0x000000007550B000-memory.dmp

Filesize
5.7MB

Download
memory/1880-80-0x0000000074F60000-0x000000007550B000-memory.dmp

Filesize
5.7MB

Download
memory/1880-57-0x0000000000000000-mapping.dmp

Download
memory/1996-78-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1996-68-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1996-65-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1996-66-0x0000000000401AE1-mapping.dmp

Download
memory/1996-63-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1996-62-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1996-61-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1996-60-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1996-59-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads