njrat | 1f8797a5ea837b256d7ecf7e3cd1fed52fcbd765e91c93975a69e56781806907

General

Target

1f8797a5ea837b256d7ecf7e3cd1fed52fcbd765e91c93975a69e56781806907.exe
Size

601KB
MD5

d9c8bd38f224c7a9708ea0699ea0411b
SHA1

81d7ef1b4ab40e8aecedfc0964498d023c398b56
SHA256

1f8797a5ea837b256d7ecf7e3cd1fed52fcbd765e91c93975a69e56781806907
SHA512

8fa732f8d262911ca152b3555a2d134fe3919d105710f1c0877c60f2524113676c27910497171ca713082041480d0173064be6666ec23b93faee2ea2933f9b8a

Score

10^/10

njrat hacked persistence trojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

HacKed

C2

134.249.177.58:1604

Mutex

262f5018bfdda234f289191972a2bad6

Attributes

reg_key
262f5018bfdda234f289191972a2bad6
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 2 IoCs

Processes:

rascripten.exesvhost.exe

pid process

4980 rascripten.exe
4264 svhost.exe

pid	process
4980	rascripten.exe
4264	svhost.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RegAsm.exeRegAsm.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	RegAsm.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

powershell.exepowershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\chome_exe = "C:\\Users\\Admin\\AppData\\Roaming\\vlc\\chome_exe.exe"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\chome_exe = "C:\\Users\\Admin\\AppData\\Roaming\\vlc\\chome_exe.exe"	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

1f8797a5ea837b256d7ecf7e3cd1fed52fcbd765e91c93975a69e56781806907.exerascripten.exe

description	pid	process	target process
PID 4380 set thread context of 4872	4380	1f8797a5ea837b256d7ecf7e3cd1fed52fcbd765e91c93975a69e56781806907.exe	RegAsm.exe
PID 4980 set thread context of 1872	4980	rascripten.exe	RegAsm.exe

Drops file in Windows directory 3 IoCs

Processes:

RegAsm.exe

description	ioc	process
File opened for modification	C:\Windows\svhost.exe	RegAsm.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	RegAsm.exe
File created	C:\Windows\svhost.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exe

pid process

2228 powershell.exe
2228 powershell.exe
1932 powershell.exe
1932 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2228 powershell.exe
Token: SeDebugPrivilege 1932 powershell.exe

pid	process
2228	powershell.exe
2228	powershell.exe
1932	powershell.exe
1932	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2228	powershell.exe
Token: SeDebugPrivilege	1932	powershell.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

1f8797a5ea837b256d7ecf7e3cd1fed52fcbd765e91c93975a69e56781806907.exeRegAsm.exerascripten.exeRegAsm.exe

description	pid	process	target process
PID 4380 wrote to memory of 2228	4380	1f8797a5ea837b256d7ecf7e3cd1fed52fcbd765e91c93975a69e56781806907.exe	powershell.exe
PID 4380 wrote to memory of 2228	4380	1f8797a5ea837b256d7ecf7e3cd1fed52fcbd765e91c93975a69e56781806907.exe	powershell.exe
PID 4380 wrote to memory of 2228	4380	1f8797a5ea837b256d7ecf7e3cd1fed52fcbd765e91c93975a69e56781806907.exe	powershell.exe
PID 4380 wrote to memory of 4872	4380	1f8797a5ea837b256d7ecf7e3cd1fed52fcbd765e91c93975a69e56781806907.exe	RegAsm.exe
PID 4380 wrote to memory of 4872	4380	1f8797a5ea837b256d7ecf7e3cd1fed52fcbd765e91c93975a69e56781806907.exe	RegAsm.exe
PID 4380 wrote to memory of 4872	4380	1f8797a5ea837b256d7ecf7e3cd1fed52fcbd765e91c93975a69e56781806907.exe	RegAsm.exe
PID 4380 wrote to memory of 4872	4380	1f8797a5ea837b256d7ecf7e3cd1fed52fcbd765e91c93975a69e56781806907.exe	RegAsm.exe
PID 4380 wrote to memory of 4872	4380	1f8797a5ea837b256d7ecf7e3cd1fed52fcbd765e91c93975a69e56781806907.exe	RegAsm.exe
PID 4380 wrote to memory of 4872	4380	1f8797a5ea837b256d7ecf7e3cd1fed52fcbd765e91c93975a69e56781806907.exe	RegAsm.exe
PID 4380 wrote to memory of 4872	4380	1f8797a5ea837b256d7ecf7e3cd1fed52fcbd765e91c93975a69e56781806907.exe	RegAsm.exe
PID 4380 wrote to memory of 4872	4380	1f8797a5ea837b256d7ecf7e3cd1fed52fcbd765e91c93975a69e56781806907.exe	RegAsm.exe
PID 4380 wrote to memory of 4872	4380	1f8797a5ea837b256d7ecf7e3cd1fed52fcbd765e91c93975a69e56781806907.exe	RegAsm.exe
PID 4872 wrote to memory of 4980	4872	RegAsm.exe	rascripten.exe
PID 4872 wrote to memory of 4980	4872	RegAsm.exe	rascripten.exe
PID 4872 wrote to memory of 4980	4872	RegAsm.exe	rascripten.exe
PID 4980 wrote to memory of 1932	4980	rascripten.exe	powershell.exe
PID 4980 wrote to memory of 1932	4980	rascripten.exe	powershell.exe
PID 4980 wrote to memory of 1932	4980	rascripten.exe	powershell.exe
PID 4980 wrote to memory of 1872	4980	rascripten.exe	RegAsm.exe
PID 4980 wrote to memory of 1872	4980	rascripten.exe	RegAsm.exe
PID 4980 wrote to memory of 1872	4980	rascripten.exe	RegAsm.exe
PID 4980 wrote to memory of 1872	4980	rascripten.exe	RegAsm.exe
PID 4980 wrote to memory of 1872	4980	rascripten.exe	RegAsm.exe
PID 4980 wrote to memory of 1872	4980	rascripten.exe	RegAsm.exe
PID 4980 wrote to memory of 1872	4980	rascripten.exe	RegAsm.exe
PID 4980 wrote to memory of 1872	4980	rascripten.exe	RegAsm.exe
PID 1872 wrote to memory of 4264	1872	RegAsm.exe	svhost.exe
PID 1872 wrote to memory of 4264	1872	RegAsm.exe	svhost.exe
PID 1872 wrote to memory of 4264	1872	RegAsm.exe	svhost.exe

C:\Users\Admin\AppData\Local\Temp\1f8797a5ea837b256d7ecf7e3cd1fed52fcbd765e91c93975a69e56781806907.exe
"C:\Users\Admin\AppData\Local\Temp\1f8797a5ea837b256d7ecf7e3cd1fed52fcbd765e91c93975a69e56781806907.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4380

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'chome_exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'chome_exe' -Value '"C:\Users\Admin\AppData\Roaming\vlc\chome_exe.exe"' -PropertyType 'String'
2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2228

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4872

C:\Users\Admin\AppData\Local\Temp\rascripten.exe
"C:\Users\Admin\AppData\Local\Temp\rascripten.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4980

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'chome_exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'chome_exe' -Value '"C:\Users\Admin\AppData\Roaming\vlc\chome_exe.exe"' -PropertyType 'String'
4⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1932

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1872

C:\Windows\svhost.exe
"C:\Windows\svhost.exe"
5⤵
- Executes dropped EXE
PID:4264

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
1KB

MD5
def65711d78669d7f8e69313be4acf2e

SHA1
6522ebf1de09eeb981e270bd95114bc69a49cda6

SHA256
aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c

SHA512
05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
264046ad7b68d12c27cf77b15c6cc41e

SHA1
23bfd3a2dcfe1d8ce5bff7250616760932902626

SHA256
5e079f4a681844d039a9c530a408decba76408f7131d086310497a7a3170b475

SHA512
4f653697e24e929dbb06f0f47f8a86533d6cc4edf1bc258f255ed74f97fa06431db5695c77aa83910a032681e127e65ea5d794bc1f2338639bd70ffc5b1215db

Download Submit
C:\Users\Admin\AppData\Local\Temp\rascripten.exe
Filesize
321KB

MD5
42ff1d9269a62e9b2e00def6b377e060

SHA1
115f05436b0e0fc554478cb336bcfb298c17b065

SHA256
d052a1c250cf3b6c34a905e278ddcc6a6a98fa95f7a455f61e7e32bfbcfe4770

SHA512
cebb74db003d2128d549ad0f088b2fbace339afd995b3b9408cf6b678e5f5a6c5298e2c2d89e07b498b68d215f4f5ff681fa652a9f6eefd6de83c478f344e55e

Download Submit
C:\Users\Admin\AppData\Local\Temp\rascripten.exe
Filesize
321KB

MD5
42ff1d9269a62e9b2e00def6b377e060

SHA1
115f05436b0e0fc554478cb336bcfb298c17b065

SHA256
d052a1c250cf3b6c34a905e278ddcc6a6a98fa95f7a455f61e7e32bfbcfe4770

SHA512
cebb74db003d2128d549ad0f088b2fbace339afd995b3b9408cf6b678e5f5a6c5298e2c2d89e07b498b68d215f4f5ff681fa652a9f6eefd6de83c478f344e55e

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\chome_exe.exe
Filesize
321KB

MD5
42ff1d9269a62e9b2e00def6b377e060

SHA1
115f05436b0e0fc554478cb336bcfb298c17b065

SHA256
d052a1c250cf3b6c34a905e278ddcc6a6a98fa95f7a455f61e7e32bfbcfe4770

SHA512
cebb74db003d2128d549ad0f088b2fbace339afd995b3b9408cf6b678e5f5a6c5298e2c2d89e07b498b68d215f4f5ff681fa652a9f6eefd6de83c478f344e55e

Download Submit
C:\Windows\svhost.exe
Filesize
63KB

MD5
0d5df43af2916f47d00c1573797c1a13

SHA1
230ab5559e806574d26b4c20847c368ed55483b0

SHA256
c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc

SHA512
f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

Download Submit
C:\Windows\svhost.exe
Filesize
63KB

MD5
0d5df43af2916f47d00c1573797c1a13

SHA1
230ab5559e806574d26b4c20847c368ed55483b0

SHA256
c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc

SHA512
f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

Download Submit
memory/1872-159-0x0000000000000000-mapping.dmp

Download
memory/1872-163-0x00000000054F0000-0x000000000558C000-memory.dmp

Filesize
624KB

Download
memory/1872-160-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1932-158-0x0000000000000000-mapping.dmp

Download
memory/2228-154-0x00000000072C0000-0x0000000007356000-memory.dmp

Filesize
600KB

Download
memory/2228-156-0x00000000067F0000-0x0000000006812000-memory.dmp

Filesize
136KB

Download
memory/2228-139-0x0000000002920000-0x0000000002956000-memory.dmp

Filesize
216KB

Download
memory/2228-146-0x0000000005B50000-0x0000000005BB6000-memory.dmp

Filesize
408KB

Download
memory/2228-147-0x0000000005C30000-0x0000000005C96000-memory.dmp

Filesize
408KB

Download
memory/2228-143-0x0000000005520000-0x0000000005B48000-memory.dmp

Filesize
6.2MB

Download
memory/2228-144-0x0000000005170000-0x0000000005192000-memory.dmp

Filesize
136KB

Download
memory/2228-136-0x0000000000000000-mapping.dmp

Download
memory/2228-155-0x00000000067A0000-0x00000000067BA000-memory.dmp

Filesize
104KB

Download
memory/2228-153-0x00000000062E0000-0x00000000062FE000-memory.dmp

Filesize
120KB

Download
memory/4264-164-0x0000000000000000-mapping.dmp

Download
memory/4264-167-0x0000000000450000-0x0000000000462000-memory.dmp

Filesize
72KB

Download
memory/4380-133-0x0000000004F60000-0x0000000004F6A000-memory.dmp

Filesize
40KB

Download
memory/4380-135-0x00000000052C0000-0x00000000052DE000-memory.dmp

Filesize
120KB

Download
memory/4380-130-0x0000000000500000-0x000000000059C000-memory.dmp

Filesize
624KB

Download
memory/4380-134-0x0000000005240000-0x00000000052B6000-memory.dmp

Filesize
472KB

Download
memory/4380-132-0x0000000004FC0000-0x0000000005052000-memory.dmp

Filesize
584KB

Download
memory/4380-131-0x00000000054D0000-0x0000000005A74000-memory.dmp

Filesize
5.6MB

Download
memory/4872-137-0x0000000000000000-mapping.dmp

Download
memory/4872-141-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4872-152-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4872-145-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4872-138-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4980-148-0x0000000000000000-mapping.dmp

Download
memory/4980-151-0x0000000000B00000-0x0000000000B56000-memory.dmp

Filesize
344KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads