njrat | 7a535a6d9d4925e4c30b23a00bee6e90f50e69e2d7fa702e49b5bc7b7ec770f9

Analysis

max time kernel
9s
max time network
45s
platform
windows7_x64
resource
win7-20220414-en
submitted
30-06-2022 19:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7a535a6d9d4925e4c30b23a00bee6e90f50e69e2d7fa702e49b5bc7b7ec770f9.exe
Size

3.3MB
MD5

5fdb4467d3af6354416696aeab904fe3
SHA1

a6faa74248c429e454744e0d8de759b5ec4ee6e6
SHA256

7a535a6d9d4925e4c30b23a00bee6e90f50e69e2d7fa702e49b5bc7b7ec770f9
SHA512

e39a36b691346f489673c5d3656d8d7208a893e48a3f5b714aebad0640864af21854777865e9a8c91ed2bd845621c1d98703a27be1a6ccf1bcade3a05889a215

Score

10^/10

njrat hacked evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

HacKed

OpenPort5327-59758.portmap.io:59758

Mutex

bc3cca920e0c4884738f7af46734518b

Attributes

reg_key
bc3cca920e0c4884738f7af46734518b
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 1 IoCs

Processes:

CDS.exe

pid process

1828 CDS.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

1532 netsh.exe
Loads dropped DLL 3 IoCs

Processes:

7a535a6d9d4925e4c30b23a00bee6e90f50e69e2d7fa702e49b5bc7b7ec770f9.exeCDS.exe

pid process

1632 7a535a6d9d4925e4c30b23a00bee6e90f50e69e2d7fa702e49b5bc7b7ec770f9.exe
1828 CDS.exe
1828 CDS.exe

pid	process
1828	CDS.exe

pid	process
1532	netsh.exe

pid	process
1632	7a535a6d9d4925e4c30b23a00bee6e90f50e69e2d7fa702e49b5bc7b7ec770f9.exe
1828	CDS.exe
1828	CDS.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

7a535a6d9d4925e4c30b23a00bee6e90f50e69e2d7fa702e49b5bc7b7ec770f9.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	7a535a6d9d4925e4c30b23a00bee6e90f50e69e2d7fa702e49b5bc7b7ec770f9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	7a535a6d9d4925e4c30b23a00bee6e90f50e69e2d7fa702e49b5bc7b7ec770f9.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

CDS.exe

pid process

1828 CDS.exe

pid	process
1828	CDS.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

7a535a6d9d4925e4c30b23a00bee6e90f50e69e2d7fa702e49b5bc7b7ec770f9.exe

description	pid	process	target process
PID 1632 wrote to memory of 1828	1632	7a535a6d9d4925e4c30b23a00bee6e90f50e69e2d7fa702e49b5bc7b7ec770f9.exe	CDS.exe
PID 1632 wrote to memory of 1828	1632	7a535a6d9d4925e4c30b23a00bee6e90f50e69e2d7fa702e49b5bc7b7ec770f9.exe	CDS.exe
PID 1632 wrote to memory of 1828	1632	7a535a6d9d4925e4c30b23a00bee6e90f50e69e2d7fa702e49b5bc7b7ec770f9.exe	CDS.exe
PID 1632 wrote to memory of 1828	1632	7a535a6d9d4925e4c30b23a00bee6e90f50e69e2d7fa702e49b5bc7b7ec770f9.exe	CDS.exe
PID 1632 wrote to memory of 1828	1632	7a535a6d9d4925e4c30b23a00bee6e90f50e69e2d7fa702e49b5bc7b7ec770f9.exe	CDS.exe
PID 1632 wrote to memory of 1828	1632	7a535a6d9d4925e4c30b23a00bee6e90f50e69e2d7fa702e49b5bc7b7ec770f9.exe	CDS.exe
PID 1632 wrote to memory of 1828	1632	7a535a6d9d4925e4c30b23a00bee6e90f50e69e2d7fa702e49b5bc7b7ec770f9.exe	CDS.exe

C:\Users\Admin\AppData\Local\Temp\7a535a6d9d4925e4c30b23a00bee6e90f50e69e2d7fa702e49b5bc7b7ec770f9.exe
"C:\Users\Admin\AppData\Local\Temp\7a535a6d9d4925e4c30b23a00bee6e90f50e69e2d7fa702e49b5bc7b7ec770f9.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1632

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1828

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe
"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe"
3⤵
PID:1396

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe" "crypted.exe" ENABLE
4⤵
- Modifies Windows Firewall
PID:1532

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x554
1⤵
PID:1708

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\630_10.png
Filesize
2KB

MD5
340b294efc691d1b20c64175d565ebc7

SHA1
81cb9649bd1c9a62ae79e781818fc24d15c29ce7

SHA256
72566894059452101ea836bbff9ede5069141eeb52022ab55baa24e1666825c9

SHA512
1395a8e175c63a1a1ff459a9dac437156c74299272e020e7e078a087969251a8534f17244a529acbc1b6800a97d4c0abfa3c88f6fcb88423f56dfaae9b49fc3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.cdd
Filesize
13KB

MD5
3e7ecaeb51c2812d13b07ec852d74aaf

SHA1
e9bdab93596ffb0f7f8c65243c579180939acb26

SHA256
e7e942993864e8b18780ef10a415f7b93924c6378248c52f0c96895735222b96

SHA512
635cd5173b595f1905af9eeea65037601cf8496d519c506b6d082662d438c26a1bfe653eaf6edcb117ccf8767975c37ab0238ca4c77574e2706f9b238a15ad4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
Filesize
19KB

MD5
10626d1591c2239dddd9d18fa7a63f7c

SHA1
f88a9429306ceaa3c12f33fc39a11598a24e9264

SHA256
10b99863eee41e52ca6c2b3dcc2ab6a34ca6edcba093dd29652056ad8d6098d2

SHA512
247de839d9b06038b80927ec83c9ee6d59c7a071f54400ea20a88448abb5a3fbe0ef832ca1ef2ab3b81fbfb75e965fa14118c2d2af5a7ca527805dce3ddd0029

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
Filesize
22KB

MD5
0b3686cfc1504a6d1cf23b7633b744d3

SHA1
19b471d3ed9a5c9fcd34d1430a9021fff76348b6

SHA256
3a5b8a88e72bdf8327069a063a5fb4e474fdcb6a7b6ae4280475f9db76cc2fb4

SHA512
02ccdfd2665a6d3da4d42f1ec3b2cbf3b41877f330836959c7ac2b76a7b2a85ba53d3741f49b937e53d2e23a2e90f0a2ffa8dfd626dd4c21a59fc7e90b06ddb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c.dat
Filesize
27KB

MD5
88cc21190d5e4c79be22d36fc7705b39

SHA1
fb52fbd238a93fc216279866906ebeb4049f2574

SHA256
746fc1e164703d631826157af6a136cbb210e1a06f4daa67bf5597a19bdda954

SHA512
4fba6d8310aa831f093b9c1176a76df77dda8ef497f1898e04252408bee4c57ed743305175152be8b4d520eac5be61886df8c071c328912d92d68511e21f75c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe
Filesize
23KB

MD5
89225aca6f6204ed41577299d32a0aac

SHA1
c89d32f2ffafce9d2127e5c96ab64fb5d7e51a2a

SHA256
9f786edc3b89b647ec27f5c67b3a0ba5bba6cf3d9faaf6271764b1698229798e

SHA512
7ae576a22ae5a6ce284b18a8276cce357394a9b2aec2b7500194047f2026226e68416270cd993b50af96ff7627bf3501e1608649a8aa1776a78a03abc55f53f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe
Filesize
23KB

MD5
1c1991fd3388c306c3f413837dd637b5

SHA1
59be340adb472a9475b8e8ea291aaea07d4fd204

SHA256
bebea5b15458cc781b306a9fac3bee6b857aa6c9bf97e38bc665597f9be6523c

SHA512
136ec0f50ecd66c3d746713eef15ba2a13bc32fa0a61daf7f97fe0e0722d2e597e1db39e24990e2c8a2b76005bad7df7290ca058a120ffbbe9800886aedd62c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fs.settings
Filesize
5B

MD5
68934a3e9455fa72420237eb05902327

SHA1
7cb6efb98ba5972a9b5090dc2e517fe14d12cb04

SHA256
fcbcf165908dd18a9e49f7ff27810176db8e9f63b4352213741664245224f8aa

SHA512
719fa67eef49c4b2a2b83f0c62bddd88c106aaadb7e21ae057c8802b700e36f81fe3f144812d8b05d66dc663d908b25645e153262cf6d457aa34e684af9e328d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lua5.1.dll
Filesize
27KB

MD5
5de50c6135017f707ac48fa73be981b3

SHA1
2e57bf5357eee76f9de527fa4b5493f2ae3ba782

SHA256
83f525a2857e3e70aca6b8f06f6e6feb1337599d629a1e0482551be02b345a4f

SHA512
7a53a15bc320fa1df407edea7332d38dbce56d2b63ca5229264a06543aeac307a0888865fcd4c462f32d41f43c2a395996ab3dc6b044e524ac8cf745036e0b45

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
Filesize
7KB

MD5
7a4e32942dc1cdb4b3652d37319489e9

SHA1
5bfdc0f6a2f294f50f4f1c9ad55ec9e5a0e0aa02

SHA256
c6b210c4340ee0bd43a91956fb94a80568a6ba225532cf3be58e1f789f781692

SHA512
a8f920f9717f5b85695b10cbbb750ae41f874d3e086e8ae4512c52e6daf744ee06585c272e32099d85e261cb944b9e6335870fecdb2e6c5e1d17aac01f901a15

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
Filesize
10KB

MD5
d43cdf2687b80b71a2f3795d1e7c8426

SHA1
8087541c9c46635078fda6d81324f582dad3fb32

SHA256
5f5252641095c8bc7f3f20a20adcdd13b031eb0522bfb44038f9ac26a281cf45

SHA512
485e91c1678784ce9bbf155d0553bf644acf39bed841c6f51f0bdf7c41f456f62c79c9a3ad178e2581d6473b5541bcd9384719b62715fdbae6058a54c45465c5

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
Filesize
28KB

MD5
94d0454718361c8ea81e3af653ede837

SHA1
e1b3f24c5d64f9a20327612d79b98b31692c7332

SHA256
ee04b69228c753c836970ab6a79a63cfa2f599d2f75a8be83f17597adf8130f2

SHA512
8c3a92ea39267becd97ee097cb92f88dfbf2d11d4342d40a7774cb5ad12d35954b19ae23f4a6a13976917ba3d5d7f384cbeb27b900dbe2a3c00c4a391980b82c

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe
Filesize
32KB

MD5
42ad5df88bd06145e2070895def1082b

SHA1
802e0ec1649d2cb2c680d252cae0b8eff45b5a4b

SHA256
b3548b3d9a26754460702252bce871750f848786bc8072215eaefa83fa2c8967

SHA512
d06ecaf8aa3bbec4f4dfc98751883c9d9b005ddf53a57c8b14e7d6b2690cc3046a7dfa3e25a6b41562f54f4173c5a1e813a1407def1ef006d78409aa4727161f

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe
Filesize
26KB

MD5
b050ee20c1fc8da7e497795477e0ae27

SHA1
f6a47d677c84e423f662b719981c9b62edfd3ddf

SHA256
422d87e49a1eae72ad80c5f4b2aa34e3a35dc7f19fc40c6dcf118a990db7649d

SHA512
d7271d5841f20c870c9bb6d4dd60b9be936370c8aaf8b1d85daa5a5e79ccc5fbceecf175718813996920221486ef50fcd025ba3b213906377f3b862fe778ec1b

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe
Filesize
37KB

MD5
bb38fcc12f22e893d7a384d719cd5f08

SHA1
c7f25ccffa3dfef9e31651fabdb46787e1fb46c0

SHA256
7d70167dc81c6a9a375032d5398807f83060c6b8fb0658f1e330f71e397ee0a9

SHA512
3cd08b3876c223a9d363c3765a57da4cf5f03f87259e5454af938251de4c135f1bfbca8dce3028be6fba8631beba34dfa51defa8bb81b6822c5d77ffc536fade

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe
Filesize
10KB

MD5
9f24ec5f1e71f058e9414366ad2f0cf8

SHA1
5fd500a17e07419ba34b77aee3140f29619d97d2

SHA256
de35f6fff1f924dd13b91bdfbc52d326a8b47d1f20b46f9f6ca2a97d45999331

SHA512
cc856240ff798f8f0167c253d52ee2d2be5486c7aa4bc0b6b71e45cf113979bb65f5618fae3dd7fff9059ab21e1b2041facc3438dbc1a06723dbb8c2906de6b7

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\lua5.1.dll
Filesize
25KB

MD5
32579910d3a2bd76cdf63fea43008811

SHA1
be2bd03cb658194ba511b5cdc0aec0a60811caf4

SHA256
9a9f2537b4107ba21ddac863eab8f3e57260eb724161cb75811019f860f2c970

SHA512
dbe873cf1dcf9ff96ca8dd38f0d658dc5243cc430367613d5b22a8966a9a82911f79b397a53389628c8b12dee2db88eca8a899c880a45fa7dcbb350e94088755

Download Submit
memory/1396-71-0x0000000000000000-mapping.dmp

Download
memory/1396-76-0x0000000072F10000-0x00000000734BB000-memory.dmp

Filesize
5.7MB

Download
memory/1532-77-0x0000000000000000-mapping.dmp

Download
memory/1632-54-0x0000000075541000-0x0000000075543000-memory.dmp

Filesize
8KB

Download
memory/1828-56-0x0000000000000000-mapping.dmp

Download