njrat | 8f44910456cb859adea91b79b1c53008665ec6fae5bc4ba88bbf81edab0e7fed

Analysis

max time kernel
1s
max time network
44s
platform
windows7_x64
resource
win7-20220414-en
submitted
30-06-2022 19:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8f44910456cb859adea91b79b1c53008665ec6fae5bc4ba88bbf81edab0e7fed.exe
Size

3.2MB
MD5

30fb03c95b0bab5bf680d8c08592ed46
SHA1

a3797aeb14ab3ac4f4215cca8f5dac6d9f61294b
SHA256

8f44910456cb859adea91b79b1c53008665ec6fae5bc4ba88bbf81edab0e7fed
SHA512

1567cc9902b40b9c9aa4607029e1022910129332c5a4869b005465b9fc0b444b457f918b1546393032f78e14ba5de867775bb361d629b2dcc01ba5e65f7a5387

Score

10^/10

njrat hacked persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

127.0.0.1:1177

Mutex

212683d986fb740ad6a40184df48e604

Attributes

reg_key
212683d986fb740ad6a40184df48e604
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Loads dropped DLL 1 IoCs

Processes:

8f44910456cb859adea91b79b1c53008665ec6fae5bc4ba88bbf81edab0e7fed.exe

pid process

1680 8f44910456cb859adea91b79b1c53008665ec6fae5bc4ba88bbf81edab0e7fed.exe

pid	process
1680	8f44910456cb859adea91b79b1c53008665ec6fae5bc4ba88bbf81edab0e7fed.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

8f44910456cb859adea91b79b1c53008665ec6fae5bc4ba88bbf81edab0e7fed.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	8f44910456cb859adea91b79b1c53008665ec6fae5bc4ba88bbf81edab0e7fed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	8f44910456cb859adea91b79b1c53008665ec6fae5bc4ba88bbf81edab0e7fed.exe

C:\Users\Admin\AppData\Local\Temp\8f44910456cb859adea91b79b1c53008665ec6fae5bc4ba88bbf81edab0e7fed.exe
"C:\Users\Admin\AppData\Local\Temp\8f44910456cb859adea91b79b1c53008665ec6fae5bc4ba88bbf81edab0e7fed.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
PID:1680

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
2⤵
PID:1312

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe
"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe"
3⤵
PID:1212

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4b4
1⤵
PID:1716

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\630_10.png
Filesize
2KB

MD5
340b294efc691d1b20c64175d565ebc7

SHA1
81cb9649bd1c9a62ae79e781818fc24d15c29ce7

SHA256
72566894059452101ea836bbff9ede5069141eeb52022ab55baa24e1666825c9

SHA512
1395a8e175c63a1a1ff459a9dac437156c74299272e020e7e078a087969251a8534f17244a529acbc1b6800a97d4c0abfa3c88f6fcb88423f56dfaae9b49fc3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.cdd
Filesize
13KB

MD5
3e7ecaeb51c2812d13b07ec852d74aaf

SHA1
e9bdab93596ffb0f7f8c65243c579180939acb26

SHA256
e7e942993864e8b18780ef10a415f7b93924c6378248c52f0c96895735222b96

SHA512
635cd5173b595f1905af9eeea65037601cf8496d519c506b6d082662d438c26a1bfe653eaf6edcb117ccf8767975c37ab0238ca4c77574e2706f9b238a15ad4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
Filesize
10KB

MD5
78804992142dc59588864ad8cac91adb

SHA1
8d59928595fa3fb2a1cd2da307e69826211cc764

SHA256
a058e00501f7ef29684bb22fc1fc64d88d08019daafe42b6332e810ca9319368

SHA512
4238327540c146f7671f7ef12a11fcd116ea4912b4b4a876dcc6c7b65843bb9c871d71340aa3a92f0d26fe46df7592b6c123874551885cc99b662c1c85ed13f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
Filesize
28KB

MD5
ecc73a63bafd7ce583709d703258b6e2

SHA1
ffd9ec6b0c61e4644963bfd95b41246cac054390

SHA256
9eae5862ccde32b45f658abdc2bc2518e38d73e53a2cd1e074124c5157f81407

SHA512
e514f49cd0ee41fceb222da171a1735be154b33f54a7a1ffcf92ac087985b7337b0e164833ca0105fa77f2ee363f8df414a16d6fa0261aeb53b53709aa758546

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c.dat
Filesize
15KB

MD5
4a500ecc4da8b552017e723b6ce1a61a

SHA1
0e45f2d7cb7ac284bb29669eac95e7dd42afc163

SHA256
bec71841fb9cb1a6ff21c82de7450d1e0f72b636d41cf14aa1813fd945b9c4a5

SHA512
d05db379d2e07e0cbab7ac03e2dc539b8e28299e5af4ffd402c680c6dbb12cd29c46a9f9d20dc4a02ee1900bf8ac08e47a93da7dfaf022119d4ea47aa5adc49c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe
Filesize
23KB

MD5
94fa68bbf74308218c84ce10c10823b5

SHA1
23d88e65b36b92d3bcc00e902e5b50f9dab0ee0d

SHA256
ad9141b2ab57cfc15e771222ecd4573d223e9db376da4c7c047ad1b42fda3f19

SHA512
9d2c4eceb828cb62ca7bdc19aef5a09b4da9d51aa1132242aa4755bbb6abeba80a6346da312977612749a5b293ab3eca735219d420f3e4bf63f4f1c622e6106e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe
Filesize
18KB

MD5
f70aa754f9e7b17227a419984fdc6390

SHA1
cddbede6e9c0418bce0320522370e2d16b80469b

SHA256
7b42a3452782cdcfab21719956e759478d4a174faf70430801afba2dc072dcd8

SHA512
a6271eeb6dd979b79d74655542e42864cad90b66d4a2b3201dd43d09515fa47640aa2942ddaf509ce79eb4a698ea97f3f0e7514475ce38b1733096e7ce41b29d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fs.settings
Filesize
5B

MD5
68934a3e9455fa72420237eb05902327

SHA1
7cb6efb98ba5972a9b5090dc2e517fe14d12cb04

SHA256
fcbcf165908dd18a9e49f7ff27810176db8e9f63b4352213741664245224f8aa

SHA512
719fa67eef49c4b2a2b83f0c62bddd88c106aaadb7e21ae057c8802b700e36f81fe3f144812d8b05d66dc663d908b25645e153262cf6d457aa34e684af9e328d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lua5.1.dll
Filesize
10KB

MD5
b730b9361d9bc0fdf2f46b9a36fbe25f

SHA1
d1ac364b56ac1990663f501f8a54b76c849e250e

SHA256
e7844704deb274e8ed756f9eee4f9fa9c9f45c502d68a6dfbe3d478e4871654e

SHA512
aebbe3923ba28b5d4e336abff237bc711279afc95a00daaca4d15477766351f489ab5671fd60de87caaecb9c81c28b820cb277137e7d4a5e93c4b60887de0eb2

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
Filesize
16KB

MD5
dd22291d47ed083118d51b7527bc8c95

SHA1
babad2dd0379f1902085a1fa176b989baebfcb86

SHA256
9b79af29319a2d422f22297ec7efe119186ff07c46f64f560805c9bbba3c502d

SHA512
4d2e5d2e2aae8a02a1a6004ea80c17c65abddff466939a34cfb9fd363b3bd5a66d8e6f261134d49bda495b68ff8ac03c1b43e78a0cc05322f8f83b674254c0df

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
Filesize
7KB

MD5
b1612746f30a3a37fbc697c7d5b7e905

SHA1
29ea0d908637f638ec97e03586dd12a235a12b69

SHA256
12b03a0cd6f3e5e3d3f10a1f7621adce63c7aa32ebb4aa5d4535e37100ca6ea6

SHA512
7312685cba0c7c2e1f9a25721ba3df3cf3882456ccc24ff07de4a9a8d229c306228038cf076afe082b983dc0e2a78105616409ecf4a96776fc06dfa32d017c58

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
Filesize
44KB

MD5
1cea4098c6e598905eaff15ca2ea2410

SHA1
f8bd34ce2d3bbf331d517e18ed2404b0328769aa

SHA256
02f43f1ac8e1fac471d772bd3b6a80b684493bbca3f2177891ae272442c05775

SHA512
0bdb78e4d7537925c4017f993feffdf842d9df536b8073dbb26e6bce7616f3a07cd0b0497bca17846fad185197cf3d491613e7decabe2cec692dee62fb263c09

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe
Filesize
20KB

MD5
fb2a9f8abb1a983c368e19904270f856

SHA1
a5cae1a7eaaa7eeb0a246c7beff8ed0dcaaa7d6c

SHA256
fb7dd25233ac83d52043e030654e1be42f413e811b21448faf9113024b603b44

SHA512
059eae0f89eea12bcdb011b57a6edc05a09fb25945a4fcdf2edc0b442057e92aa77924d902f52b4b49a786a622a19167f431c78ecefb9f309c2afe5afb312fd7

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe
Filesize
17KB

MD5
bafbe470c74888de685d88c63661fa5a

SHA1
2fe2a3d9a9d8bf7055547a57615b2eb9881bc9d8

SHA256
68c334c762475e8b3aa39e1e61341c5c1d13ae90dd87a7470fab4088bc96082d

SHA512
17f852ecedbddb168cfef659427678d65fba6935383108028216014c61436c00cb920b46f07ff8b2c371f0f8f509e1169d43666dfff85140488d247bdd28dcee

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe
Filesize
6KB

MD5
07184787e0956b1b9938d81a1e0d26bf

SHA1
b0b0de1bd796eea6f233d1fe4d80d661825c9215

SHA256
18bae2336a2278d3dacd3e9b875a3cd95517c958e897cb4e2c234445c40f9f2a

SHA512
dbf7586901123d28cc4a3a6c1d5e2c2011323570f511bd839532d0103d1a75bb9a7bd15d1b1b2670e3d3a24040dfe92b7a8d2b3002516af12d0e769d368a6232

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe
Filesize
21KB

MD5
e3fe49f962688138c8583e08d7f6dd4c

SHA1
ae03d902ff44ed462709934c2ba33511d73e28fa

SHA256
f906ef8247e730d1b33be28aed54effe1f7f35d121cf6e45bafb08b492181966

SHA512
0dd610f43e715e6631ec188ce401a7ff34986f816def71a99d744b1e1c3f6a6e6cb2a33a97bba0b42c4e0a0582e6475c0a64b0decc8b3a2a8d05ef35f9a85c87

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\lua5.1.dll
Filesize
17KB

MD5
14bf034f14e3593f85f44eab9b2b5835

SHA1
b87da6e9f014de23a2da04853de56f32e5dc88b8

SHA256
4e04da4c1fa6f61d51c3cb561218271b4c9b81e1e3bd21a533c8730c8914aa49

SHA512
99f5b1e6c9f9ea26af95d303d26bdee6b06433786aa4e094d25ee374bf184b00cb149b50d27828714da6355281db90cd8e93d7f55076f8c377f9cf1f0416f9a7

Download Submit
memory/1212-71-0x0000000000000000-mapping.dmp

Download
memory/1212-76-0x00000000735B0000-0x0000000073B5B000-memory.dmp

Filesize
5.7MB

Download
memory/1312-56-0x0000000000000000-mapping.dmp

Download
memory/1680-54-0x0000000076451000-0x0000000076453000-memory.dmp

Filesize
8KB

Download