njrat | 8f44910456cb859adea91b79b1c53008665ec6fae5bc4ba88bbf81edab0e7fed

Analysis

max time kernel
1s
max time network
52s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
30-06-2022 19:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8f44910456cb859adea91b79b1c53008665ec6fae5bc4ba88bbf81edab0e7fed.exe
Size

3.2MB
MD5

30fb03c95b0bab5bf680d8c08592ed46
SHA1

a3797aeb14ab3ac4f4215cca8f5dac6d9f61294b
SHA256

8f44910456cb859adea91b79b1c53008665ec6fae5bc4ba88bbf81edab0e7fed
SHA512

1567cc9902b40b9c9aa4607029e1022910129332c5a4869b005465b9fc0b444b457f918b1546393032f78e14ba5de867775bb361d629b2dcc01ba5e65f7a5387

Score

10^/10

njrat hacked persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

127.0.0.1:1177

Mutex

212683d986fb740ad6a40184df48e604

Attributes

reg_key
212683d986fb740ad6a40184df48e604
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 1 IoCs

Processes:

CDS.exe

pid process

2804 CDS.exe
Loads dropped DLL 1 IoCs

Processes:

CDS.exe

pid process

2804 CDS.exe

pid	process
2804	CDS.exe

pid	process
2804	CDS.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

8f44910456cb859adea91b79b1c53008665ec6fae5bc4ba88bbf81edab0e7fed.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	8f44910456cb859adea91b79b1c53008665ec6fae5bc4ba88bbf81edab0e7fed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	8f44910456cb859adea91b79b1c53008665ec6fae5bc4ba88bbf81edab0e7fed.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

CDS.exe

pid process

2804 CDS.exe

pid	process
2804	CDS.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

8f44910456cb859adea91b79b1c53008665ec6fae5bc4ba88bbf81edab0e7fed.exe

description	pid	process	target process
PID 2468 wrote to memory of 2804	2468	8f44910456cb859adea91b79b1c53008665ec6fae5bc4ba88bbf81edab0e7fed.exe	CDS.exe
PID 2468 wrote to memory of 2804	2468	8f44910456cb859adea91b79b1c53008665ec6fae5bc4ba88bbf81edab0e7fed.exe	CDS.exe
PID 2468 wrote to memory of 2804	2468	8f44910456cb859adea91b79b1c53008665ec6fae5bc4ba88bbf81edab0e7fed.exe	CDS.exe

C:\Users\Admin\AppData\Local\Temp\8f44910456cb859adea91b79b1c53008665ec6fae5bc4ba88bbf81edab0e7fed.exe
"C:\Users\Admin\AppData\Local\Temp\8f44910456cb859adea91b79b1c53008665ec6fae5bc4ba88bbf81edab0e7fed.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2468

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2804

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe
"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe"
3⤵
PID:436

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2c8 0x390
1⤵
PID:1448

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\630_10.png
Filesize
2KB

MD5
340b294efc691d1b20c64175d565ebc7

SHA1
81cb9649bd1c9a62ae79e781818fc24d15c29ce7

SHA256
72566894059452101ea836bbff9ede5069141eeb52022ab55baa24e1666825c9

SHA512
1395a8e175c63a1a1ff459a9dac437156c74299272e020e7e078a087969251a8534f17244a529acbc1b6800a97d4c0abfa3c88f6fcb88423f56dfaae9b49fc3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.cdd
Filesize
13KB

MD5
3e7ecaeb51c2812d13b07ec852d74aaf

SHA1
e9bdab93596ffb0f7f8c65243c579180939acb26

SHA256
e7e942993864e8b18780ef10a415f7b93924c6378248c52f0c96895735222b96

SHA512
635cd5173b595f1905af9eeea65037601cf8496d519c506b6d082662d438c26a1bfe653eaf6edcb117ccf8767975c37ab0238ca4c77574e2706f9b238a15ad4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
Filesize
41KB

MD5
a144b78846e4302c1e84214ed482c0b2

SHA1
80a57445c2ca7643d78b33d8f351af7e1ed0f98a

SHA256
6c44b4657fccf342f43a59ff6bcdc8d3095dc3d0aad65ca48d40a6d7568a657c

SHA512
557218151d107e7c439f984aa1144e40694f4b4370b733a3eead1bebea1814748abdfd0b01a0f66d616f6f0bf17ce0ce14fcfb523529c2b9fe59c0e454c4efcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
Filesize
23KB

MD5
774bbe533ad94c9a175b7100e7aae46c

SHA1
784923ea35e9e12107f8e14785cad5627a19b6af

SHA256
050622378c0f9a6b71dcfba450ca50580f44993e3503b2a2118aa69f48c59710

SHA512
d5561f505c9803bd9e5d7b1d34b9bd70f47982122780569f0a6da3666bcfa86fada5b2bea786785b3e35c69f896182ca1893889c4b1078b8b5e1f8da1c2a99c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c.dat
Filesize
23KB

MD5
01d4d4fd9d6b2e39046d98307e5b4ac6

SHA1
d052fb757798c3967fce8bc710bcaee866dfa34b

SHA256
6addc4c4578f794f22d0118c245dd4ecd3b8d9a057b031591a013e4b0bd37413

SHA512
500a2d4e01d35d291f3b22e6c9d31a6c49f725767d132b56492b664eee4826f692883da4a3bc7705a8c94270779e994bc7e1f612ae498ea338c64c4fcdc4972f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe
Filesize
23KB

MD5
94fa68bbf74308218c84ce10c10823b5

SHA1
23d88e65b36b92d3bcc00e902e5b50f9dab0ee0d

SHA256
ad9141b2ab57cfc15e771222ecd4573d223e9db376da4c7c047ad1b42fda3f19

SHA512
9d2c4eceb828cb62ca7bdc19aef5a09b4da9d51aa1132242aa4755bbb6abeba80a6346da312977612749a5b293ab3eca735219d420f3e4bf63f4f1c622e6106e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fs.settings
Filesize
5B

MD5
68934a3e9455fa72420237eb05902327

SHA1
7cb6efb98ba5972a9b5090dc2e517fe14d12cb04

SHA256
fcbcf165908dd18a9e49f7ff27810176db8e9f63b4352213741664245224f8aa

SHA512
719fa67eef49c4b2a2b83f0c62bddd88c106aaadb7e21ae057c8802b700e36f81fe3f144812d8b05d66dc663d908b25645e153262cf6d457aa34e684af9e328d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lua5.1.dll
Filesize
21KB

MD5
e890b697e9d4f9907d00cd52e0cbbbd7

SHA1
49089a9a10fa13fe5f792836668a195a00033383

SHA256
3208c1faeace4111b60a70f5246d91f550183e6a9ca66cb5ec58ea2cf00d98aa

SHA512
277c476780e2b110bcf57c0e57c99d36e47150f9eca3e890c7d86a5cd93800e547c483d6e3e62e1d6b1ed716333ae1091da1ebca01123b8144714ade09aee8ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lua5.1.dll
Filesize
322KB

MD5
c3256800dce47c14acc83ccca4c3e2ac

SHA1
9d126818c66991dbc3813a65eddb88bbcf77f30a

SHA256
f26f4f66022acc96d0319c09814ebeda60f4ab96b63b6262045dc786dc7c5866

SHA512
6865a98ad8a6bd02d1ba35a28b36b6306af393f5e9ad767cd6da027bb021f7399d629423f510c44436ac3e4603b6c606493edf8b14d21fabf3eab16d37bd0d25

Download Submit
memory/436-139-0x0000000000000000-mapping.dmp

Download
memory/2804-130-0x0000000000000000-mapping.dmp

Download