njrat | 47c6ed7fb2afbadd95212c4dcbb7bd8815c47b218e45c78e8b8589ca93df797d

General

Target

47c6ed7fb2afbadd95212c4dcbb7bd8815c47b218e45c78e8b8589ca93df797d.exe
Size

2.5MB
MD5

27d06d38b1f8e37b47d23c9efd8e25c9
SHA1

b8bdf3ab19c109deb5509f45132686b671fb9552
SHA256

47c6ed7fb2afbadd95212c4dcbb7bd8815c47b218e45c78e8b8589ca93df797d
SHA512

c8afe02e5ce73b371b09d663189248c1c13395f0b3b1bd92c826223193f304ca1a8d1047bd87e289805ac20c10c9443b04688e8d8699bbf503c5d7f5935a8c85

Score

10^/10

njrat steamcompany12bit evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

SteamCompany12bit

C2

192.168.1.183:4444

Mutex

760207cdf3aa547d353591aefcf32cc3

Attributes

reg_key
760207cdf3aa547d353591aefcf32cc3
splitter
Y262SUCZ4UJJ

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 1 IoCs

Processes:

S.exe

pid process

900 S.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

996 netsh.exe

pid	process
900	S.exe

pid	process
996	netsh.exe

Drops startup file 2 IoCs

Processes:

S.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\760207cdf3aa547d353591aefcf32cc3.exe	S.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\760207cdf3aa547d353591aefcf32cc3.exe	S.exe

Loads dropped DLL 1 IoCs

Processes:

47c6ed7fb2afbadd95212c4dcbb7bd8815c47b218e45c78e8b8589ca93df797d.exe

pid process

1408 47c6ed7fb2afbadd95212c4dcbb7bd8815c47b218e45c78e8b8589ca93df797d.exe

pid	process
1408	47c6ed7fb2afbadd95212c4dcbb7bd8815c47b218e45c78e8b8589ca93df797d.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

S.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\760207cdf3aa547d353591aefcf32cc3 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\S.exe\" .."	S.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\760207cdf3aa547d353591aefcf32cc3 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\S.exe\" .."	S.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

vlc.exe

pid process

1996 vlc.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

vlc.exe

pid process

1996 vlc.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

AUDIODG.EXEvlc.exeS.exe

description	pid	process
Token: 33	1796	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1796	AUDIODG.EXE
Token: 33	1796	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1796	AUDIODG.EXE
Token: 33	1996	vlc.exe
Token: SeIncBasePriorityPrivilege	1996	vlc.exe
Token: SeDebugPrivilege	900	S.exe
Token: 33	900	S.exe
Token: SeIncBasePriorityPrivilege	900	S.exe
Token: 33	900	S.exe
Token: SeIncBasePriorityPrivilege	900	S.exe
Token: 33	900	S.exe
Token: SeIncBasePriorityPrivilege	900	S.exe
Token: 33	900	S.exe
Token: SeIncBasePriorityPrivilege	900	S.exe
Token: 33	900	S.exe
Token: SeIncBasePriorityPrivilege	900	S.exe
Token: 33	900	S.exe
Token: SeIncBasePriorityPrivilege	900	S.exe
Token: 33	900	S.exe
Token: SeIncBasePriorityPrivilege	900	S.exe
Token: 33	900	S.exe
Token: SeIncBasePriorityPrivilege	900	S.exe

Suspicious use of FindShellTrayWindow 27 IoCs

Processes:

vlc.exe

pid	process
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe

Suspicious use of SendNotifyMessage 8 IoCs

Processes:

vlc.exe

pid process

1996 vlc.exe
1996 vlc.exe
1996 vlc.exe
1996 vlc.exe
1996 vlc.exe
1996 vlc.exe
1996 vlc.exe
1996 vlc.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

vlc.exe

pid process

1996 vlc.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

47c6ed7fb2afbadd95212c4dcbb7bd8815c47b218e45c78e8b8589ca93df797d.exeS.exe

description	pid	process	target process
PID 1408 wrote to memory of 900	1408	47c6ed7fb2afbadd95212c4dcbb7bd8815c47b218e45c78e8b8589ca93df797d.exe	S.exe
PID 1408 wrote to memory of 900	1408	47c6ed7fb2afbadd95212c4dcbb7bd8815c47b218e45c78e8b8589ca93df797d.exe	S.exe
PID 1408 wrote to memory of 900	1408	47c6ed7fb2afbadd95212c4dcbb7bd8815c47b218e45c78e8b8589ca93df797d.exe	S.exe
PID 1408 wrote to memory of 900	1408	47c6ed7fb2afbadd95212c4dcbb7bd8815c47b218e45c78e8b8589ca93df797d.exe	S.exe
PID 1408 wrote to memory of 1996	1408	47c6ed7fb2afbadd95212c4dcbb7bd8815c47b218e45c78e8b8589ca93df797d.exe	vlc.exe
PID 1408 wrote to memory of 1996	1408	47c6ed7fb2afbadd95212c4dcbb7bd8815c47b218e45c78e8b8589ca93df797d.exe	vlc.exe
PID 1408 wrote to memory of 1996	1408	47c6ed7fb2afbadd95212c4dcbb7bd8815c47b218e45c78e8b8589ca93df797d.exe	vlc.exe
PID 1408 wrote to memory of 1996	1408	47c6ed7fb2afbadd95212c4dcbb7bd8815c47b218e45c78e8b8589ca93df797d.exe	vlc.exe
PID 900 wrote to memory of 996	900	S.exe	netsh.exe
PID 900 wrote to memory of 996	900	S.exe	netsh.exe
PID 900 wrote to memory of 996	900	S.exe	netsh.exe
PID 900 wrote to memory of 996	900	S.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\47c6ed7fb2afbadd95212c4dcbb7bd8815c47b218e45c78e8b8589ca93df797d.exe
"C:\Users\Admin\AppData\Local\Temp\47c6ed7fb2afbadd95212c4dcbb7bd8815c47b218e45c78e8b8589ca93df797d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1408

C:\Users\Admin\AppData\Local\Temp\S.exe
"C:\Users\Admin\AppData\Local\Temp\S.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:900

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\S.exe" "S.exe" ENABLE
3⤵
- Modifies Windows Firewall
PID:996

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\2019-08-08 16-45-13.mp4"
2⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1996

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x56c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1796

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2019-08-08 16-45-13.mp4
Filesize
2.5MB

MD5
2019a19bff2503e95fbc0c56ba275355

SHA1
b52c1aa2f3aad7c36d91e806801af8cbae5ff93d

SHA256
93d3b795c295d2b5839cbc46814315b688be12df13ee0fb4d6dfe4ecdc900d11

SHA512
9b116d68799621b64df45a2eb96d0f286bc4463f424e3eba8f4b03337ea466d70bf94f9d3d313d1a624c85eff5afa9f95b48fac231cfa6164911855e3c46fee9

Download Submit
C:\Users\Admin\AppData\Local\Temp\S.exe
Filesize
31KB

MD5
a5834960773eafc790b7c12f10f4f4f8

SHA1
7499831a72eb690c753fd849d22aa2bc81f58a1f

SHA256
63f21e248f2946030353157e16dc9810827539d74a46b88f9750c5c59a37a00f

SHA512
2d2ff3e4e85473f745fb82d0a931fb770584859a7eee125789d72921ccf202884b9a50fd0b8d0cfe722fad243f7fdf5b95289287d10f5119edd4c0d8dd9414ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\S.exe
Filesize
31KB

MD5
a5834960773eafc790b7c12f10f4f4f8

SHA1
7499831a72eb690c753fd849d22aa2bc81f58a1f

SHA256
63f21e248f2946030353157e16dc9810827539d74a46b88f9750c5c59a37a00f

SHA512
2d2ff3e4e85473f745fb82d0a931fb770584859a7eee125789d72921ccf202884b9a50fd0b8d0cfe722fad243f7fdf5b95289287d10f5119edd4c0d8dd9414ac

Download Submit
\Users\Admin\AppData\Local\Temp\S.exe
Filesize
31KB

MD5
a5834960773eafc790b7c12f10f4f4f8

SHA1
7499831a72eb690c753fd849d22aa2bc81f58a1f

SHA256
63f21e248f2946030353157e16dc9810827539d74a46b88f9750c5c59a37a00f

SHA512
2d2ff3e4e85473f745fb82d0a931fb770584859a7eee125789d72921ccf202884b9a50fd0b8d0cfe722fad243f7fdf5b95289287d10f5119edd4c0d8dd9414ac

Download Submit
memory/900-56-0x0000000000000000-mapping.dmp

Download
memory/900-63-0x00000000742A0000-0x000000007484B000-memory.dmp

Filesize
5.7MB

Download
memory/900-65-0x00000000742A0000-0x000000007484B000-memory.dmp

Filesize
5.7MB

Download
memory/996-64-0x0000000000000000-mapping.dmp

Download
memory/1408-54-0x00000000759F1000-0x00000000759F3000-memory.dmp

Filesize
8KB

Download
memory/1996-59-0x0000000000000000-mapping.dmp

Download
memory/1996-61-0x000007FEFBC21000-0x000007FEFBC23000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads