njrat | 63027d093681f243f42cf00064dc5952bd3d8f2ed3d26a48f5d057a612c92273

General

Target

63027d093681f243f42cf00064dc5952bd3d8f2ed3d26a48f5d057a612c92273.exe
Size

31KB
MD5

be66486e94874c679f64129b03d24d49
SHA1

8b123a37aa84be63c5c2dc7edde082c546a74447
SHA256

63027d093681f243f42cf00064dc5952bd3d8f2ed3d26a48f5d057a612c92273
SHA512

854c19cf9b3bf831a258c031f11cea0cdda93f3f98930f52f3c2e4f52ebfa6221a5589c3e819502c0a830331d2c5156ca68be71902c5c14f4a006bb34e13222f

Score

10^/10

njrat mybot trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

MyBot

C2

37.192.18.134:5552

Mutex

e5b67957d32e942db213593a7a20d4bc

Attributes

reg_key
e5b67957d32e942db213593a7a20d4bc
splitter
Y262SUCZ4UJJ

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache	rundll32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

AcroRd32.exe

pid process

1824 AcroRd32.exe
1824 AcroRd32.exe
1824 AcroRd32.exe

pid	process
1824	AcroRd32.exe
1824	AcroRd32.exe
1824	AcroRd32.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

63027d093681f243f42cf00064dc5952bd3d8f2ed3d26a48f5d057a612c92273.exerundll32.exe

description	pid	process	target process
PID 1296 wrote to memory of 1692	1296	63027d093681f243f42cf00064dc5952bd3d8f2ed3d26a48f5d057a612c92273.exe	rundll32.exe
PID 1296 wrote to memory of 1692	1296	63027d093681f243f42cf00064dc5952bd3d8f2ed3d26a48f5d057a612c92273.exe	rundll32.exe
PID 1296 wrote to memory of 1692	1296	63027d093681f243f42cf00064dc5952bd3d8f2ed3d26a48f5d057a612c92273.exe	rundll32.exe
PID 1296 wrote to memory of 1692	1296	63027d093681f243f42cf00064dc5952bd3d8f2ed3d26a48f5d057a612c92273.exe	rundll32.exe
PID 1296 wrote to memory of 1692	1296	63027d093681f243f42cf00064dc5952bd3d8f2ed3d26a48f5d057a612c92273.exe	rundll32.exe
PID 1296 wrote to memory of 1692	1296	63027d093681f243f42cf00064dc5952bd3d8f2ed3d26a48f5d057a612c92273.exe	rundll32.exe
PID 1296 wrote to memory of 1692	1296	63027d093681f243f42cf00064dc5952bd3d8f2ed3d26a48f5d057a612c92273.exe	rundll32.exe
PID 1692 wrote to memory of 1824	1692	rundll32.exe	AcroRd32.exe
PID 1692 wrote to memory of 1824	1692	rundll32.exe	AcroRd32.exe
PID 1692 wrote to memory of 1824	1692	rundll32.exe	AcroRd32.exe
PID 1692 wrote to memory of 1824	1692	rundll32.exe	AcroRd32.exe

C:\Users\Admin\AppData\Local\Temp\63027d093681f243f42cf00064dc5952bd3d8f2ed3d26a48f5d057a612c92273.exe
"C:\Users\Admin\AppData\Local\Temp\63027d093681f243f42cf00064dc5952bd3d8f2ed3d26a48f5d057a612c92273.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1296

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Proga
2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1692

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Proga"
3⤵
- Suspicious use of SetWindowsHookEx
PID:1824

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Proga
Filesize
31KB

MD5
be66486e94874c679f64129b03d24d49

SHA1
8b123a37aa84be63c5c2dc7edde082c546a74447

SHA256
63027d093681f243f42cf00064dc5952bd3d8f2ed3d26a48f5d057a612c92273

SHA512
854c19cf9b3bf831a258c031f11cea0cdda93f3f98930f52f3c2e4f52ebfa6221a5589c3e819502c0a830331d2c5156ca68be71902c5c14f4a006bb34e13222f

Download Submit
memory/1296-54-0x0000000074F21000-0x0000000074F23000-memory.dmp

Filesize
8KB

Download
memory/1296-55-0x0000000074290000-0x000000007483B000-memory.dmp

Filesize
5.7MB

Download
memory/1296-57-0x0000000074290000-0x000000007483B000-memory.dmp

Filesize
5.7MB

Download
memory/1692-56-0x0000000000000000-mapping.dmp

Download
memory/1824-60-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing