njrat | df949161b20c6917699483f28fba2b545ab30ea5456275a3cce6cd19e921fd10

General

Target

df949161b20c6917699483f28fba2b545ab30ea5456275a3cce6cd19e921fd10.exe
Size

29KB
MD5

977dbc36f17b3a6f4a0f4efb01391dd2
SHA1

e6a49e5405d3e94825920b84ace9bcb4b7c53731
SHA256

df949161b20c6917699483f28fba2b545ab30ea5456275a3cce6cd19e921fd10
SHA512

6e94acc93b633585207ed90a9d91256712cc677b67c85ad5bbbd6aa55b3832d246553f39022d50bdad024f95bce1b79bba3c4eb84111df2ef5103e4e760a1549

Score

10^/10

njrat hacked trojan

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

HacKed

C2

yekihackers.ddns.net:2020

Mutex

ba4c12bee3027d94da5c81db2d196bfd

Attributes

reg_key
ba4c12bee3027d94da5c81db2d196bfd
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid process

4060 svchost.exe

pid	process
4060	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

df949161b20c6917699483f28fba2b545ab30ea5456275a3cce6cd19e921fd10.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	df949161b20c6917699483f28fba2b545ab30ea5456275a3cce6cd19e921fd10.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

df949161b20c6917699483f28fba2b545ab30ea5456275a3cce6cd19e921fd10.exe

description	pid	process	target process
PID 4648 wrote to memory of 4060	4648	df949161b20c6917699483f28fba2b545ab30ea5456275a3cce6cd19e921fd10.exe	svchost.exe
PID 4648 wrote to memory of 4060	4648	df949161b20c6917699483f28fba2b545ab30ea5456275a3cce6cd19e921fd10.exe	svchost.exe
PID 4648 wrote to memory of 4060	4648	df949161b20c6917699483f28fba2b545ab30ea5456275a3cce6cd19e921fd10.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\df949161b20c6917699483f28fba2b545ab30ea5456275a3cce6cd19e921fd10.exe
"C:\Users\Admin\AppData\Local\Temp\df949161b20c6917699483f28fba2b545ab30ea5456275a3cce6cd19e921fd10.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4648

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
2⤵
- Executes dropped EXE
PID:4060

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
29KB

MD5
977dbc36f17b3a6f4a0f4efb01391dd2

SHA1
e6a49e5405d3e94825920b84ace9bcb4b7c53731

SHA256
df949161b20c6917699483f28fba2b545ab30ea5456275a3cce6cd19e921fd10

SHA512
6e94acc93b633585207ed90a9d91256712cc677b67c85ad5bbbd6aa55b3832d246553f39022d50bdad024f95bce1b79bba3c4eb84111df2ef5103e4e760a1549

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
29KB

MD5
977dbc36f17b3a6f4a0f4efb01391dd2

SHA1
e6a49e5405d3e94825920b84ace9bcb4b7c53731

SHA256
df949161b20c6917699483f28fba2b545ab30ea5456275a3cce6cd19e921fd10

SHA512
6e94acc93b633585207ed90a9d91256712cc677b67c85ad5bbbd6aa55b3832d246553f39022d50bdad024f95bce1b79bba3c4eb84111df2ef5103e4e760a1549

Download Submit
memory/4060-132-0x0000000000000000-mapping.dmp

Download
memory/4060-135-0x00000000747B0000-0x0000000074D61000-memory.dmp

Filesize
5.7MB

Download
memory/4648-130-0x00000000747B0000-0x0000000074D61000-memory.dmp

Filesize
5.7MB

Download
memory/4648-131-0x00000000747B0000-0x0000000074D61000-memory.dmp

Filesize
5.7MB

Download
memory/4648-136-0x00000000747B0000-0x0000000074D61000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing