njrat | 9bb347dce075e62a7df2121b6f413769b564e0b58d4302a2372bedeac6a2880b

General

Target

9BB347DCE075E62A7DF2121B6F413769B564E0B58D430.exe
Size

13.2MB
MD5

c00c09e7fa52bc19bd425d71e78ff4cb
SHA1

2cd1a7130a03d4056454733b62e4667a08451262
SHA256

9bb347dce075e62a7df2121b6f413769b564e0b58d4302a2372bedeac6a2880b
SHA512

8d18238fe7c906ddd155b8af3a0d32604aeafaf352ab1947a07f273168740c5971083b157c7e21b74125a7e42d8684db5daba2cb3bc4971ca92f20949828a9d5

Score

10^/10

njrat system persistence suricata trojan

Malware Config

Extracted

Family

njrat

Version

v2.0

Botnet

System

C2

2.tcp.ngrok.io:13817

Mutex

Windows

Attributes

reg_key
Windows
splitter
|-F-|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata
Executes dropped EXE 3 IoCs

Processes:

paylod.exeremcos.exeSystem.exe

pid process

3136 paylod.exe
4916 remcos.exe
3200 System.exe

pid	process
3136	paylod.exe
4916	remcos.exe
3200	System.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

9BB347DCE075E62A7DF2121B6F413769B564E0B58D430.exepaylod.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	9BB347DCE075E62A7DF2121B6F413769B564E0B58D430.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	paylod.exe

Drops startup file 2 IoCs

Processes:

System.exepaylod.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	System.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	paylod.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

System.exepaylod.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	System.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\ProgramData\\System.exe"	paylod.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	System.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	System.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	System.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

remcos.exe

pid process

4916 remcos.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

remcos.exe

pid process

4916 remcos.exe
4916 remcos.exe
4916 remcos.exe
4916 remcos.exe

pid	process
4916	remcos.exe

pid	process
4916	remcos.exe
4916	remcos.exe
4916	remcos.exe
4916	remcos.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

Processes:

System.exe

description	pid	process
Token: SeDebugPrivilege	3200	System.exe
Token: 33	3200	System.exe
Token: SeIncBasePriorityPrivilege	3200	System.exe
Token: 33	3200	System.exe
Token: SeIncBasePriorityPrivilege	3200	System.exe
Token: 33	3200	System.exe
Token: SeIncBasePriorityPrivilege	3200	System.exe
Token: 33	3200	System.exe
Token: SeIncBasePriorityPrivilege	3200	System.exe
Token: 33	3200	System.exe
Token: SeIncBasePriorityPrivilege	3200	System.exe
Token: 33	3200	System.exe
Token: SeIncBasePriorityPrivilege	3200	System.exe
Token: 33	3200	System.exe
Token: SeIncBasePriorityPrivilege	3200	System.exe
Token: 33	3200	System.exe
Token: SeIncBasePriorityPrivilege	3200	System.exe
Token: 33	3200	System.exe
Token: SeIncBasePriorityPrivilege	3200	System.exe
Token: 33	3200	System.exe
Token: SeIncBasePriorityPrivilege	3200	System.exe
Token: 33	3200	System.exe
Token: SeIncBasePriorityPrivilege	3200	System.exe
Token: 33	3200	System.exe
Token: SeIncBasePriorityPrivilege	3200	System.exe
Token: 33	3200	System.exe
Token: SeIncBasePriorityPrivilege	3200	System.exe
Token: 33	3200	System.exe
Token: SeIncBasePriorityPrivilege	3200	System.exe
Token: 33	3200	System.exe
Token: SeIncBasePriorityPrivilege	3200	System.exe
Token: 33	3200	System.exe
Token: SeIncBasePriorityPrivilege	3200	System.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

remcos.exe

pid process

4916 remcos.exe

pid	process
4916	remcos.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

9BB347DCE075E62A7DF2121B6F413769B564E0B58D430.exepaylod.exe

description	pid	process	target process
PID 752 wrote to memory of 3136	752	9BB347DCE075E62A7DF2121B6F413769B564E0B58D430.exe	paylod.exe
PID 752 wrote to memory of 3136	752	9BB347DCE075E62A7DF2121B6F413769B564E0B58D430.exe	paylod.exe
PID 752 wrote to memory of 3136	752	9BB347DCE075E62A7DF2121B6F413769B564E0B58D430.exe	paylod.exe
PID 752 wrote to memory of 4916	752	9BB347DCE075E62A7DF2121B6F413769B564E0B58D430.exe	remcos.exe
PID 752 wrote to memory of 4916	752	9BB347DCE075E62A7DF2121B6F413769B564E0B58D430.exe	remcos.exe
PID 752 wrote to memory of 4916	752	9BB347DCE075E62A7DF2121B6F413769B564E0B58D430.exe	remcos.exe
PID 3136 wrote to memory of 3200	3136	paylod.exe	System.exe
PID 3136 wrote to memory of 3200	3136	paylod.exe	System.exe
PID 3136 wrote to memory of 3200	3136	paylod.exe	System.exe
PID 3136 wrote to memory of 3992	3136	paylod.exe	attrib.exe
PID 3136 wrote to memory of 3992	3136	paylod.exe	attrib.exe
PID 3136 wrote to memory of 3992	3136	paylod.exe	attrib.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

3992 attrib.exe

pid	process
3992	attrib.exe

C:\Users\Admin\AppData\Local\Temp\9BB347DCE075E62A7DF2121B6F413769B564E0B58D430.exe
"C:\Users\Admin\AppData\Local\Temp\9BB347DCE075E62A7DF2121B6F413769B564E0B58D430.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:752

C:\Users\Admin\AppData\Local\Temp\paylod.exe
"C:\Users\Admin\AppData\Local\Temp\paylod.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3136

C:\ProgramData\System.exe
"C:\ProgramData\System.exe"
3⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:3200

C:\Windows\SysWOW64\attrib.exe
attrib +h +r +s "C:\ProgramData\System.exe"
3⤵
- Views/modifies file attributes
PID:3992

C:\Users\Admin\AppData\Local\Temp\remcos.exe
"C:\Users\Admin\AppData\Local\Temp\remcos.exe"
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4916

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Hidden Files and Directories

1

T1158

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Hidden Files and Directories

1

T1158

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\System.exe
Filesize
26KB

MD5
24bf1ae1d62be5e1283fc4ddc9110dd9

SHA1
7b60b080982e77eb4565dce877236297280fcf36

SHA256
55cc06f563e305e118f8d9d6307e88de5f802cd36f6bdf394e17b95bf852bd69

SHA512
b0b1228c90ac6f795c3ee641c94045023cfc8fea0dba82c37c382cc91376c3b03ca0900c82881d9c8d99363a4fdeca4e8bc758c47730444195d0c52703bef391

Download Submit
C:\ProgramData\System.exe
Filesize
26KB

MD5
24bf1ae1d62be5e1283fc4ddc9110dd9

SHA1
7b60b080982e77eb4565dce877236297280fcf36

SHA256
55cc06f563e305e118f8d9d6307e88de5f802cd36f6bdf394e17b95bf852bd69

SHA512
b0b1228c90ac6f795c3ee641c94045023cfc8fea0dba82c37c382cc91376c3b03ca0900c82881d9c8d99363a4fdeca4e8bc758c47730444195d0c52703bef391

Download Submit
C:\Users\Admin\AppData\Local\Temp\paylod.exe
Filesize
26KB

MD5
24bf1ae1d62be5e1283fc4ddc9110dd9

SHA1
7b60b080982e77eb4565dce877236297280fcf36

SHA256
55cc06f563e305e118f8d9d6307e88de5f802cd36f6bdf394e17b95bf852bd69

SHA512
b0b1228c90ac6f795c3ee641c94045023cfc8fea0dba82c37c382cc91376c3b03ca0900c82881d9c8d99363a4fdeca4e8bc758c47730444195d0c52703bef391

Download Submit
C:\Users\Admin\AppData\Local\Temp\paylod.exe
Filesize
26KB

MD5
24bf1ae1d62be5e1283fc4ddc9110dd9

SHA1
7b60b080982e77eb4565dce877236297280fcf36

SHA256
55cc06f563e305e118f8d9d6307e88de5f802cd36f6bdf394e17b95bf852bd69

SHA512
b0b1228c90ac6f795c3ee641c94045023cfc8fea0dba82c37c382cc91376c3b03ca0900c82881d9c8d99363a4fdeca4e8bc758c47730444195d0c52703bef391

Download Submit
C:\Users\Admin\AppData\Local\Temp\remcos.exe
Filesize
9.9MB

MD5
ed1e424ea6f625968a334377e8ac629f

SHA1
ad00cc58a59a3d5b78d6603a1d09378e5dbd1647

SHA256
1e5375b400f68c422804703390489b2cf3968c2a8bccb0b5b3c55fe1d2e3c991

SHA512
5119b6ac8c1becda5b59a4802fc96828d338ba2d2767e5521bc226bf04b6637c1925b0cc1b0cf560540b1399730f695c55de23665e59d0683eb07d32939b8094

Download Submit
C:\Users\Admin\AppData\Local\Temp\remcos.exe
Filesize
9.9MB

MD5
ed1e424ea6f625968a334377e8ac629f

SHA1
ad00cc58a59a3d5b78d6603a1d09378e5dbd1647

SHA256
1e5375b400f68c422804703390489b2cf3968c2a8bccb0b5b3c55fe1d2e3c991

SHA512
5119b6ac8c1becda5b59a4802fc96828d338ba2d2767e5521bc226bf04b6637c1925b0cc1b0cf560540b1399730f695c55de23665e59d0683eb07d32939b8094

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk
Filesize
1KB

MD5
410ae6573a57f8905a61a761ba8a4bf7

SHA1
05f7ac4fbb3b28620c2d1e3bdf720dfc0dfc49c9

SHA256
e42e80a74d27dc83abfba9279eec985235c2c38635fb581eff53920868bdb1fc

SHA512
3051abccb8d94dfb95a16a8f935463a8a320a55d854f5482a124e64768d0dfee01e23cb7401a9f15063219a015101263cc738e8b72122f7256b2d1cfb9030438

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk
Filesize
1KB

MD5
88186e2545bd518b1e115b85887ae39f

SHA1
1251bf62f316af94da94c16b37fc7fa03c3c212d

SHA256
b80c05ac61f81322b55b0b4519042a0c5b160a076ead78b43d59d28386314c6d

SHA512
11ab6eef239e777ed25fdd8b919e25faf24049aac23c3fd3cc1bb04de095d4204897eab3cc603144bbf23866a93ec407ee74827abf098ca819ce8f4e57121974

Download Submit
memory/752-136-0x0000000074CF0000-0x00000000752A1000-memory.dmp

Filesize
5.7MB

Download
memory/752-130-0x0000000074CF0000-0x00000000752A1000-memory.dmp

Filesize
5.7MB

Download
memory/3136-138-0x0000000074CF0000-0x00000000752A1000-memory.dmp

Filesize
5.7MB

Download
memory/3136-131-0x0000000000000000-mapping.dmp

Download
memory/3136-147-0x0000000074CF0000-0x00000000752A1000-memory.dmp

Filesize
5.7MB

Download
memory/3200-152-0x0000000074CF0000-0x00000000752A1000-memory.dmp

Filesize
5.7MB

Download
memory/3200-150-0x0000000074CF0000-0x00000000752A1000-memory.dmp

Filesize
5.7MB

Download
memory/3200-143-0x0000000000000000-mapping.dmp

Download
memory/3992-145-0x0000000000000000-mapping.dmp

Download
memory/4916-139-0x0000000000400000-0x0000000001ABE000-memory.dmp

Filesize
22.7MB

Download
memory/4916-134-0x0000000000000000-mapping.dmp

Download
memory/4916-142-0x0000000000400000-0x0000000001ABE000-memory.dmp

Filesize
22.7MB

Download
memory/4916-151-0x0000000000400000-0x0000000001ABE000-memory.dmp

Filesize
22.7MB

Download
memory/4916-141-0x0000000000400000-0x0000000001ABE000-memory.dmp

Filesize
22.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads