njrat | 481744d8559043a22a7a164cad83799725f289b5a4bdfbf6a267df31a758c739

General

Target

481744d8559043a22a7a164cad83799725f289b5a4bdfbf6a267df31a758c739.exe
Size

29KB
MD5

761931aa493ef696ab7a6114f5838279
SHA1

8930277e98496bc512f7f87f6b67cb90b693fc8b
SHA256

481744d8559043a22a7a164cad83799725f289b5a4bdfbf6a267df31a758c739
SHA512

d14742ec7bfb936396e4538821fd0df9a405939392f263e58ef669ee72f9288ae244e0ee37a00a814ba590385b320c085243fcaa5344f8c2608393d87937577f

Score

10^/10

njrat love evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

love

C2

hostmorning.no-ip.biz:1177

Mutex

a0ae746fbab3868c8ea432a9f04c7d16

Attributes

reg_key
a0ae746fbab3868c8ea432a9f04c7d16
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 1 IoCs

Processes:

idn.exe

pid process

1568 idn.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

1532 netsh.exe
Loads dropped DLL 1 IoCs

Processes:

481744d8559043a22a7a164cad83799725f289b5a4bdfbf6a267df31a758c739.exe

pid process

1980 481744d8559043a22a7a164cad83799725f289b5a4bdfbf6a267df31a758c739.exe

pid	process
1532	netsh.exe

pid	process
1980	481744d8559043a22a7a164cad83799725f289b5a4bdfbf6a267df31a758c739.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

idn.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\a0ae746fbab3868c8ea432a9f04c7d16 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\idn.exe\" .."	idn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\a0ae746fbab3868c8ea432a9f04c7d16 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\idn.exe\" .."	idn.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

idn.exe

pid	process
1568	idn.exe
1568	idn.exe
1568	idn.exe
1568	idn.exe
1568	idn.exe
1568	idn.exe
1568	idn.exe
1568	idn.exe
1568	idn.exe
1568	idn.exe
1568	idn.exe
1568	idn.exe
1568	idn.exe
1568	idn.exe
1568	idn.exe
1568	idn.exe
1568	idn.exe
1568	idn.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

idn.exe

description pid process

Token: SeDebugPrivilege 1568 idn.exe

description	pid	process
Token: SeDebugPrivilege	1568	idn.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

481744d8559043a22a7a164cad83799725f289b5a4bdfbf6a267df31a758c739.exeidn.exe

description	pid	process	target process
PID 1980 wrote to memory of 1568	1980	481744d8559043a22a7a164cad83799725f289b5a4bdfbf6a267df31a758c739.exe	idn.exe
PID 1980 wrote to memory of 1568	1980	481744d8559043a22a7a164cad83799725f289b5a4bdfbf6a267df31a758c739.exe	idn.exe
PID 1980 wrote to memory of 1568	1980	481744d8559043a22a7a164cad83799725f289b5a4bdfbf6a267df31a758c739.exe	idn.exe
PID 1980 wrote to memory of 1568	1980	481744d8559043a22a7a164cad83799725f289b5a4bdfbf6a267df31a758c739.exe	idn.exe
PID 1568 wrote to memory of 1532	1568	idn.exe	netsh.exe
PID 1568 wrote to memory of 1532	1568	idn.exe	netsh.exe
PID 1568 wrote to memory of 1532	1568	idn.exe	netsh.exe
PID 1568 wrote to memory of 1532	1568	idn.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\481744d8559043a22a7a164cad83799725f289b5a4bdfbf6a267df31a758c739.exe
"C:\Users\Admin\AppData\Local\Temp\481744d8559043a22a7a164cad83799725f289b5a4bdfbf6a267df31a758c739.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1980

C:\Users\Admin\AppData\Local\Temp\idn.exe
"C:\Users\Admin\AppData\Local\Temp\idn.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1568

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\idn.exe" "idn.exe" ENABLE
3⤵
- Modifies Windows Firewall
PID:1532

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\idn.exe
Filesize
29KB

MD5
761931aa493ef696ab7a6114f5838279

SHA1
8930277e98496bc512f7f87f6b67cb90b693fc8b

SHA256
481744d8559043a22a7a164cad83799725f289b5a4bdfbf6a267df31a758c739

SHA512
d14742ec7bfb936396e4538821fd0df9a405939392f263e58ef669ee72f9288ae244e0ee37a00a814ba590385b320c085243fcaa5344f8c2608393d87937577f

Download Submit
C:\Users\Admin\AppData\Local\Temp\idn.exe
Filesize
29KB

MD5
761931aa493ef696ab7a6114f5838279

SHA1
8930277e98496bc512f7f87f6b67cb90b693fc8b

SHA256
481744d8559043a22a7a164cad83799725f289b5a4bdfbf6a267df31a758c739

SHA512
d14742ec7bfb936396e4538821fd0df9a405939392f263e58ef669ee72f9288ae244e0ee37a00a814ba590385b320c085243fcaa5344f8c2608393d87937577f

Download Submit
\Users\Admin\AppData\Local\Temp\idn.exe
Filesize
29KB

MD5
761931aa493ef696ab7a6114f5838279

SHA1
8930277e98496bc512f7f87f6b67cb90b693fc8b

SHA256
481744d8559043a22a7a164cad83799725f289b5a4bdfbf6a267df31a758c739

SHA512
d14742ec7bfb936396e4538821fd0df9a405939392f263e58ef669ee72f9288ae244e0ee37a00a814ba590385b320c085243fcaa5344f8c2608393d87937577f

Download Submit
memory/1532-61-0x0000000000000000-mapping.dmp

Download
memory/1568-56-0x0000000000000000-mapping.dmp

Download
memory/1568-62-0x0000000074970000-0x0000000074F1B000-memory.dmp

Filesize
5.7MB

Download
memory/1568-64-0x0000000074970000-0x0000000074F1B000-memory.dmp

Filesize
5.7MB

Download
memory/1980-54-0x00000000768D1000-0x00000000768D3000-memory.dmp

Filesize
8KB

Download
memory/1980-60-0x0000000074970000-0x0000000074F1B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads