njrat | d47f6b63f0442a8a7aa10503401180fd337fbdd5ec7388f1505cce1d39a36638

General

Target

13b80a5b971d1c6fe4a37234dff4d1d5.exe
Size

274KB
MD5

13b80a5b971d1c6fe4a37234dff4d1d5
SHA1

99c3dff0b01aa403bacc058b552ac597702ab366
SHA256

d47f6b63f0442a8a7aa10503401180fd337fbdd5ec7388f1505cce1d39a36638
SHA512

8a0508411681cdaee2e134b669ebcb73e71fbd49ef2baba456cce1d58376bf8fd173c174850db30983e424f9960b9d893ea478e0ea88766fc4a6ab48cc599625

Score

10^/10

njrat redline cheat hacked discovery evasion infostealer persistence spyware stealer suricata trojan

Malware Config

Extracted

Family

redline

Botnet

cheat

C2

172.93.144.171:50831

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

172.93.231.202:5552

Mutex

dd7d6bc98a38de1b5ca51955ad0f1fec

Attributes

reg_key
dd7d6bc98a38de1b5ca51955ad0f1fec
splitter
|'|'|

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\1.exe	family_redline
C:\Users\Admin\AppData\Roaming\1.exe	family_redline
behavioral2/memory/2720-145-0x0000000000100000-0x000000000011E000-memory.dmp	family_redline

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata
Executes dropped EXE 3 IoCs

Processes:

1.exeServer.exeNumify v2.0.exe

pid process

2720 1.exe
2716 Server.exe
2344 Numify v2.0.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

2848 netsh.exe

pid	process
2720	1.exe
2716	Server.exe
2344	Numify v2.0.exe

pid	process
2848	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

13b80a5b971d1c6fe4a37234dff4d1d5.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Control Panel\International\Geo\Nation	13b80a5b971d1c6fe4a37234dff4d1d5.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Server.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dd7d6bc98a38de1b5ca51955ad0f1fec = "\"C:\\Users\\Admin\\AppData\\Roaming\\Server.exe\" .."	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dd7d6bc98a38de1b5ca51955ad0f1fec = "\"C:\\Users\\Admin\\AppData\\Roaming\\Server.exe\" .."	Server.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4248 2344 WerFault.exe Numify v2.0.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

1.exe

pid process

2720 1.exe
2720 1.exe

pid	pid_target	process	target process
4248	2344	WerFault.exe	Numify v2.0.exe

pid	process
2720	1.exe
2720	1.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

Processes:

AUDIODG.EXE1.exeServer.exe

description	pid	process
Token: 33	5096	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5096	AUDIODG.EXE
Token: SeDebugPrivilege	2720	1.exe
Token: SeDebugPrivilege	2716	Server.exe
Token: 33	2716	Server.exe
Token: SeIncBasePriorityPrivilege	2716	Server.exe
Token: 33	2716	Server.exe
Token: SeIncBasePriorityPrivilege	2716	Server.exe
Token: 33	2716	Server.exe
Token: SeIncBasePriorityPrivilege	2716	Server.exe
Token: 33	2716	Server.exe
Token: SeIncBasePriorityPrivilege	2716	Server.exe
Token: 33	2716	Server.exe
Token: SeIncBasePriorityPrivilege	2716	Server.exe
Token: 33	2716	Server.exe
Token: SeIncBasePriorityPrivilege	2716	Server.exe
Token: 33	2716	Server.exe
Token: SeIncBasePriorityPrivilege	2716	Server.exe
Token: 33	2716	Server.exe
Token: SeIncBasePriorityPrivilege	2716	Server.exe
Token: 33	2716	Server.exe
Token: SeIncBasePriorityPrivilege	2716	Server.exe
Token: 33	2716	Server.exe
Token: SeIncBasePriorityPrivilege	2716	Server.exe
Token: 33	2716	Server.exe
Token: SeIncBasePriorityPrivilege	2716	Server.exe
Token: 33	2716	Server.exe
Token: SeIncBasePriorityPrivilege	2716	Server.exe
Token: 33	2716	Server.exe
Token: SeIncBasePriorityPrivilege	2716	Server.exe
Token: 33	2716	Server.exe
Token: SeIncBasePriorityPrivilege	2716	Server.exe
Token: 33	2716	Server.exe
Token: SeIncBasePriorityPrivilege	2716	Server.exe
Token: 33	2716	Server.exe
Token: SeIncBasePriorityPrivilege	2716	Server.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

13b80a5b971d1c6fe4a37234dff4d1d5.exeServer.exe

description	pid	process	target process
PID 4472 wrote to memory of 2720	4472	13b80a5b971d1c6fe4a37234dff4d1d5.exe	1.exe
PID 4472 wrote to memory of 2720	4472	13b80a5b971d1c6fe4a37234dff4d1d5.exe	1.exe
PID 4472 wrote to memory of 2720	4472	13b80a5b971d1c6fe4a37234dff4d1d5.exe	1.exe
PID 4472 wrote to memory of 2716	4472	13b80a5b971d1c6fe4a37234dff4d1d5.exe	Server.exe
PID 4472 wrote to memory of 2716	4472	13b80a5b971d1c6fe4a37234dff4d1d5.exe	Server.exe
PID 4472 wrote to memory of 2716	4472	13b80a5b971d1c6fe4a37234dff4d1d5.exe	Server.exe
PID 4472 wrote to memory of 2344	4472	13b80a5b971d1c6fe4a37234dff4d1d5.exe	Numify v2.0.exe
PID 4472 wrote to memory of 2344	4472	13b80a5b971d1c6fe4a37234dff4d1d5.exe	Numify v2.0.exe
PID 4472 wrote to memory of 2344	4472	13b80a5b971d1c6fe4a37234dff4d1d5.exe	Numify v2.0.exe
PID 2716 wrote to memory of 2848	2716	Server.exe	netsh.exe
PID 2716 wrote to memory of 2848	2716	Server.exe	netsh.exe
PID 2716 wrote to memory of 2848	2716	Server.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\13b80a5b971d1c6fe4a37234dff4d1d5.exe
"C:\Users\Admin\AppData\Local\Temp\13b80a5b971d1c6fe4a37234dff4d1d5.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4472

C:\Users\Admin\AppData\Roaming\1.exe
"C:\Users\Admin\AppData\Roaming\1.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2720

C:\Users\Admin\AppData\Roaming\Server.exe
"C:\Users\Admin\AppData\Roaming\Server.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2716

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Server.exe" "Server.exe" ENABLE
3⤵
- Modifies Windows Firewall
PID:2848

C:\Users\Admin\AppData\Roaming\Numify v2.0.exe
"C:\Users\Admin\AppData\Roaming\Numify v2.0.exe"
2⤵
- Executes dropped EXE
PID:2344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2344 -s 904
3⤵
- Program crash
PID:4248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2344 -ip 2344
1⤵
PID:5088

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x310 0x30c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5096

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\1.exe
Filesize
95KB

MD5
ccf820a2ee76cc79c17cac85fa4428f0

SHA1
c5ff7ee0d5108f716cb6b7b65d2ca2af89cba30a

SHA256
51069bf54448fc28f346df8d97234087d4b3d37f844dc9f814d19d201335f6b0

SHA512
bf2ab49162087e0c9de54a91874e05f63bf148f39818578fffebfc40aeef396bf947b9689ad9011499746fb3a94813ff5fa2cfea27d3ac775028dc9074cdfa97

Download Submit
C:\Users\Admin\AppData\Roaming\1.exe
Filesize
95KB

MD5
ccf820a2ee76cc79c17cac85fa4428f0

SHA1
c5ff7ee0d5108f716cb6b7b65d2ca2af89cba30a

SHA256
51069bf54448fc28f346df8d97234087d4b3d37f844dc9f814d19d201335f6b0

SHA512
bf2ab49162087e0c9de54a91874e05f63bf148f39818578fffebfc40aeef396bf947b9689ad9011499746fb3a94813ff5fa2cfea27d3ac775028dc9074cdfa97

Download Submit
C:\Users\Admin\AppData\Roaming\Numify v2.0.exe
Filesize
76KB

MD5
d06e55b0be32a71ee7266c9a9a50af55

SHA1
6ca0597232b4bb8f77646cb031716011ba1ccb48

SHA256
6d8b7dc3a54f0e4af610bcc7eb838e975eb15fe0c4f925c99776b16813cc2be8

SHA512
8049b083815ffb99a9e8aee8614b65c1a1ae96d3fbde59c4ff6d0c3d29e32c2c430d1548d2bd3918d14069e833ef475d777f80f220777b499a48acde64c1a3f6

Download Submit
C:\Users\Admin\AppData\Roaming\Numify v2.0.exe
Filesize
76KB

MD5
d06e55b0be32a71ee7266c9a9a50af55

SHA1
6ca0597232b4bb8f77646cb031716011ba1ccb48

SHA256
6d8b7dc3a54f0e4af610bcc7eb838e975eb15fe0c4f925c99776b16813cc2be8

SHA512
8049b083815ffb99a9e8aee8614b65c1a1ae96d3fbde59c4ff6d0c3d29e32c2c430d1548d2bd3918d14069e833ef475d777f80f220777b499a48acde64c1a3f6

Download Submit
C:\Users\Admin\AppData\Roaming\Server.exe
Filesize
23KB

MD5
125473bb19de33511417de332bb82850

SHA1
d0e8a425a402944ae64c4a34fb5fab4bed0b752a

SHA256
372565d528d4613208919f935d09f1c5bf5a5e9b803b16ffd6bb3d19fd415f70

SHA512
1b96082cd5b2560ef63812d2572f7fe7e6b575641e5e6e91f4e6300557147976e19c7e775a8f0e781da834c77c94d5f43a3a7e5c687715289f33be534544b84c

Download Submit
C:\Users\Admin\AppData\Roaming\Server.exe
Filesize
23KB

MD5
125473bb19de33511417de332bb82850

SHA1
d0e8a425a402944ae64c4a34fb5fab4bed0b752a

SHA256
372565d528d4613208919f935d09f1c5bf5a5e9b803b16ffd6bb3d19fd415f70

SHA512
1b96082cd5b2560ef63812d2572f7fe7e6b575641e5e6e91f4e6300557147976e19c7e775a8f0e781da834c77c94d5f43a3a7e5c687715289f33be534544b84c

Download Submit
memory/2344-144-0x0000000000830000-0x000000000084A000-memory.dmp

Filesize
104KB

Download
memory/2344-139-0x0000000000000000-mapping.dmp

Download
memory/2344-149-0x0000000005170000-0x0000000005202000-memory.dmp

Filesize
584KB

Download
memory/2716-152-0x0000000074DD0000-0x0000000075381000-memory.dmp

Filesize
5.7MB

Download
memory/2716-135-0x0000000000000000-mapping.dmp

Download
memory/2716-141-0x0000000074DD0000-0x0000000075381000-memory.dmp

Filesize
5.7MB

Download
memory/2720-145-0x0000000000100000-0x000000000011E000-memory.dmp

Filesize
120KB

Download
memory/2720-151-0x0000000004D80000-0x0000000004E8A000-memory.dmp

Filesize
1.0MB

Download
memory/2720-146-0x0000000005170000-0x0000000005788000-memory.dmp

Filesize
6.1MB

Download
memory/2720-147-0x0000000004A70000-0x0000000004A82000-memory.dmp

Filesize
72KB

Download
memory/2720-148-0x0000000004AD0000-0x0000000004B0C000-memory.dmp

Filesize
240KB

Download
memory/2720-158-0x0000000006740000-0x000000000675E000-memory.dmp

Filesize
120KB

Download
memory/2720-157-0x00000000066A0000-0x0000000006716000-memory.dmp

Filesize
472KB

Download
memory/2720-156-0x0000000006240000-0x00000000062A6000-memory.dmp

Filesize
408KB

Download
memory/2720-133-0x0000000000000000-mapping.dmp

Download
memory/2720-153-0x0000000006070000-0x0000000006232000-memory.dmp

Filesize
1.8MB

Download
memory/2720-154-0x0000000006770000-0x0000000006C9C000-memory.dmp

Filesize
5.2MB

Download
memory/2720-155-0x0000000007250000-0x00000000077F4000-memory.dmp

Filesize
5.6MB

Download
memory/2848-150-0x0000000000000000-mapping.dmp

Download
memory/4472-132-0x0000000074DD0000-0x0000000075381000-memory.dmp

Filesize
5.7MB

Download
memory/4472-143-0x0000000074DD0000-0x0000000075381000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads