njrat | b964a66b64e28d8af593c38e39c2aec483d687593ebe64a04aecc5326f34b31b

General

Target

b964a66b64e28d8af593c38e39c2aec483d687593ebe64a04aecc5326f34b31b.exe
Size

93KB
MD5

3ba6a42a36a167bde629b4e8dcc8ff95
SHA1

b49aa395634d434a84a264d50037a17281e2a9f4
SHA256

b964a66b64e28d8af593c38e39c2aec483d687593ebe64a04aecc5326f34b31b
SHA512

59776c41762279b98737521b59d2c5ef8c4d3384465c061c1b041c5675ba6af0ac6f00e548d69a021a34bd903d5131e7971051b1ef34f6f3f071832767bf8503

Score

10^/10

njrat hacked evasion trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

FRANSESCOTI3LjAuFRANSESCOC4x:MTYwNA==

Mutex

6e03cdb684215a5d1cd8a13afcd46ec0

Attributes

reg_key
6e03cdb684215a5d1cd8a13afcd46ec0
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 1 IoCs

Processes:

server.exe

pid process

988 server.exe
Modifies Windows Firewall 1 TTPs 3 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exenetsh.exenetsh.exe

pid process

1760 netsh.exe
1196 netsh.exe
1880 netsh.exe

pid	process
1760	netsh.exe
1196	netsh.exe
1880	netsh.exe

Drops startup file 4 IoCs

Processes:

server.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6e03cdb684215a5d1cd8a13afcd46ec0Windows Update.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6e03cdb684215a5d1cd8a13afcd46ec0Windows Update.exe	server.exe

Loads dropped DLL 2 IoCs

Processes:

b964a66b64e28d8af593c38e39c2aec483d687593ebe64a04aecc5326f34b31b.exe

pid	process
1112	b964a66b64e28d8af593c38e39c2aec483d687593ebe64a04aecc5326f34b31b.exe
1112	b964a66b64e28d8af593c38e39c2aec483d687593ebe64a04aecc5326f34b31b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

server.exe

pid	process
988	server.exe
988	server.exe
988	server.exe
988	server.exe
988	server.exe
988	server.exe
988	server.exe
988	server.exe
988	server.exe
988	server.exe
988	server.exe
988	server.exe
988	server.exe
988	server.exe
988	server.exe
988	server.exe
988	server.exe
988	server.exe
988	server.exe
988	server.exe
988	server.exe
988	server.exe
988	server.exe
988	server.exe
988	server.exe
988	server.exe
988	server.exe
988	server.exe
988	server.exe
988	server.exe
988	server.exe
988	server.exe
988	server.exe
988	server.exe
988	server.exe
988	server.exe
988	server.exe
988	server.exe
988	server.exe
988	server.exe
988	server.exe
988	server.exe
988	server.exe
988	server.exe
988	server.exe
988	server.exe
988	server.exe
988	server.exe
988	server.exe
988	server.exe
988	server.exe
988	server.exe
988	server.exe
988	server.exe
988	server.exe
988	server.exe
988	server.exe
988	server.exe
988	server.exe
988	server.exe
988	server.exe
988	server.exe
988	server.exe
988	server.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

server.exe

pid process

988 server.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

server.exe

description	pid	process
Token: SeDebugPrivilege	988	server.exe
Token: 33	988	server.exe
Token: SeIncBasePriorityPrivilege	988	server.exe
Token: 33	988	server.exe
Token: SeIncBasePriorityPrivilege	988	server.exe
Token: 33	988	server.exe
Token: SeIncBasePriorityPrivilege	988	server.exe
Token: 33	988	server.exe
Token: SeIncBasePriorityPrivilege	988	server.exe
Token: 33	988	server.exe
Token: SeIncBasePriorityPrivilege	988	server.exe
Token: 33	988	server.exe
Token: SeIncBasePriorityPrivilege	988	server.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

b964a66b64e28d8af593c38e39c2aec483d687593ebe64a04aecc5326f34b31b.exeserver.exe

description	pid	process	target process
PID 1112 wrote to memory of 988	1112	b964a66b64e28d8af593c38e39c2aec483d687593ebe64a04aecc5326f34b31b.exe	server.exe
PID 1112 wrote to memory of 988	1112	b964a66b64e28d8af593c38e39c2aec483d687593ebe64a04aecc5326f34b31b.exe	server.exe
PID 1112 wrote to memory of 988	1112	b964a66b64e28d8af593c38e39c2aec483d687593ebe64a04aecc5326f34b31b.exe	server.exe
PID 1112 wrote to memory of 988	1112	b964a66b64e28d8af593c38e39c2aec483d687593ebe64a04aecc5326f34b31b.exe	server.exe
PID 988 wrote to memory of 1760	988	server.exe	netsh.exe
PID 988 wrote to memory of 1760	988	server.exe	netsh.exe
PID 988 wrote to memory of 1760	988	server.exe	netsh.exe
PID 988 wrote to memory of 1760	988	server.exe	netsh.exe
PID 988 wrote to memory of 1880	988	server.exe	netsh.exe
PID 988 wrote to memory of 1880	988	server.exe	netsh.exe
PID 988 wrote to memory of 1880	988	server.exe	netsh.exe
PID 988 wrote to memory of 1880	988	server.exe	netsh.exe
PID 988 wrote to memory of 1196	988	server.exe	netsh.exe
PID 988 wrote to memory of 1196	988	server.exe	netsh.exe
PID 988 wrote to memory of 1196	988	server.exe	netsh.exe
PID 988 wrote to memory of 1196	988	server.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\b964a66b64e28d8af593c38e39c2aec483d687593ebe64a04aecc5326f34b31b.exe
"C:\Users\Admin\AppData\Local\Temp\b964a66b64e28d8af593c38e39c2aec483d687593ebe64a04aecc5326f34b31b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1112

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:988

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
3⤵
- Modifies Windows Firewall
PID:1760

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
3⤵
- Modifies Windows Firewall
PID:1196

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
3⤵
- Modifies Windows Firewall
PID:1880

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\server.exe
Filesize
93KB

MD5
3ba6a42a36a167bde629b4e8dcc8ff95

SHA1
b49aa395634d434a84a264d50037a17281e2a9f4

SHA256
b964a66b64e28d8af593c38e39c2aec483d687593ebe64a04aecc5326f34b31b

SHA512
59776c41762279b98737521b59d2c5ef8c4d3384465c061c1b041c5675ba6af0ac6f00e548d69a021a34bd903d5131e7971051b1ef34f6f3f071832767bf8503

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe
Filesize
93KB

MD5
3ba6a42a36a167bde629b4e8dcc8ff95

SHA1
b49aa395634d434a84a264d50037a17281e2a9f4

SHA256
b964a66b64e28d8af593c38e39c2aec483d687593ebe64a04aecc5326f34b31b

SHA512
59776c41762279b98737521b59d2c5ef8c4d3384465c061c1b041c5675ba6af0ac6f00e548d69a021a34bd903d5131e7971051b1ef34f6f3f071832767bf8503

Download Submit
C:\Users\Admin\AppData\Roaming\app
Filesize
5B

MD5
850ad04adc35f6ec7809f0f70de8300c

SHA1
06387beffabdf4ea012664a1d2693862a5e5a181

SHA256
59f6eeca3c022531b409b0dc1ea7c1d244ecc7af5b67a5600470b59cdbc04abe

SHA512
fca8d80dcdc3a14a04e5ae665dfae9c7b915d4b52b6a24b271d4ad67d9c72c2485815dcb097721d952458857eda8c0edac23f997486a3a1936693b1a5bb35532

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe
Filesize
93KB

MD5
3ba6a42a36a167bde629b4e8dcc8ff95

SHA1
b49aa395634d434a84a264d50037a17281e2a9f4

SHA256
b964a66b64e28d8af593c38e39c2aec483d687593ebe64a04aecc5326f34b31b

SHA512
59776c41762279b98737521b59d2c5ef8c4d3384465c061c1b041c5675ba6af0ac6f00e548d69a021a34bd903d5131e7971051b1ef34f6f3f071832767bf8503

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe
Filesize
93KB

MD5
3ba6a42a36a167bde629b4e8dcc8ff95

SHA1
b49aa395634d434a84a264d50037a17281e2a9f4

SHA256
b964a66b64e28d8af593c38e39c2aec483d687593ebe64a04aecc5326f34b31b

SHA512
59776c41762279b98737521b59d2c5ef8c4d3384465c061c1b041c5675ba6af0ac6f00e548d69a021a34bd903d5131e7971051b1ef34f6f3f071832767bf8503

Download Submit
memory/988-59-0x0000000000000000-mapping.dmp

Download
memory/988-65-0x0000000074080000-0x000000007462B000-memory.dmp

Filesize
5.7MB

Download
memory/988-67-0x0000000074080000-0x000000007462B000-memory.dmp

Filesize
5.7MB

Download
memory/1112-54-0x0000000075681000-0x0000000075683000-memory.dmp

Filesize
8KB

Download
memory/1112-56-0x0000000074080000-0x000000007462B000-memory.dmp

Filesize
5.7MB

Download
memory/1112-55-0x0000000074080000-0x000000007462B000-memory.dmp

Filesize
5.7MB

Download
memory/1112-64-0x0000000074080000-0x000000007462B000-memory.dmp

Filesize
5.7MB

Download
memory/1196-69-0x0000000000000000-mapping.dmp

Download
memory/1760-66-0x0000000000000000-mapping.dmp

Download
memory/1880-68-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads