njrat | bda545a064501623ed0031faafaad588e31bdae02dd945413873f21ecb7fd96d

General

Target

0030834bf67509153237ac832bc68649.exe
Size

351KB
MD5

0030834bf67509153237ac832bc68649
SHA1

1e4802307ae8e4a8c75bb384762f4cd6db676884
SHA256

bda545a064501623ed0031faafaad588e31bdae02dd945413873f21ecb7fd96d
SHA512

9a26f24a53c929c470e87469dac4ead2064524d0f85e4ea0424695b2f7e6a200256886093ed1190373281498915aecad94d74e90302444c42bc92c876e85e50d

Score

10^/10

njrat hacked evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

easralahtane.ddns.net:3973

Mutex

de691f5a23326e1eca32cf33144b3175

Attributes

reg_key
de691f5a23326e1eca32cf33144b3175
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 1 IoCs

Processes:

taskhost .exe

pid process

956 taskhost .exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

908 netsh.exe
Loads dropped DLL 1 IoCs

Processes:

0030834bf67509153237ac832bc68649.exe

pid process

1452 0030834bf67509153237ac832bc68649.exe

pid	process
956	taskhost .exe

pid	process
908	netsh.exe

pid	process
1452	0030834bf67509153237ac832bc68649.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

taskhost .exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\de691f5a23326e1eca32cf33144b3175 = "\"C:\\Users\\Admin\\AppData\\Roaming\\taskhost .exe\" .."	taskhost .exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\de691f5a23326e1eca32cf33144b3175 = "\"C:\\Users\\Admin\\AppData\\Roaming\\taskhost .exe\" .."	taskhost .exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 6 IoCs

Processes:

0030834bf67509153237ac832bc68649.exetaskhost .exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\CID\{47004F00-6500-4F00-5000-33006F005800}	0030834bf67509153237ac832bc68649.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\CID	0030834bf67509153237ac832bc68649.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\CID\{47004F00-6500-4F00-5000-33006F005800}\1 = "52B1oNhfHYAr31mj+XEMmluPWM0G3HVdnXXdJYHQjNByRJVsg5DkIHwNvDxJMIWDNDxpKbWLdlh4LZQNaZ+Ukk5bPy2gLMeZ9uFXJxrrtDEaZB7T+VGlkRmubNheyvLjsr+Gpi8BTKNdObihHuGo0WizduLcKZljhgzJWM8kwwA="	0030834bf67509153237ac832bc68649.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\CID\{47004F00-6500-4F00-5000-33006F005800}\1 = "2MUECT+A4VaCN8hFQ2EVWTKh40Z2uogrzU8p9+tVD/y6XrFyDlBoxDJJLVXgXPZCjYYRokgeU+SuyTI2FXSaeXsb3QsrRN3QmgCeup8lRwJaQfiI6GMB4v6PXZwYRskRF1lVNQcw/8Q7wsjJ2yCUhxMyr+ccoBqc9zvzPAP/aec="	taskhost .exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\CID\{47004F00-6500-4F00-5000-33006F005800}\1 = "xjniDDbwKpwg3C4Z31/ndYQujHTnDwYir6+Rn/Sy8n4ArgejzhPUgCcMNKpZOa3dI7iv97cpyW/pnfYiKGmmkj5mu33LX3ZkQdkcvnD59ui1AQr/yZYF1qmh5QJqhqhWCdqm9H+Jie2nU1jhynQuYHxkZUXMLxXAL2MnyuSptM4="	taskhost .exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\CID\{47004F00-6500-4F00-5000-33006F005800}\1 = "eI0S7KcWSdMgqzwh30JHioUKGAvdiDRNPEiK86AGN1yLHAuvcaTUITZ3s0eUytuL/u/HIvr4KbjP/10zqMeuj0buJes8eIKr/wI1xoZmQ0e5m/JL2ZN3hci7pTYUaZ1oEIsAQn46FCXbCKU6HPu18BGpdXp7+RfX9Opw4/RgQpU="	taskhost .exe

NTFS ADS 3 IoCs

Processes:

0030834bf67509153237ac832bc68649.exetaskhost .exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Temp:{6B003300-6A00-3100-3600-510068003300}	0030834bf67509153237ac832bc68649.exe
File created	C:\Users\Admin\AppData\Roaming:{6B003300-6A00-3100-3600-510068003300}	taskhost .exe
File opened for modification	C:\Users\Admin\AppData\Roaming:{6B003300-6A00-3100-3600-510068003300}	taskhost .exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

0030834bf67509153237ac832bc68649.exetaskhost .exe

pid process

1452 0030834bf67509153237ac832bc68649.exe
1452 0030834bf67509153237ac832bc68649.exe
956 taskhost .exe
956 taskhost .exe

pid	process
1452	0030834bf67509153237ac832bc68649.exe
1452	0030834bf67509153237ac832bc68649.exe
956	taskhost .exe
956	taskhost .exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

Processes:

0030834bf67509153237ac832bc68649.exetaskhost .exe

description	pid	process
Token: SeDebugPrivilege	1452	0030834bf67509153237ac832bc68649.exe
Token: SeDebugPrivilege	956	taskhost .exe
Token: 33	956	taskhost .exe
Token: SeIncBasePriorityPrivilege	956	taskhost .exe
Token: 33	956	taskhost .exe
Token: SeIncBasePriorityPrivilege	956	taskhost .exe
Token: 33	956	taskhost .exe
Token: SeIncBasePriorityPrivilege	956	taskhost .exe
Token: 33	956	taskhost .exe
Token: SeIncBasePriorityPrivilege	956	taskhost .exe
Token: 33	956	taskhost .exe
Token: SeIncBasePriorityPrivilege	956	taskhost .exe
Token: 33	956	taskhost .exe
Token: SeIncBasePriorityPrivilege	956	taskhost .exe
Token: 33	956	taskhost .exe
Token: SeIncBasePriorityPrivilege	956	taskhost .exe
Token: 33	956	taskhost .exe
Token: SeIncBasePriorityPrivilege	956	taskhost .exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

0030834bf67509153237ac832bc68649.exetaskhost .exe

description	pid	process	target process
PID 1452 wrote to memory of 956	1452	0030834bf67509153237ac832bc68649.exe	taskhost .exe
PID 1452 wrote to memory of 956	1452	0030834bf67509153237ac832bc68649.exe	taskhost .exe
PID 1452 wrote to memory of 956	1452	0030834bf67509153237ac832bc68649.exe	taskhost .exe
PID 1452 wrote to memory of 956	1452	0030834bf67509153237ac832bc68649.exe	taskhost .exe
PID 956 wrote to memory of 908	956	taskhost .exe	netsh.exe
PID 956 wrote to memory of 908	956	taskhost .exe	netsh.exe
PID 956 wrote to memory of 908	956	taskhost .exe	netsh.exe
PID 956 wrote to memory of 908	956	taskhost .exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\0030834bf67509153237ac832bc68649.exe
"C:\Users\Admin\AppData\Local\Temp\0030834bf67509153237ac832bc68649.exe"
1⤵
- Loads dropped DLL
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1452

C:\Users\Admin\AppData\Roaming\taskhost .exe
"C:\Users\Admin\AppData\Roaming\taskhost .exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:956

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\taskhost .exe" "taskhost .exe" ENABLE
3⤵
- Modifies Windows Firewall
PID:908

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Isolated Storage\{6B003300-6A00-3100-3600-510068003300}
Filesize
344B

MD5
b7dc3d4d2458b0ac328d4923926acf7c

SHA1
5502eecb50b242c473c77967ce897c30bd2b8d10

SHA256
6ad38d320a4229d62ad4931ff0eede30714ba77d9f0d9e775c9477438ea7f584

SHA512
228844c25aa3a485c0f24fd9f00b0e956b81b3bdf4bca0ed56993b6bb91dccd2f1cfe616c44d564459b2e13bc64d395809e977248ddb34e66452511a80b964d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\taskhost .exe
Filesize
351KB

MD5
0030834bf67509153237ac832bc68649

SHA1
1e4802307ae8e4a8c75bb384762f4cd6db676884

SHA256
bda545a064501623ed0031faafaad588e31bdae02dd945413873f21ecb7fd96d

SHA512
9a26f24a53c929c470e87469dac4ead2064524d0f85e4ea0424695b2f7e6a200256886093ed1190373281498915aecad94d74e90302444c42bc92c876e85e50d

Download Submit
C:\Users\Admin\AppData\Roaming\taskhost .exe
Filesize
351KB

MD5
0030834bf67509153237ac832bc68649

SHA1
1e4802307ae8e4a8c75bb384762f4cd6db676884

SHA256
bda545a064501623ed0031faafaad588e31bdae02dd945413873f21ecb7fd96d

SHA512
9a26f24a53c929c470e87469dac4ead2064524d0f85e4ea0424695b2f7e6a200256886093ed1190373281498915aecad94d74e90302444c42bc92c876e85e50d

Download Submit
\Users\Admin\AppData\Roaming\taskhost .exe
Filesize
351KB

MD5
0030834bf67509153237ac832bc68649

SHA1
1e4802307ae8e4a8c75bb384762f4cd6db676884

SHA256
bda545a064501623ed0031faafaad588e31bdae02dd945413873f21ecb7fd96d

SHA512
9a26f24a53c929c470e87469dac4ead2064524d0f85e4ea0424695b2f7e6a200256886093ed1190373281498915aecad94d74e90302444c42bc92c876e85e50d

Download Submit
memory/908-68-0x0000000000000000-mapping.dmp

Download
memory/956-64-0x00000000000A0000-0x00000000000FE000-memory.dmp

Filesize
376KB

Download
memory/956-70-0x0000000004CC5000-0x0000000004CD6000-memory.dmp

Filesize
68KB

Download
memory/956-67-0x0000000004CC5000-0x0000000004CD6000-memory.dmp

Filesize
68KB

Download
memory/956-59-0x0000000000000000-mapping.dmp

Download
memory/1452-57-0x00000000009B0000-0x00000000009BC000-memory.dmp

Filesize
48KB

Download
memory/1452-63-0x0000000000CC5000-0x0000000000CD6000-memory.dmp

Filesize
68KB

Download
memory/1452-54-0x0000000001170000-0x00000000011CE000-memory.dmp

Filesize
376KB

Download
memory/1452-56-0x0000000000CC5000-0x0000000000CD6000-memory.dmp

Filesize
68KB

Download
memory/1452-55-0x0000000075041000-0x0000000075043000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads