njrat | b27e8f81c049d04a3fd97ff6863b987f16291d871f6ba92ca06f9f019956b8aa

General

Target

ae4a2e2db65cd1fbcf3bc34fe2cd89f9.exe
Size

318KB
MD5

ae4a2e2db65cd1fbcf3bc34fe2cd89f9
SHA1

5025965af3e3a5bf79629b90c9f8ba62546ee87f
SHA256

b27e8f81c049d04a3fd97ff6863b987f16291d871f6ba92ca06f9f019956b8aa
SHA512

34932c17ddb36cb5df7126f0104e796a951a1f9a10778b9989e2cea3b12bc90825fcdadb6860163ac275fd4dbc4f2dde2de724155be593ccd64dadc0f1d2cc55

Score

10^/10

njrat hacked evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

easralahtane.ddns.net:3973

Mutex

d2affd0990860fff6a059dbd50f93a64

Attributes

reg_key
d2affd0990860fff6a059dbd50f93a64
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 1 IoCs

Processes:

taskhost .exe

pid process

1692 taskhost .exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

1696 netsh.exe
Loads dropped DLL 1 IoCs

Processes:

ae4a2e2db65cd1fbcf3bc34fe2cd89f9.exe

pid process

544 ae4a2e2db65cd1fbcf3bc34fe2cd89f9.exe

pid	process
1692	taskhost .exe

pid	process
1696	netsh.exe

pid	process
544	ae4a2e2db65cd1fbcf3bc34fe2cd89f9.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

taskhost .exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Windows\CurrentVersion\Run\d2affd0990860fff6a059dbd50f93a64 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\taskhost .exe\" .."	taskhost .exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\d2affd0990860fff6a059dbd50f93a64 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\taskhost .exe\" .."	taskhost .exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 6 IoCs

Processes:

ae4a2e2db65cd1fbcf3bc34fe2cd89f9.exetaskhost .exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000_CLASSES\CID\{54006800-4F00-7500-5200-700043007100}\1 = "Sx1fcmIeumdurnNTZkqyrcmCrlKhOL1Nx/ZSs1awC9S4kqfGHkcJ98bqvVKqBAg1MjjS1cLze6lpCne+K8CLGCOWcw20khO7MA5A1QosZ3vFZ6l71P9e5/Q9fIYT/hoFtzX7nCneOEbTBCH/IVMBTR70dGyHo3Yimk0sUU92KtU="	ae4a2e2db65cd1fbcf3bc34fe2cd89f9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000_CLASSES\CID\{54006800-4F00-7500-5200-700043007100}\1 = "X4KyyYwCH5jhONf+kSXiL4UiH7723f+0IVvfpPAPjSqtRGu7yNF+N200/periTXhwRq/ZheccaZq/YtLE84DAN4ivmYBbxCE11xM9wEBo8UhGceh4+K6zyfYtAaj0v0Qo/W4yV4wxtgU21ovte8hF5xAY3XI4LELhfHtiERDrLQ="	taskhost .exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000_CLASSES\CID\{54006800-4F00-7500-5200-700043007100}\1 = "KSlS897R5VadAqaYnXVvrU8YtLc4we3fs/ibVS/umtjyT66mEcVjT1vc2qc03jjuvSG33J1zltdokLQ4j+APrf7DJ4CLe/XmzQqbQzp1tz9+quAMcsYyFjau0aBtK3ei0HZOBChHYyzgL/OulrVS6YFFZUWefEcBLF2EzSxttAo="	taskhost .exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000_CLASSES\CID\{54006800-4F00-7500-5200-700043007100}\1 = "rgyCtKI/Hw4TWs8IqmZJRp0OFo7NSOnQ0tRbyZPlH48y1olYAdF0SO6/raAY1obl/J8L0nzPaC6P4sxGLfaHJ0UY1u8zAXgzSNa+dac1eIq4ml1B2+Kn7VotbBVaZH1mRbLwOYwjRdLSrvGTUgsVh7XZb9+iag10BXW38lh7Y+4="	taskhost .exe
Key created	\REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000_CLASSES\CID\{54006800-4F00-7500-5200-700043007100}	ae4a2e2db65cd1fbcf3bc34fe2cd89f9.exe
Key created	\REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000_CLASSES\CID	ae4a2e2db65cd1fbcf3bc34fe2cd89f9.exe

NTFS ADS 2 IoCs

Processes:

ae4a2e2db65cd1fbcf3bc34fe2cd89f9.exetaskhost .exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Temp:{2B005200-6900-6C00-7200-440042007700}	ae4a2e2db65cd1fbcf3bc34fe2cd89f9.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp:{2B005200-6900-6C00-7200-440042007700}	taskhost .exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

ae4a2e2db65cd1fbcf3bc34fe2cd89f9.exetaskhost .exe

pid process

544 ae4a2e2db65cd1fbcf3bc34fe2cd89f9.exe
544 ae4a2e2db65cd1fbcf3bc34fe2cd89f9.exe
1692 taskhost .exe
1692 taskhost .exe

pid	process
544	ae4a2e2db65cd1fbcf3bc34fe2cd89f9.exe
544	ae4a2e2db65cd1fbcf3bc34fe2cd89f9.exe
1692	taskhost .exe
1692	taskhost .exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

Processes:

ae4a2e2db65cd1fbcf3bc34fe2cd89f9.exetaskhost .exe

description	pid	process
Token: SeDebugPrivilege	544	ae4a2e2db65cd1fbcf3bc34fe2cd89f9.exe
Token: SeDebugPrivilege	1692	taskhost .exe
Token: 33	1692	taskhost .exe
Token: SeIncBasePriorityPrivilege	1692	taskhost .exe
Token: 33	1692	taskhost .exe
Token: SeIncBasePriorityPrivilege	1692	taskhost .exe
Token: 33	1692	taskhost .exe
Token: SeIncBasePriorityPrivilege	1692	taskhost .exe
Token: 33	1692	taskhost .exe
Token: SeIncBasePriorityPrivilege	1692	taskhost .exe
Token: 33	1692	taskhost .exe
Token: SeIncBasePriorityPrivilege	1692	taskhost .exe
Token: 33	1692	taskhost .exe
Token: SeIncBasePriorityPrivilege	1692	taskhost .exe
Token: 33	1692	taskhost .exe
Token: SeIncBasePriorityPrivilege	1692	taskhost .exe
Token: 33	1692	taskhost .exe
Token: SeIncBasePriorityPrivilege	1692	taskhost .exe
Token: 33	1692	taskhost .exe
Token: SeIncBasePriorityPrivilege	1692	taskhost .exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

ae4a2e2db65cd1fbcf3bc34fe2cd89f9.exetaskhost .exe

description	pid	process	target process
PID 544 wrote to memory of 1692	544	ae4a2e2db65cd1fbcf3bc34fe2cd89f9.exe	taskhost .exe
PID 544 wrote to memory of 1692	544	ae4a2e2db65cd1fbcf3bc34fe2cd89f9.exe	taskhost .exe
PID 544 wrote to memory of 1692	544	ae4a2e2db65cd1fbcf3bc34fe2cd89f9.exe	taskhost .exe
PID 544 wrote to memory of 1692	544	ae4a2e2db65cd1fbcf3bc34fe2cd89f9.exe	taskhost .exe
PID 1692 wrote to memory of 1696	1692	taskhost .exe	netsh.exe
PID 1692 wrote to memory of 1696	1692	taskhost .exe	netsh.exe
PID 1692 wrote to memory of 1696	1692	taskhost .exe	netsh.exe
PID 1692 wrote to memory of 1696	1692	taskhost .exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\ae4a2e2db65cd1fbcf3bc34fe2cd89f9.exe
"C:\Users\Admin\AppData\Local\Temp\ae4a2e2db65cd1fbcf3bc34fe2cd89f9.exe"
1⤵
- Loads dropped DLL
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:544

C:\Users\Admin\AppData\Local\Temp\taskhost .exe
"C:\Users\Admin\AppData\Local\Temp\taskhost .exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1692

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\taskhost .exe" "taskhost .exe" ENABLE
3⤵
- Modifies Windows Firewall
PID:1696

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Isolated Storage\{2B005200-6900-6C00-7200-440042007700}
Filesize
344B

MD5
00194528aabdc8e6c061e9a26c38595e

SHA1
25f9fc2a5bb975499ea064b15a221523aa41a5e5

SHA256
c8c7a29d4781ed2947ab1e295c66ff9e20a311cf5b4cf811b68647f90b2d0d5e

SHA512
7a9cb0302a26d3443911e72068c6a3c09b1560c386d98a77e7848e3f9a6110fd567bad33d8ad8dbee268a09743b0abcbfc181d31de690a1c4d4001f13ddb4e1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskhost .exe
Filesize
318KB

MD5
ae4a2e2db65cd1fbcf3bc34fe2cd89f9

SHA1
5025965af3e3a5bf79629b90c9f8ba62546ee87f

SHA256
b27e8f81c049d04a3fd97ff6863b987f16291d871f6ba92ca06f9f019956b8aa

SHA512
34932c17ddb36cb5df7126f0104e796a951a1f9a10778b9989e2cea3b12bc90825fcdadb6860163ac275fd4dbc4f2dde2de724155be593ccd64dadc0f1d2cc55

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskhost .exe
Filesize
318KB

MD5
ae4a2e2db65cd1fbcf3bc34fe2cd89f9

SHA1
5025965af3e3a5bf79629b90c9f8ba62546ee87f

SHA256
b27e8f81c049d04a3fd97ff6863b987f16291d871f6ba92ca06f9f019956b8aa

SHA512
34932c17ddb36cb5df7126f0104e796a951a1f9a10778b9989e2cea3b12bc90825fcdadb6860163ac275fd4dbc4f2dde2de724155be593ccd64dadc0f1d2cc55

Download Submit
\Users\Admin\AppData\Local\Temp\taskhost .exe
Filesize
318KB

MD5
ae4a2e2db65cd1fbcf3bc34fe2cd89f9

SHA1
5025965af3e3a5bf79629b90c9f8ba62546ee87f

SHA256
b27e8f81c049d04a3fd97ff6863b987f16291d871f6ba92ca06f9f019956b8aa

SHA512
34932c17ddb36cb5df7126f0104e796a951a1f9a10778b9989e2cea3b12bc90825fcdadb6860163ac275fd4dbc4f2dde2de724155be593ccd64dadc0f1d2cc55

Download Submit
memory/544-54-0x0000000000CB0000-0x0000000000D06000-memory.dmp

Filesize
344KB

Download
memory/544-55-0x0000000075F21000-0x0000000075F23000-memory.dmp

Filesize
8KB

Download
memory/544-56-0x0000000000920000-0x000000000092C000-memory.dmp

Filesize
48KB

Download
memory/1692-58-0x0000000000000000-mapping.dmp

Download
memory/1692-62-0x00000000012B0000-0x0000000001306000-memory.dmp

Filesize
344KB

Download
memory/1696-65-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads