njrat | 76de9acdc679b628b2982e417d9b9d3329841439f9ccfb70e4e11e162ec1eb68

General

Target

2944260deaa025272074f9a2ac84ffd7.exe
Size

347KB
MD5

2944260deaa025272074f9a2ac84ffd7
SHA1

18aa80fcd4efade56a68ce67a38f8e148d38e863
SHA256

76de9acdc679b628b2982e417d9b9d3329841439f9ccfb70e4e11e162ec1eb68
SHA512

84e15d0cef4d0a34fecb7238aa3e02c2ecd19e0e5beb1474d6c8cb74b40eaae3e097455b2e2a71a6ae02113192a67f52149231313a9e992a9c13c4da22366653
SSDEEP

6144:SiDdgU7fEMhpd2cBcr39lIKdK8RKzd+jAYLToFYAah+eCH5+Hn0Su34KB:1fEWpdPKrNlIKdK8RKwOXo+J4H0SQ

Score

10^/10

njrat hacked evasion trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

FRANSESCOC50Y3AuZXUubmdyb2suaW8Strik:MTU4OTA=

Mutex

0ec537396f8c89c665c6c857f7fa4b8a

Attributes

reg_key
0ec537396f8c89c665c6c857f7fa4b8a
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 2 IoCs

Processes:

Server.exeserver.exe

pid process

316 Server.exe
4460 server.exe
Modifies Windows Firewall 1 TTPs 3 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exenetsh.exenetsh.exe

pid process

4052 netsh.exe
804 netsh.exe
3092 netsh.exe

pid	process
316	Server.exe
4460	server.exe

pid	process
4052	netsh.exe
804	netsh.exe
3092	netsh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2944260deaa025272074f9a2ac84ffd7.exeServer.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	2944260deaa025272074f9a2ac84ffd7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	Server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

server.exe

pid process

4460 server.exe

pid	process
4460	server.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

Processes:

server.exe

description	pid	process
Token: SeDebugPrivilege	4460	server.exe
Token: 33	4460	server.exe
Token: SeIncBasePriorityPrivilege	4460	server.exe
Token: 33	4460	server.exe
Token: SeIncBasePriorityPrivilege	4460	server.exe
Token: 33	4460	server.exe
Token: SeIncBasePriorityPrivilege	4460	server.exe
Token: 33	4460	server.exe
Token: SeIncBasePriorityPrivilege	4460	server.exe
Token: 33	4460	server.exe
Token: SeIncBasePriorityPrivilege	4460	server.exe
Token: 33	4460	server.exe
Token: SeIncBasePriorityPrivilege	4460	server.exe
Token: 33	4460	server.exe
Token: SeIncBasePriorityPrivilege	4460	server.exe
Token: 33	4460	server.exe
Token: SeIncBasePriorityPrivilege	4460	server.exe
Token: 33	4460	server.exe
Token: SeIncBasePriorityPrivilege	4460	server.exe
Token: 33	4460	server.exe
Token: SeIncBasePriorityPrivilege	4460	server.exe
Token: 33	4460	server.exe
Token: SeIncBasePriorityPrivilege	4460	server.exe
Token: 33	4460	server.exe
Token: SeIncBasePriorityPrivilege	4460	server.exe
Token: 33	4460	server.exe
Token: SeIncBasePriorityPrivilege	4460	server.exe
Token: 33	4460	server.exe
Token: SeIncBasePriorityPrivilege	4460	server.exe
Token: 33	4460	server.exe
Token: SeIncBasePriorityPrivilege	4460	server.exe
Token: 33	4460	server.exe
Token: SeIncBasePriorityPrivilege	4460	server.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

2944260deaa025272074f9a2ac84ffd7.exeServer.exeserver.exe

description	pid	process	target process
PID 4644 wrote to memory of 316	4644	2944260deaa025272074f9a2ac84ffd7.exe	Server.exe
PID 4644 wrote to memory of 316	4644	2944260deaa025272074f9a2ac84ffd7.exe	Server.exe
PID 4644 wrote to memory of 316	4644	2944260deaa025272074f9a2ac84ffd7.exe	Server.exe
PID 316 wrote to memory of 4460	316	Server.exe	server.exe
PID 316 wrote to memory of 4460	316	Server.exe	server.exe
PID 316 wrote to memory of 4460	316	Server.exe	server.exe
PID 4460 wrote to memory of 804	4460	server.exe	netsh.exe
PID 4460 wrote to memory of 804	4460	server.exe	netsh.exe
PID 4460 wrote to memory of 804	4460	server.exe	netsh.exe
PID 4460 wrote to memory of 3092	4460	server.exe	netsh.exe
PID 4460 wrote to memory of 3092	4460	server.exe	netsh.exe
PID 4460 wrote to memory of 3092	4460	server.exe	netsh.exe
PID 4460 wrote to memory of 4052	4460	server.exe	netsh.exe
PID 4460 wrote to memory of 4052	4460	server.exe	netsh.exe
PID 4460 wrote to memory of 4052	4460	server.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\2944260deaa025272074f9a2ac84ffd7.exe
"C:\Users\Admin\AppData\Local\Temp\2944260deaa025272074f9a2ac84ffd7.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4644

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Server.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Server.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:316

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4460

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
4⤵
- Modifies Windows Firewall
PID:804

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
4⤵
- Modifies Windows Firewall
PID:3092

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
4⤵
- Modifies Windows Firewall
PID:4052

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\server.exe.log
Filesize
408B

MD5
661cab77d3b907e8057f2e689e995af3

SHA1
5d1a0ee9c5ee7a7a90d56d00c10dc0e679bee01c

SHA256
8f27f95ad7c09f2e05d7960e78ef8cd935c1262e9657883a75d70dcb877592d2

SHA512
2523b316bd79fed0e9b3d73f46959f3dfe270cf950f34bd9d49fe4113a2ae46d0cd00224d848bc40c0d8c55449e2dccc4b4278ba4809c0ca9ede1ac75673fc67

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe
Filesize
93KB

MD5
6633e4a02ef0a596391274133458fe08

SHA1
194b28b1494dd31941e2404094034a55062fdc86

SHA256
af57cecf462d2f8321a842aca1566a9629d2315958a7a0252ca8c8e7e0e993d7

SHA512
449e6ae83ce6d82be9b9e90c3fd07ac358c4cb8f3d8fc273057de7caa59cf51bbdb55b03cf063c5651cf8d23354cd3d178830ad580301c2764bec7c0b21842ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe
Filesize
93KB

MD5
6633e4a02ef0a596391274133458fe08

SHA1
194b28b1494dd31941e2404094034a55062fdc86

SHA256
af57cecf462d2f8321a842aca1566a9629d2315958a7a0252ca8c8e7e0e993d7

SHA512
449e6ae83ce6d82be9b9e90c3fd07ac358c4cb8f3d8fc273057de7caa59cf51bbdb55b03cf063c5651cf8d23354cd3d178830ad580301c2764bec7c0b21842ba

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Server.exe
Filesize
93KB

MD5
6633e4a02ef0a596391274133458fe08

SHA1
194b28b1494dd31941e2404094034a55062fdc86

SHA256
af57cecf462d2f8321a842aca1566a9629d2315958a7a0252ca8c8e7e0e993d7

SHA512
449e6ae83ce6d82be9b9e90c3fd07ac358c4cb8f3d8fc273057de7caa59cf51bbdb55b03cf063c5651cf8d23354cd3d178830ad580301c2764bec7c0b21842ba

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Server.exe
Filesize
93KB

MD5
6633e4a02ef0a596391274133458fe08

SHA1
194b28b1494dd31941e2404094034a55062fdc86

SHA256
af57cecf462d2f8321a842aca1566a9629d2315958a7a0252ca8c8e7e0e993d7

SHA512
449e6ae83ce6d82be9b9e90c3fd07ac358c4cb8f3d8fc273057de7caa59cf51bbdb55b03cf063c5651cf8d23354cd3d178830ad580301c2764bec7c0b21842ba

Download Submit
C:\Users\Admin\AppData\Roaming\app
Filesize
5B

MD5
b66e20886f9675fe4dbf430ea2d0bf8d

SHA1
2e676da72201e6e4482e00b300511900c6aee5a0

SHA256
899a421c56c18058cbdd16dd7fb313a57d36c1189ca0f442070ed01d17241414

SHA512
f431616522f775de27ccde420f0de6f8b3477fbe97cfd8001864b8289a570916a6dd32c84fcf8af6083d8c1b47c61aa5c73ed1e7cc75213d3f24bd94a93cb870

Download Submit
memory/316-133-0x0000000000000000-mapping.dmp

Download
memory/316-147-0x0000000074EC0000-0x0000000075471000-memory.dmp

Filesize
5.7MB

Download
memory/316-137-0x0000000074EC0000-0x0000000075471000-memory.dmp

Filesize
5.7MB

Download
memory/804-144-0x0000000000000000-mapping.dmp

Download
memory/3092-145-0x0000000000000000-mapping.dmp

Download
memory/4052-146-0x0000000000000000-mapping.dmp

Download
memory/4460-138-0x0000000000000000-mapping.dmp

Download
memory/4460-143-0x0000000074EC0000-0x0000000075471000-memory.dmp

Filesize
5.7MB

Download
memory/4460-148-0x0000000074EC0000-0x0000000075471000-memory.dmp

Filesize
5.7MB

Download
memory/4644-132-0x0000000074EC0000-0x0000000075471000-memory.dmp

Filesize
5.7MB

Download
memory/4644-136-0x0000000074EC0000-0x0000000075471000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads