njrat | 5ba35a47705257d5a509f8797836cb288e690b8b1af07de5d19cf0ac9d96ecf2

Analysis

max time kernel
137s
max time network
140s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
10-09-2022 12:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Proxyscrape Key Generator By PJ/Proxyscrape Key Generator.exe
Size

961KB
MD5

87209c33773be8965c3a1a81387c5e99
SHA1

d9ca7002529e6cc4ff246b0caa2588f58153415d
SHA256

b6f59af79ed2d64cb69d8c66fead974f5b73c66ddfa4e9dd0db7e33a1b7a51a8
SHA512

8b4871009b83e27eb73104531c4bdac24f3f99146feddf1289f0683421699f961deffb7bf0497d1314252023bb0d4bd9636c53c064f4d80813d32a54ab56d1da
SSDEEP

6144:nUSUpHEa0jT7M7eJYsECpHHJjX4pLEBpBSKwTO/ANtL57u2A6z93g67ws8atQ73Q:IaJzYonlwTOOD7GCQEwraNZdevKwg9P

Score

10^/10

njrat hacked evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

blog.hackcrack.io:8081

Mutex

ca86f672d0ce2b751cd00487354a1da0

Attributes

reg_key
ca86f672d0ce2b751cd00487354a1da0
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 5 IoCs

Processes:

Setup.exeSetup.exeProxyscrape Key Generator .exesvchost.exeexplorer.exe

pid process

1832 Setup.exe
1996 Setup.exe
2044 Proxyscrape Key Generator .exe
1300 svchost.exe
1880 explorer.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

1576 netsh.exe

pid	process
1832	Setup.exe
1996	Setup.exe
2044	Proxyscrape Key Generator .exe
1300	svchost.exe
1880	explorer.exe

pid	process
1576	netsh.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Setup.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Corporation Security = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\svchost.exe"	Setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Explorer = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe"	explorer.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

explorer.exe

description pid process target process

PID 1880 set thread context of 1148 1880 explorer.exe RegAsm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

explorer.exe

pid process

1880 explorer.exe
1880 explorer.exe
1880 explorer.exe

description	pid	process	target process
PID 1880 set thread context of 1148	1880	explorer.exe	RegAsm.exe

pid	process
1880	explorer.exe
1880	explorer.exe
1880	explorer.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

explorer.exeRegAsm.exe

description	pid	process
Token: SeDebugPrivilege	1880	explorer.exe
Token: SeDebugPrivilege	1148	RegAsm.exe
Token: 33	1148	RegAsm.exe
Token: SeIncBasePriorityPrivilege	1148	RegAsm.exe
Token: 33	1148	RegAsm.exe
Token: SeIncBasePriorityPrivilege	1148	RegAsm.exe
Token: 33	1148	RegAsm.exe
Token: SeIncBasePriorityPrivilege	1148	RegAsm.exe
Token: 33	1148	RegAsm.exe
Token: SeIncBasePriorityPrivilege	1148	RegAsm.exe
Token: 33	1148	RegAsm.exe
Token: SeIncBasePriorityPrivilege	1148	RegAsm.exe
Token: 33	1148	RegAsm.exe
Token: SeIncBasePriorityPrivilege	1148	RegAsm.exe

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

Proxyscrape Key Generator.exeSetup.exesvchost.exeexplorer.exeRegAsm.exe

description	pid	process	target process
PID 1604 wrote to memory of 1832	1604	Proxyscrape Key Generator.exe	Setup.exe
PID 1604 wrote to memory of 1832	1604	Proxyscrape Key Generator.exe	Setup.exe
PID 1604 wrote to memory of 1832	1604	Proxyscrape Key Generator.exe	Setup.exe
PID 1604 wrote to memory of 1996	1604	Proxyscrape Key Generator.exe	Setup.exe
PID 1604 wrote to memory of 1996	1604	Proxyscrape Key Generator.exe	Setup.exe
PID 1604 wrote to memory of 1996	1604	Proxyscrape Key Generator.exe	Setup.exe
PID 1604 wrote to memory of 2044	1604	Proxyscrape Key Generator.exe	Proxyscrape Key Generator .exe
PID 1604 wrote to memory of 2044	1604	Proxyscrape Key Generator.exe	Proxyscrape Key Generator .exe
PID 1604 wrote to memory of 2044	1604	Proxyscrape Key Generator.exe	Proxyscrape Key Generator .exe
PID 1604 wrote to memory of 2044	1604	Proxyscrape Key Generator.exe	Proxyscrape Key Generator .exe
PID 1832 wrote to memory of 1300	1832	Setup.exe	svchost.exe
PID 1832 wrote to memory of 1300	1832	Setup.exe	svchost.exe
PID 1832 wrote to memory of 1300	1832	Setup.exe	svchost.exe
PID 1300 wrote to memory of 1880	1300	svchost.exe	explorer.exe
PID 1300 wrote to memory of 1880	1300	svchost.exe	explorer.exe
PID 1300 wrote to memory of 1880	1300	svchost.exe	explorer.exe
PID 1880 wrote to memory of 1428	1880	explorer.exe	RegAsm.exe
PID 1880 wrote to memory of 1428	1880	explorer.exe	RegAsm.exe
PID 1880 wrote to memory of 1428	1880	explorer.exe	RegAsm.exe
PID 1880 wrote to memory of 1428	1880	explorer.exe	RegAsm.exe
PID 1880 wrote to memory of 1428	1880	explorer.exe	RegAsm.exe
PID 1880 wrote to memory of 1428	1880	explorer.exe	RegAsm.exe
PID 1880 wrote to memory of 1428	1880	explorer.exe	RegAsm.exe
PID 1880 wrote to memory of 1148	1880	explorer.exe	RegAsm.exe
PID 1880 wrote to memory of 1148	1880	explorer.exe	RegAsm.exe
PID 1880 wrote to memory of 1148	1880	explorer.exe	RegAsm.exe
PID 1880 wrote to memory of 1148	1880	explorer.exe	RegAsm.exe
PID 1880 wrote to memory of 1148	1880	explorer.exe	RegAsm.exe
PID 1880 wrote to memory of 1148	1880	explorer.exe	RegAsm.exe
PID 1880 wrote to memory of 1148	1880	explorer.exe	RegAsm.exe
PID 1880 wrote to memory of 1148	1880	explorer.exe	RegAsm.exe
PID 1880 wrote to memory of 1148	1880	explorer.exe	RegAsm.exe
PID 1880 wrote to memory of 1148	1880	explorer.exe	RegAsm.exe
PID 1880 wrote to memory of 1148	1880	explorer.exe	RegAsm.exe
PID 1880 wrote to memory of 1148	1880	explorer.exe	RegAsm.exe
PID 1148 wrote to memory of 1576	1148	RegAsm.exe	netsh.exe
PID 1148 wrote to memory of 1576	1148	RegAsm.exe	netsh.exe
PID 1148 wrote to memory of 1576	1148	RegAsm.exe	netsh.exe
PID 1148 wrote to memory of 1576	1148	RegAsm.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\Proxyscrape Key Generator By PJ\Proxyscrape Key Generator.exe
"C:\Users\Admin\AppData\Local\Temp\Proxyscrape Key Generator By PJ\Proxyscrape Key Generator.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1604

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1832

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1300

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1880

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
#cmd
5⤵
PID:1428

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
#cmd
5⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1148

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "RegAsm.exe" ENABLE
6⤵
- Modifies Windows Firewall
PID:1576

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
2⤵
- Executes dropped EXE
PID:1996

C:\Users\Admin\AppData\Local\Temp\Proxyscrape Key Generator By PJ\Proxyscrape Key Generator .exe
"C:\Users\Admin\AppData\Local\Temp\Proxyscrape Key Generator By PJ\Proxyscrape Key Generator .exe"
2⤵
- Executes dropped EXE
PID:2044

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Proxyscrape Key Generator By PJ\Proxyscrape Key Generator .exe
Filesize
489KB

MD5
985811799cafbdf632ab7244cb1b3395

SHA1
62eab405913db4bd4af3e600d166c43de610d0a4

SHA256
0628fad19899c54aae33710ffd38f326349445e93f3bf05ae052479647545c55

SHA512
d10b696af607d8977787d117dec00de9223a7d3eed99799703f51500fa1954ba8536052d2c3d2f0cda83d8a6c872c6fabc2184db2d1a9ff25d737613def937f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Proxyscrape Key Generator By PJ\Proxyscrape Key Generator .exe
Filesize
489KB

MD5
985811799cafbdf632ab7244cb1b3395

SHA1
62eab405913db4bd4af3e600d166c43de610d0a4

SHA256
0628fad19899c54aae33710ffd38f326349445e93f3bf05ae052479647545c55

SHA512
d10b696af607d8977787d117dec00de9223a7d3eed99799703f51500fa1954ba8536052d2c3d2f0cda83d8a6c872c6fabc2184db2d1a9ff25d737613def937f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup.exe
Filesize
453KB

MD5
32d785752249c44e16fbcfb314714ba7

SHA1
2d7fe4bad7d7e293db1dc5f3a03115c21c817c22

SHA256
fbb38dc329ee921d8f22619dba7ba1e7a63b6fb0ff172aae8a46a608048a883f

SHA512
a6d66ddfbbaa1f1039d8a989fcc619a21442dececa1f768e5c2b1066e5092718abc5d47b0f18f42819cb646b3e6ed741b77d07989a48e1556565e74568ef83f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup.exe
Filesize
453KB

MD5
32d785752249c44e16fbcfb314714ba7

SHA1
2d7fe4bad7d7e293db1dc5f3a03115c21c817c22

SHA256
fbb38dc329ee921d8f22619dba7ba1e7a63b6fb0ff172aae8a46a608048a883f

SHA512
a6d66ddfbbaa1f1039d8a989fcc619a21442dececa1f768e5c2b1066e5092718abc5d47b0f18f42819cb646b3e6ed741b77d07989a48e1556565e74568ef83f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup.exe
Filesize
453KB

MD5
32d785752249c44e16fbcfb314714ba7

SHA1
2d7fe4bad7d7e293db1dc5f3a03115c21c817c22

SHA256
fbb38dc329ee921d8f22619dba7ba1e7a63b6fb0ff172aae8a46a608048a883f

SHA512
a6d66ddfbbaa1f1039d8a989fcc619a21442dececa1f768e5c2b1066e5092718abc5d47b0f18f42819cb646b3e6ed741b77d07989a48e1556565e74568ef83f9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
Filesize
209KB

MD5
8b670cc6298f430313a1eda996a13793

SHA1
cbd88ba7c0c8f5a2ae0e3e051d0495d4083e3c9b

SHA256
ed424aee893a9f9b100ad566a305c08955566c816d07765e7866b81b80527ea4

SHA512
20ccd37e496ee5ef918eb5b05248c0a0b9191c857270b6f6e4d19df643f1631b4b0a917ead8a050b6f52073de804c5b490c1b02a4938372251eb94aafa8dea54

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
Filesize
209KB

MD5
8b670cc6298f430313a1eda996a13793

SHA1
cbd88ba7c0c8f5a2ae0e3e051d0495d4083e3c9b

SHA256
ed424aee893a9f9b100ad566a305c08955566c816d07765e7866b81b80527ea4

SHA512
20ccd37e496ee5ef918eb5b05248c0a0b9191c857270b6f6e4d19df643f1631b4b0a917ead8a050b6f52073de804c5b490c1b02a4938372251eb94aafa8dea54

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
Filesize
320KB

MD5
ef59e792e42a91556d66354bbb706161

SHA1
a09673e4a591c6588cd0322003aea74da9719469

SHA256
4d160114b554d1df65b045d5daee127fe780789f20e79d9330a55055ba00fef0

SHA512
bc25dbcb9874e71ab4cd4f9b8445833600b01d29323e6f7e3c57794e828a3f925360a8d700d9648d751d5f6ba7dd23a345c20fbaf10ce161458c27fed3e1eebd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
Filesize
320KB

MD5
ef59e792e42a91556d66354bbb706161

SHA1
a09673e4a591c6588cd0322003aea74da9719469

SHA256
4d160114b554d1df65b045d5daee127fe780789f20e79d9330a55055ba00fef0

SHA512
bc25dbcb9874e71ab4cd4f9b8445833600b01d29323e6f7e3c57794e828a3f925360a8d700d9648d751d5f6ba7dd23a345c20fbaf10ce161458c27fed3e1eebd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
Filesize
209KB

MD5
8b670cc6298f430313a1eda996a13793

SHA1
cbd88ba7c0c8f5a2ae0e3e051d0495d4083e3c9b

SHA256
ed424aee893a9f9b100ad566a305c08955566c816d07765e7866b81b80527ea4

SHA512
20ccd37e496ee5ef918eb5b05248c0a0b9191c857270b6f6e4d19df643f1631b4b0a917ead8a050b6f52073de804c5b490c1b02a4938372251eb94aafa8dea54

Download Submit
memory/1148-99-0x000000006ED70000-0x000000006F31B000-memory.dmp

Filesize
5.7MB

Download
memory/1148-89-0x000000000040747E-mapping.dmp

Download
memory/1148-88-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1148-87-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1148-86-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1148-84-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1148-95-0x000000006ED70000-0x000000006F31B000-memory.dmp

Filesize
5.7MB

Download
memory/1148-91-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1148-83-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1148-93-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1300-69-0x0000000000000000-mapping.dmp

Download
memory/1300-73-0x000007FEF2970000-0x000007FEF3A06000-memory.dmp

Filesize
16.6MB

Download
memory/1300-72-0x000007FEF3C50000-0x000007FEF4673000-memory.dmp

Filesize
10.1MB

Download
memory/1576-97-0x0000000000000000-mapping.dmp

Download
memory/1604-56-0x000007FEFB6A1000-0x000007FEFB6A3000-memory.dmp

Filesize
8KB

Download
memory/1604-55-0x000007FEF2760000-0x000007FEF37F6000-memory.dmp

Filesize
16.6MB

Download
memory/1604-54-0x000007FEF3C50000-0x000007FEF4673000-memory.dmp

Filesize
10.1MB

Download
memory/1832-57-0x0000000000000000-mapping.dmp

Download
memory/1832-67-0x000007FEF2520000-0x000007FEF35B6000-memory.dmp

Filesize
16.6MB

Download
memory/1832-60-0x000007FEF3C50000-0x000007FEF4673000-memory.dmp

Filesize
10.1MB

Download
memory/1880-78-0x0000000000000000-mapping.dmp

Download
memory/1880-81-0x000007FEF3C50000-0x000007FEF4673000-memory.dmp

Filesize
10.1MB

Download
memory/1996-64-0x000007FEF3C50000-0x000007FEF4673000-memory.dmp

Filesize
10.1MB

Download
memory/1996-68-0x000007FEF2520000-0x000007FEF35B6000-memory.dmp

Filesize
16.6MB

Download
memory/1996-61-0x0000000000000000-mapping.dmp

Download
memory/2044-63-0x0000000000000000-mapping.dmp

Download
memory/2044-82-0x0000000005430000-0x0000000005472000-memory.dmp

Filesize
264KB

Download
memory/2044-77-0x0000000004ED5000-0x0000000004EE6000-memory.dmp

Filesize
68KB

Download
memory/2044-76-0x0000000004ED5000-0x0000000004EE6000-memory.dmp

Filesize
68KB

Download
memory/2044-75-0x0000000075601000-0x0000000075603000-memory.dmp

Filesize
8KB

Download
memory/2044-74-0x0000000000A50000-0x0000000000AD2000-memory.dmp

Filesize
520KB

Download