njrat | c30250a18d472e5c8379e8eaa939e0bf3cc87cfe991da6deba491a092afb0611

Analysis

max time kernel
30s
max time network
29s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
15-09-2022 08:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Heart-Sender Priv8 Version/Heart-Sender-V1.2.exe
Size

1.5MB
MD5

175d1484e55c5b6f16bff5631b92c171
SHA1

b11901746a8143c558877ea42dfa1221874bfba5
SHA256

7119d9570d888f5ffcb8f3c54d8d962fc87d83fbdd34c96b951acb3d2889777f
SHA512

93fa8f0b5401ef5d6069bfecec897267fae61888d82058973687bb13bcfa684d3c29249703774c889efe5ae91efda0957098f1c3fd4d7a0eccec86184104537c
SSDEEP

12288:+7qKAAwzaQa3lsZtsW2NH8d98AsmZF3ARZ0AsEye7Zm8TPXWP:2xJwzaQa3Pc98pmZFQ3WP

Score

10^/10

njrat hacked evasion trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

newpartyfrmaap.ddns.net:7070

Mutex

fb4647cd59a8f29058f4529d83344fa5

Attributes

reg_key
fb4647cd59a8f29058f4529d83344fa5
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 3 IoCs

Processes:

WindowsApp1.exeHeart-Sender-V1.2.exeJavaUpdate.exe

pid process

1408 WindowsApp1.exe
4408 Heart-Sender-V1.2.exe
4796 JavaUpdate.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

532 netsh.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1408	WindowsApp1.exe
4408	Heart-Sender-V1.2.exe
4796	JavaUpdate.exe

pid	process
532	netsh.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

Heart-Sender-V1.2.exeWindowsApp1.exeJavaUpdate.exe

description	pid	process	target process
PID 4544 wrote to memory of 1408	4544	Heart-Sender-V1.2.exe	WindowsApp1.exe
PID 4544 wrote to memory of 1408	4544	Heart-Sender-V1.2.exe	WindowsApp1.exe
PID 4544 wrote to memory of 1408	4544	Heart-Sender-V1.2.exe	WindowsApp1.exe
PID 4544 wrote to memory of 4408	4544	Heart-Sender-V1.2.exe	Heart-Sender-V1.2.exe
PID 4544 wrote to memory of 4408	4544	Heart-Sender-V1.2.exe	Heart-Sender-V1.2.exe
PID 4544 wrote to memory of 4408	4544	Heart-Sender-V1.2.exe	Heart-Sender-V1.2.exe
PID 1408 wrote to memory of 4796	1408	WindowsApp1.exe	JavaUpdate.exe
PID 1408 wrote to memory of 4796	1408	WindowsApp1.exe	JavaUpdate.exe
PID 1408 wrote to memory of 4796	1408	WindowsApp1.exe	JavaUpdate.exe
PID 4796 wrote to memory of 532	4796	JavaUpdate.exe	netsh.exe
PID 4796 wrote to memory of 532	4796	JavaUpdate.exe	netsh.exe
PID 4796 wrote to memory of 532	4796	JavaUpdate.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\Heart-Sender Priv8 Version\Heart-Sender-V1.2.exe
"C:\Users\Admin\AppData\Local\Temp\Heart-Sender Priv8 Version\Heart-Sender-V1.2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4544

C:\Users\Admin\AppData\Local\Temp\WindowsApp1.exe
"C:\Users\Admin\AppData\Local\Temp\WindowsApp1.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1408

C:\Users\Admin\AppData\Roaming\JavaUpdate.exe
"C:\Users\Admin\AppData\Roaming\JavaUpdate.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4796

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\JavaUpdate.exe" "JavaUpdate.exe" ENABLE
4⤵
- Modifies Windows Firewall
PID:532

C:\Users\Admin\AppData\Local\Temp\Heart-Sender-V1.2.exe
"C:\Users\Admin\AppData\Local\Temp\Heart-Sender-V1.2.exe"
2⤵
- Executes dropped EXE
PID:4408

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Heart-Sender-V1.2.exe
Filesize
226KB

MD5
9c7691ff597e9efd7f796b31accb78e8

SHA1
81bb289aa37d182b60e86990376a375de7a8decc

SHA256
1624af752c9f85fd117fafb28feb42a079f283dc133cdcc5799810072a95a6cb

SHA512
739f187aaeda13b7ebef3918a965b8da4ee939cd3e60d36802768f52be7b08f5964b121d1e977f4c408ff8ae6aba02df4a4d37785735c2f70d8610551cbab135

Download Submit
C:\Users\Admin\AppData\Local\Temp\Heart-Sender-V1.2.exe
Filesize
226KB

MD5
9c7691ff597e9efd7f796b31accb78e8

SHA1
81bb289aa37d182b60e86990376a375de7a8decc

SHA256
1624af752c9f85fd117fafb28feb42a079f283dc133cdcc5799810072a95a6cb

SHA512
739f187aaeda13b7ebef3918a965b8da4ee939cd3e60d36802768f52be7b08f5964b121d1e977f4c408ff8ae6aba02df4a4d37785735c2f70d8610551cbab135

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsApp1.exe
Filesize
1.0MB

MD5
0f2aa87f7c7e6b11b911f71170ba1104

SHA1
03000e57f78fab7596c4c59aab06fda9c2e9d91d

SHA256
b596ca499b0af2b700d867b976d0d793a98431309f88ef306c62056d0315f857

SHA512
f2e7d5646490ed4cf1b3a8dbaa7490228f744d694c7642f4bd4d22a155235720f2fa5ac65b5e4adcd443139e12a630198dd8d558d977c90bf1802851b7e54fb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsApp1.exe
Filesize
1.0MB

MD5
0f2aa87f7c7e6b11b911f71170ba1104

SHA1
03000e57f78fab7596c4c59aab06fda9c2e9d91d

SHA256
b596ca499b0af2b700d867b976d0d793a98431309f88ef306c62056d0315f857

SHA512
f2e7d5646490ed4cf1b3a8dbaa7490228f744d694c7642f4bd4d22a155235720f2fa5ac65b5e4adcd443139e12a630198dd8d558d977c90bf1802851b7e54fb9

Download Submit
C:\Users\Admin\AppData\Roaming\JavaUpdate.exe
Filesize
1.0MB

MD5
0f2aa87f7c7e6b11b911f71170ba1104

SHA1
03000e57f78fab7596c4c59aab06fda9c2e9d91d

SHA256
b596ca499b0af2b700d867b976d0d793a98431309f88ef306c62056d0315f857

SHA512
f2e7d5646490ed4cf1b3a8dbaa7490228f744d694c7642f4bd4d22a155235720f2fa5ac65b5e4adcd443139e12a630198dd8d558d977c90bf1802851b7e54fb9

Download Submit
C:\Users\Admin\AppData\Roaming\JavaUpdate.exe
Filesize
1.0MB

MD5
0f2aa87f7c7e6b11b911f71170ba1104

SHA1
03000e57f78fab7596c4c59aab06fda9c2e9d91d

SHA256
b596ca499b0af2b700d867b976d0d793a98431309f88ef306c62056d0315f857

SHA512
f2e7d5646490ed4cf1b3a8dbaa7490228f744d694c7642f4bd4d22a155235720f2fa5ac65b5e4adcd443139e12a630198dd8d558d977c90bf1802851b7e54fb9

Download Submit
memory/532-384-0x0000000000000000-mapping.dmp

Download
memory/1408-286-0x0000000000EA0000-0x0000000000EAA000-memory.dmp

Filesize
40KB

Download
memory/1408-192-0x0000000000000000-mapping.dmp

Download
memory/1408-267-0x00000000003B0000-0x00000000004C0000-memory.dmp

Filesize
1.1MB

Download
memory/1408-272-0x0000000004E30000-0x0000000004ECC000-memory.dmp

Filesize
624KB

Download
memory/4408-319-0x0000000009030000-0x0000000009052000-memory.dmp

Filesize
136KB

Download
memory/4408-282-0x0000000005780000-0x0000000005812000-memory.dmp

Filesize
584KB

Download
memory/4408-278-0x000000000A200000-0x000000000A6FE000-memory.dmp

Filesize
5.0MB

Download
memory/4408-277-0x00000000054B0000-0x0000000005568000-memory.dmp

Filesize
736KB

Download
memory/4408-302-0x0000000005760000-0x000000000576A000-memory.dmp

Filesize
40KB

Download
memory/4408-266-0x0000000000CF0000-0x0000000000D2E000-memory.dmp

Filesize
248KB

Download
memory/4408-316-0x0000000008C80000-0x0000000008FD0000-memory.dmp

Filesize
3.3MB

Download
memory/4408-199-0x0000000000000000-mapping.dmp

Download
memory/4544-157-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-167-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-136-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-137-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-138-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-139-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-140-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-141-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-142-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-143-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-144-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-145-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-146-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-147-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-148-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-149-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-150-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-151-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-152-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-153-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-154-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-155-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-156-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-134-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-158-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-159-0x00000000736C0000-0x0000000073C70000-memory.dmp

Filesize
5.7MB

Download
memory/4544-160-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-161-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-162-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-163-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-164-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-165-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-166-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-135-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-168-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-169-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-170-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-171-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-172-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-173-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-174-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-175-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-176-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-177-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-178-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-179-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-180-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-181-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-182-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-183-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-184-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-211-0x00000000736C0000-0x0000000073C70000-memory.dmp

Filesize
5.7MB

Download
memory/4544-133-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-132-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-131-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-130-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-129-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-128-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-127-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-126-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-125-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-124-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-123-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-120-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-122-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-121-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4796-340-0x0000000000000000-mapping.dmp

Download