njrat | c241359bb16c2f829556a085615e945964f419c8b6bf4fe057e074a42debc61d

General

Target

C241359BB16C2F829556A085615E945964F419C8B6BF4.exe
Size

37KB
MD5

baa72f0a4d0ec5929523d963530f918c
SHA1

69c59ca8edc4f143dabfb5b886ac134feae552ee
SHA256

c241359bb16c2f829556a085615e945964f419c8b6bf4fe057e074a42debc61d
SHA512

56e429c2590c290d7ecfcdfca5d219a51a9d00b61909483faca4cd4ba9dd9de250303e38d02198d1ae77ebd87207ba8d3c84d77ecb80cc17fcd6b975684b30c6
SSDEEP

384:Tqick7sgwi+tx3+j/NSyszg8QPBI3mmTlrAF+rMRTyN/0L+EcoinblneHQM3epzn:W5kQLCNhszg8QeWmBrM+rMRa8NuujQt

Score

10^/10

njrat hacked evasion trojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

HacKed

C2

2.tcp.ngrok.io:15117

Mutex

0235ee83238daee159f7e9875fd5f233

Attributes

reg_key
0235ee83238daee159f7e9875fd5f233
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 1 IoCs

Processes:

server.exe

pid process

3316 server.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

4896 netsh.exe

pid	process
3316	server.exe

pid	process
4896	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

C241359BB16C2F829556A085615E945964F419C8B6BF4.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	C241359BB16C2F829556A085615E945964F419C8B6BF4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

server.exe

description	pid	process
Token: SeDebugPrivilege	3316	server.exe
Token: 33	3316	server.exe
Token: SeIncBasePriorityPrivilege	3316	server.exe
Token: 33	3316	server.exe
Token: SeIncBasePriorityPrivilege	3316	server.exe
Token: 33	3316	server.exe
Token: SeIncBasePriorityPrivilege	3316	server.exe
Token: 33	3316	server.exe
Token: SeIncBasePriorityPrivilege	3316	server.exe
Token: 33	3316	server.exe
Token: SeIncBasePriorityPrivilege	3316	server.exe
Token: 33	3316	server.exe
Token: SeIncBasePriorityPrivilege	3316	server.exe
Token: 33	3316	server.exe
Token: SeIncBasePriorityPrivilege	3316	server.exe
Token: 33	3316	server.exe
Token: SeIncBasePriorityPrivilege	3316	server.exe
Token: 33	3316	server.exe
Token: SeIncBasePriorityPrivilege	3316	server.exe
Token: 33	3316	server.exe
Token: SeIncBasePriorityPrivilege	3316	server.exe
Token: 33	3316	server.exe
Token: SeIncBasePriorityPrivilege	3316	server.exe
Token: 33	3316	server.exe
Token: SeIncBasePriorityPrivilege	3316	server.exe
Token: 33	3316	server.exe
Token: SeIncBasePriorityPrivilege	3316	server.exe
Token: 33	3316	server.exe
Token: SeIncBasePriorityPrivilege	3316	server.exe
Token: 33	3316	server.exe
Token: SeIncBasePriorityPrivilege	3316	server.exe
Token: 33	3316	server.exe
Token: SeIncBasePriorityPrivilege	3316	server.exe
Token: 33	3316	server.exe
Token: SeIncBasePriorityPrivilege	3316	server.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

C241359BB16C2F829556A085615E945964F419C8B6BF4.exeserver.exe

description	pid	process	target process
PID 4588 wrote to memory of 3316	4588	C241359BB16C2F829556A085615E945964F419C8B6BF4.exe	server.exe
PID 4588 wrote to memory of 3316	4588	C241359BB16C2F829556A085615E945964F419C8B6BF4.exe	server.exe
PID 4588 wrote to memory of 3316	4588	C241359BB16C2F829556A085615E945964F419C8B6BF4.exe	server.exe
PID 3316 wrote to memory of 4896	3316	server.exe	netsh.exe
PID 3316 wrote to memory of 4896	3316	server.exe	netsh.exe
PID 3316 wrote to memory of 4896	3316	server.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\C241359BB16C2F829556A085615E945964F419C8B6BF4.exe
"C:\Users\Admin\AppData\Local\Temp\C241359BB16C2F829556A085615E945964F419C8B6BF4.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4588

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3316

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
3⤵
- Modifies Windows Firewall
PID:4896

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\server.exe
Filesize
37KB

MD5
baa72f0a4d0ec5929523d963530f918c

SHA1
69c59ca8edc4f143dabfb5b886ac134feae552ee

SHA256
c241359bb16c2f829556a085615e945964f419c8b6bf4fe057e074a42debc61d

SHA512
56e429c2590c290d7ecfcdfca5d219a51a9d00b61909483faca4cd4ba9dd9de250303e38d02198d1ae77ebd87207ba8d3c84d77ecb80cc17fcd6b975684b30c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe
Filesize
37KB

MD5
baa72f0a4d0ec5929523d963530f918c

SHA1
69c59ca8edc4f143dabfb5b886ac134feae552ee

SHA256
c241359bb16c2f829556a085615e945964f419c8b6bf4fe057e074a42debc61d

SHA512
56e429c2590c290d7ecfcdfca5d219a51a9d00b61909483faca4cd4ba9dd9de250303e38d02198d1ae77ebd87207ba8d3c84d77ecb80cc17fcd6b975684b30c6

Download Submit
memory/3316-133-0x0000000000000000-mapping.dmp

Download
memory/3316-137-0x0000000075360000-0x0000000075911000-memory.dmp

Filesize
5.7MB

Download
memory/3316-139-0x0000000075360000-0x0000000075911000-memory.dmp

Filesize
5.7MB

Download
memory/4588-132-0x0000000075360000-0x0000000075911000-memory.dmp

Filesize
5.7MB

Download
memory/4588-136-0x0000000075360000-0x0000000075911000-memory.dmp

Filesize
5.7MB

Download
memory/4896-138-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads