Overview

overview

10

Static

static

10

4ff6f79a49...76.exe

windows7-x64

10

4ff6f79a49...76.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    8s
  • max time network
    17s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-09-2022 20:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4ff6f79a49a97dc667f24ba8cda3a576.exe

  • Size

    43KB

  • MD5

    4ff6f79a49a97dc667f24ba8cda3a576

  • SHA1

    58b180568f77a147d272b46fa68789624b1cdd23

  • SHA256

    e0f6b466d18506eb16846285e03c050fe0f72dfcaaf55809c717ebc0c38de4f3

  • SHA512

    a52d861995e405f5ea4a3727a74d39c35ec92cd0659e1ea0af95267d2bb2db8519d394a240ec9abfa5ade1912dc4393d8828916a636c514202b2404a3e827a29

  • SSDEEP

    384:YZyd4g98NaIyrRBb3yw+IEJiE7azsIij+ZsNO3PlpJKkkjh/TzF7pWnd/greT0pO:u8ywFrjb3ynRwuXQ/oo/+L

Score
10/10
njrathackedtrojan

Malware Config

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

HacKed

C2

4.tcp.eu.ngrok.io:18018

Mutex

Windows Update

Attributes
  • reg_key

    Windows Update

  • splitter

    |Hassan|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4ff6f79a49a97dc667f24ba8cda3a576.exe
    "C:\Users\Admin\AppData\Local\Temp\4ff6f79a49a97dc667f24ba8cda3a576.exe"
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    PID:4340
    • C:\Users\Admin\AppData\Local\Temp\Server.exe
      "C:\Users\Admin\AppData\Local\Temp\Server.exe"
      2⤵
        PID:2700

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Server.exe
      Filesize

      43KB

      MD5

      4ff6f79a49a97dc667f24ba8cda3a576

      SHA1

      58b180568f77a147d272b46fa68789624b1cdd23

      SHA256

      e0f6b466d18506eb16846285e03c050fe0f72dfcaaf55809c717ebc0c38de4f3

      SHA512

      a52d861995e405f5ea4a3727a74d39c35ec92cd0659e1ea0af95267d2bb2db8519d394a240ec9abfa5ade1912dc4393d8828916a636c514202b2404a3e827a29

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\Server.exe
      Filesize

      43KB

      MD5

      4ff6f79a49a97dc667f24ba8cda3a576

      SHA1

      58b180568f77a147d272b46fa68789624b1cdd23

      SHA256

      e0f6b466d18506eb16846285e03c050fe0f72dfcaaf55809c717ebc0c38de4f3

      SHA512

      a52d861995e405f5ea4a3727a74d39c35ec92cd0659e1ea0af95267d2bb2db8519d394a240ec9abfa5ade1912dc4393d8828916a636c514202b2404a3e827a29

      Download Submit
    • memory/2700-136-0x0000000000000000-mapping.dmp
      Download
    • memory/2700-139-0x0000000005850000-0x000000000585A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/2700-140-0x0000000005A90000-0x0000000005AF6000-memory.dmp
      Filesize

      408KB

      Download
    • memory/4340-132-0x0000000000B90000-0x0000000000BA2000-memory.dmp
      Filesize

      72KB

      Download
    • memory/4340-133-0x0000000005570000-0x000000000560C000-memory.dmp
      Filesize

      624KB

      Download
    • memory/4340-135-0x00000000059A0000-0x0000000005A32000-memory.dmp
      Filesize

      584KB

      Download
    • memory/4340-134-0x0000000005EB0000-0x0000000006454000-memory.dmp
      Filesize

      5.6MB

      Download