njrat | 09a09aafb99588cd17b81a7c33fe66ca7813b4f9d68944b56ed05b3969f8e474

General

Target

09a09aafb99588cd17b81a7c33fe66ca7813b4f9d68944b56ed05b3969f8e474.exe
Size

110KB
MD5

e2244ad72eb4152a062e3eeb5ce1891d
SHA1

abfa32d92c0c32b380080f4ba15fbce5a72afb3e
SHA256

09a09aafb99588cd17b81a7c33fe66ca7813b4f9d68944b56ed05b3969f8e474
SHA512

0fbd09fb6ce628c416e0252fcfba5e5323f8c2383dff38dc246ea0f1e8e419d0e2b39af150823455f384442259a2d519e05ad25673bc91a7b3979eb425066d5f
SSDEEP

1536:I08asokr96ISsdi9wMEkDN63QqMOzOIuxUNUnSqo/f2cDTNX3pc4gggYiURpB5Rf:1sFrHSsW6gnXcUnS9fhHh3pHjGH2KgB

Score

10^/10

njrat hacked trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

omarosama123456.ddns.net:1177

Mutex

456cebe97b6e0b79767853fec7f09165

Attributes

reg_key
456cebe97b6e0b79767853fec7f09165
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 2 IoCs

Processes:

System.exeSystem.exe

pid process

1896 System.exe
1620 System.exe

pid	process
1896	System.exe
1620	System.exe

Loads dropped DLL 2 IoCs

Processes:

09a09aafb99588cd17b81a7c33fe66ca7813b4f9d68944b56ed05b3969f8e474.exe

pid	process
1688	09a09aafb99588cd17b81a7c33fe66ca7813b4f9d68944b56ed05b3969f8e474.exe
1688	09a09aafb99588cd17b81a7c33fe66ca7813b4f9d68944b56ed05b3969f8e474.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

09a09aafb99588cd17b81a7c33fe66ca7813b4f9d68944b56ed05b3969f8e474.exeSystem.exe

description	pid	process	target process
PID 2032 set thread context of 1688	2032	09a09aafb99588cd17b81a7c33fe66ca7813b4f9d68944b56ed05b3969f8e474.exe	09a09aafb99588cd17b81a7c33fe66ca7813b4f9d68944b56ed05b3969f8e474.exe
PID 1896 set thread context of 1620	1896	System.exe	System.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

09a09aafb99588cd17b81a7c33fe66ca7813b4f9d68944b56ed05b3969f8e474.exeSystem.exe

pid	process
2032	09a09aafb99588cd17b81a7c33fe66ca7813b4f9d68944b56ed05b3969f8e474.exe
2032	09a09aafb99588cd17b81a7c33fe66ca7813b4f9d68944b56ed05b3969f8e474.exe
2032	09a09aafb99588cd17b81a7c33fe66ca7813b4f9d68944b56ed05b3969f8e474.exe
1896	System.exe
1896	System.exe
1896	System.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

09a09aafb99588cd17b81a7c33fe66ca7813b4f9d68944b56ed05b3969f8e474.exeSystem.exe

description	pid	process
Token: SeDebugPrivilege	2032	09a09aafb99588cd17b81a7c33fe66ca7813b4f9d68944b56ed05b3969f8e474.exe
Token: SeDebugPrivilege	1896	System.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

09a09aafb99588cd17b81a7c33fe66ca7813b4f9d68944b56ed05b3969f8e474.exe09a09aafb99588cd17b81a7c33fe66ca7813b4f9d68944b56ed05b3969f8e474.exeSystem.exe

description	pid	process	target process
PID 2032 wrote to memory of 1688	2032	09a09aafb99588cd17b81a7c33fe66ca7813b4f9d68944b56ed05b3969f8e474.exe	09a09aafb99588cd17b81a7c33fe66ca7813b4f9d68944b56ed05b3969f8e474.exe
PID 2032 wrote to memory of 1688	2032	09a09aafb99588cd17b81a7c33fe66ca7813b4f9d68944b56ed05b3969f8e474.exe	09a09aafb99588cd17b81a7c33fe66ca7813b4f9d68944b56ed05b3969f8e474.exe
PID 2032 wrote to memory of 1688	2032	09a09aafb99588cd17b81a7c33fe66ca7813b4f9d68944b56ed05b3969f8e474.exe	09a09aafb99588cd17b81a7c33fe66ca7813b4f9d68944b56ed05b3969f8e474.exe
PID 2032 wrote to memory of 1688	2032	09a09aafb99588cd17b81a7c33fe66ca7813b4f9d68944b56ed05b3969f8e474.exe	09a09aafb99588cd17b81a7c33fe66ca7813b4f9d68944b56ed05b3969f8e474.exe
PID 2032 wrote to memory of 1688	2032	09a09aafb99588cd17b81a7c33fe66ca7813b4f9d68944b56ed05b3969f8e474.exe	09a09aafb99588cd17b81a7c33fe66ca7813b4f9d68944b56ed05b3969f8e474.exe
PID 2032 wrote to memory of 1688	2032	09a09aafb99588cd17b81a7c33fe66ca7813b4f9d68944b56ed05b3969f8e474.exe	09a09aafb99588cd17b81a7c33fe66ca7813b4f9d68944b56ed05b3969f8e474.exe
PID 2032 wrote to memory of 1688	2032	09a09aafb99588cd17b81a7c33fe66ca7813b4f9d68944b56ed05b3969f8e474.exe	09a09aafb99588cd17b81a7c33fe66ca7813b4f9d68944b56ed05b3969f8e474.exe
PID 2032 wrote to memory of 1688	2032	09a09aafb99588cd17b81a7c33fe66ca7813b4f9d68944b56ed05b3969f8e474.exe	09a09aafb99588cd17b81a7c33fe66ca7813b4f9d68944b56ed05b3969f8e474.exe
PID 2032 wrote to memory of 1688	2032	09a09aafb99588cd17b81a7c33fe66ca7813b4f9d68944b56ed05b3969f8e474.exe	09a09aafb99588cd17b81a7c33fe66ca7813b4f9d68944b56ed05b3969f8e474.exe
PID 1688 wrote to memory of 1896	1688	09a09aafb99588cd17b81a7c33fe66ca7813b4f9d68944b56ed05b3969f8e474.exe	System.exe
PID 1688 wrote to memory of 1896	1688	09a09aafb99588cd17b81a7c33fe66ca7813b4f9d68944b56ed05b3969f8e474.exe	System.exe
PID 1688 wrote to memory of 1896	1688	09a09aafb99588cd17b81a7c33fe66ca7813b4f9d68944b56ed05b3969f8e474.exe	System.exe
PID 1688 wrote to memory of 1896	1688	09a09aafb99588cd17b81a7c33fe66ca7813b4f9d68944b56ed05b3969f8e474.exe	System.exe
PID 1896 wrote to memory of 1620	1896	System.exe	System.exe
PID 1896 wrote to memory of 1620	1896	System.exe	System.exe
PID 1896 wrote to memory of 1620	1896	System.exe	System.exe
PID 1896 wrote to memory of 1620	1896	System.exe	System.exe
PID 1896 wrote to memory of 1620	1896	System.exe	System.exe
PID 1896 wrote to memory of 1620	1896	System.exe	System.exe
PID 1896 wrote to memory of 1620	1896	System.exe	System.exe
PID 1896 wrote to memory of 1620	1896	System.exe	System.exe
PID 1896 wrote to memory of 1620	1896	System.exe	System.exe

C:\Users\Admin\AppData\Local\Temp\09a09aafb99588cd17b81a7c33fe66ca7813b4f9d68944b56ed05b3969f8e474.exe
"C:\Users\Admin\AppData\Local\Temp\09a09aafb99588cd17b81a7c33fe66ca7813b4f9d68944b56ed05b3969f8e474.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2032

C:\Users\Admin\AppData\Local\Temp\09a09aafb99588cd17b81a7c33fe66ca7813b4f9d68944b56ed05b3969f8e474.exe
C:\Users\Admin\AppData\Local\Temp\09a09aafb99588cd17b81a7c33fe66ca7813b4f9d68944b56ed05b3969f8e474.exe
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1688

C:\Users\Admin\AppData\Roaming\System.exe
"C:\Users\Admin\AppData\Roaming\System.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1896

C:\Users\Admin\AppData\Roaming\System.exe
C:\Users\Admin\AppData\Roaming\System.exe
4⤵
- Executes dropped EXE
PID:1620

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\System.exe
Filesize
110KB

MD5
e2244ad72eb4152a062e3eeb5ce1891d

SHA1
abfa32d92c0c32b380080f4ba15fbce5a72afb3e

SHA256
09a09aafb99588cd17b81a7c33fe66ca7813b4f9d68944b56ed05b3969f8e474

SHA512
0fbd09fb6ce628c416e0252fcfba5e5323f8c2383dff38dc246ea0f1e8e419d0e2b39af150823455f384442259a2d519e05ad25673bc91a7b3979eb425066d5f

Download Submit
C:\Users\Admin\AppData\Roaming\System.exe
Filesize
110KB

MD5
e2244ad72eb4152a062e3eeb5ce1891d

SHA1
abfa32d92c0c32b380080f4ba15fbce5a72afb3e

SHA256
09a09aafb99588cd17b81a7c33fe66ca7813b4f9d68944b56ed05b3969f8e474

SHA512
0fbd09fb6ce628c416e0252fcfba5e5323f8c2383dff38dc246ea0f1e8e419d0e2b39af150823455f384442259a2d519e05ad25673bc91a7b3979eb425066d5f

Download Submit
C:\Users\Admin\AppData\Roaming\System.exe
Filesize
110KB

MD5
e2244ad72eb4152a062e3eeb5ce1891d

SHA1
abfa32d92c0c32b380080f4ba15fbce5a72afb3e

SHA256
09a09aafb99588cd17b81a7c33fe66ca7813b4f9d68944b56ed05b3969f8e474

SHA512
0fbd09fb6ce628c416e0252fcfba5e5323f8c2383dff38dc246ea0f1e8e419d0e2b39af150823455f384442259a2d519e05ad25673bc91a7b3979eb425066d5f

Download Submit
\Users\Admin\AppData\Roaming\System.exe
Filesize
110KB

MD5
e2244ad72eb4152a062e3eeb5ce1891d

SHA1
abfa32d92c0c32b380080f4ba15fbce5a72afb3e

SHA256
09a09aafb99588cd17b81a7c33fe66ca7813b4f9d68944b56ed05b3969f8e474

SHA512
0fbd09fb6ce628c416e0252fcfba5e5323f8c2383dff38dc246ea0f1e8e419d0e2b39af150823455f384442259a2d519e05ad25673bc91a7b3979eb425066d5f

Download Submit
\Users\Admin\AppData\Roaming\System.exe
Filesize
110KB

MD5
e2244ad72eb4152a062e3eeb5ce1891d

SHA1
abfa32d92c0c32b380080f4ba15fbce5a72afb3e

SHA256
09a09aafb99588cd17b81a7c33fe66ca7813b4f9d68944b56ed05b3969f8e474

SHA512
0fbd09fb6ce628c416e0252fcfba5e5323f8c2383dff38dc246ea0f1e8e419d0e2b39af150823455f384442259a2d519e05ad25673bc91a7b3979eb425066d5f

Download Submit
memory/1620-76-0x000000000040749E-mapping.dmp

Download
memory/1688-61-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1688-59-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1688-56-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1688-64-0x0000000074E10000-0x00000000753BB000-memory.dmp

Filesize
5.7MB

Download
memory/1688-73-0x0000000074E10000-0x00000000753BB000-memory.dmp

Filesize
5.7MB

Download
memory/1688-57-0x000000000040749E-mapping.dmp

Download
memory/1896-74-0x0000000074E10000-0x00000000753BB000-memory.dmp

Filesize
5.7MB

Download
memory/1896-69-0x0000000000000000-mapping.dmp

Download
memory/1896-79-0x0000000074E10000-0x00000000753BB000-memory.dmp

Filesize
5.7MB

Download
memory/1896-80-0x0000000000B85000-0x0000000000B96000-memory.dmp

Filesize
68KB

Download
memory/2032-54-0x00000000766D1000-0x00000000766D3000-memory.dmp

Filesize
8KB

Download
memory/2032-63-0x0000000000245000-0x0000000000256000-memory.dmp

Filesize
68KB

Download
memory/2032-66-0x0000000000245000-0x0000000000256000-memory.dmp

Filesize
68KB

Download
memory/2032-65-0x0000000074E10000-0x00000000753BB000-memory.dmp

Filesize
5.7MB

Download
memory/2032-55-0x0000000074E10000-0x00000000753BB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads