njrat | 28d0076db09d89709ef2d882d69aa9a171fceb3c12669b28c46e08ce64ed700e

General

Target

28d0076db09d89709ef2d882d69aa9a171fceb3c12669b28c46e08ce64ed700e.exe
Size

256KB
MD5

73bd3bdeb4a75c3ff74a7935ddac9c80
SHA1

6ce1bd6708038d57673a06052940f30e318ffdb1
SHA256

28d0076db09d89709ef2d882d69aa9a171fceb3c12669b28c46e08ce64ed700e
SHA512

bcad6326216c1f38f746c04b983b62935c81c61857e02a1825ad4e58d0f0d7cff4e1821c2ded20e8e81145fb6041dc7034d723030a19d18571eca5a0cbb4c4d2
SSDEEP

6144:RmfAQ369AGxNWJHzMK7pqfeJs4s1zLnlBX+UVes/d:RvVxN4HzLq2KxBX+AeG

Score

10^/10

njrat hacked trojan

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

HacKed

C2

win123.no-ip.biz:1177

Mutex

470fceaa18ffd7ea15451e9bd351fd87

Attributes

reg_key
470fceaa18ffd7ea15451e9bd351fd87
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 2 IoCs

Processes:

LocalbcN_WXrQOb.exeFirefox.exe

pid process

1496 LocalbcN_WXrQOb.exe
760 Firefox.exe
Loads dropped DLL 1 IoCs

Processes:

LocalbcN_WXrQOb.exe

pid process

1496 LocalbcN_WXrQOb.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1496	LocalbcN_WXrQOb.exe
760	Firefox.exe

pid	process
1496	LocalbcN_WXrQOb.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

28d0076db09d89709ef2d882d69aa9a171fceb3c12669b28c46e08ce64ed700e.exeLocalbcN_WXrQOb.exe

description	pid	process	target process
PID 784 wrote to memory of 1496	784	28d0076db09d89709ef2d882d69aa9a171fceb3c12669b28c46e08ce64ed700e.exe	LocalbcN_WXrQOb.exe
PID 784 wrote to memory of 1496	784	28d0076db09d89709ef2d882d69aa9a171fceb3c12669b28c46e08ce64ed700e.exe	LocalbcN_WXrQOb.exe
PID 784 wrote to memory of 1496	784	28d0076db09d89709ef2d882d69aa9a171fceb3c12669b28c46e08ce64ed700e.exe	LocalbcN_WXrQOb.exe
PID 784 wrote to memory of 1496	784	28d0076db09d89709ef2d882d69aa9a171fceb3c12669b28c46e08ce64ed700e.exe	LocalbcN_WXrQOb.exe
PID 1496 wrote to memory of 760	1496	LocalbcN_WXrQOb.exe	Firefox.exe
PID 1496 wrote to memory of 760	1496	LocalbcN_WXrQOb.exe	Firefox.exe
PID 1496 wrote to memory of 760	1496	LocalbcN_WXrQOb.exe	Firefox.exe
PID 1496 wrote to memory of 760	1496	LocalbcN_WXrQOb.exe	Firefox.exe

C:\Users\Admin\AppData\Local\Temp\28d0076db09d89709ef2d882d69aa9a171fceb3c12669b28c46e08ce64ed700e.exe
"C:\Users\Admin\AppData\Local\Temp\28d0076db09d89709ef2d882d69aa9a171fceb3c12669b28c46e08ce64ed700e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:784

C:\Users\Admin\AppData\LocalbcN_WXrQOb.exe
"C:\Users\Admin\AppData\LocalbcN_WXrQOb.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1496

C:\ProgramData\Firefox.exe
"C:\ProgramData\Firefox.exe"
3⤵
- Executes dropped EXE
PID:760

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Firefox.exe
Filesize
29KB

MD5
42484c5a2b76757e8bdc1e48ce71be74

SHA1
10a130799ef29aa0be4b93147859510b54f09b22

SHA256
933c8a326c3f52412684d20ac9bfa1fa0a78cef6d7a8f9719dd19a799d74565c

SHA512
4c7fbce06cdb2e4d82ffbc79dfaa8161d7b8264589d3109e913cc61ea7dfb6071cf5dc301b065c4430d40ea51c18420f8efcedaf1dc4d8333555b5f41dd4be09

Download Submit
C:\ProgramData\Firefox.exe
Filesize
29KB

MD5
42484c5a2b76757e8bdc1e48ce71be74

SHA1
10a130799ef29aa0be4b93147859510b54f09b22

SHA256
933c8a326c3f52412684d20ac9bfa1fa0a78cef6d7a8f9719dd19a799d74565c

SHA512
4c7fbce06cdb2e4d82ffbc79dfaa8161d7b8264589d3109e913cc61ea7dfb6071cf5dc301b065c4430d40ea51c18420f8efcedaf1dc4d8333555b5f41dd4be09

Download Submit
C:\Users\Admin\AppData\LocalbcN_WXrQOb.exe
Filesize
29KB

MD5
42484c5a2b76757e8bdc1e48ce71be74

SHA1
10a130799ef29aa0be4b93147859510b54f09b22

SHA256
933c8a326c3f52412684d20ac9bfa1fa0a78cef6d7a8f9719dd19a799d74565c

SHA512
4c7fbce06cdb2e4d82ffbc79dfaa8161d7b8264589d3109e913cc61ea7dfb6071cf5dc301b065c4430d40ea51c18420f8efcedaf1dc4d8333555b5f41dd4be09

Download Submit
C:\Users\Admin\AppData\LocalbcN_WXrQOb.exe
Filesize
29KB

MD5
42484c5a2b76757e8bdc1e48ce71be74

SHA1
10a130799ef29aa0be4b93147859510b54f09b22

SHA256
933c8a326c3f52412684d20ac9bfa1fa0a78cef6d7a8f9719dd19a799d74565c

SHA512
4c7fbce06cdb2e4d82ffbc79dfaa8161d7b8264589d3109e913cc61ea7dfb6071cf5dc301b065c4430d40ea51c18420f8efcedaf1dc4d8333555b5f41dd4be09

Download Submit
\ProgramData\Firefox.exe
Filesize
29KB

MD5
42484c5a2b76757e8bdc1e48ce71be74

SHA1
10a130799ef29aa0be4b93147859510b54f09b22

SHA256
933c8a326c3f52412684d20ac9bfa1fa0a78cef6d7a8f9719dd19a799d74565c

SHA512
4c7fbce06cdb2e4d82ffbc79dfaa8161d7b8264589d3109e913cc61ea7dfb6071cf5dc301b065c4430d40ea51c18420f8efcedaf1dc4d8333555b5f41dd4be09

Download Submit
memory/760-63-0x0000000000000000-mapping.dmp

Download
memory/760-67-0x0000000074120000-0x00000000746CB000-memory.dmp

Filesize
5.7MB

Download
memory/760-69-0x0000000074120000-0x00000000746CB000-memory.dmp

Filesize
5.7MB

Download
memory/784-59-0x000000001AF90000-0x000000001AFA0000-memory.dmp

Filesize
64KB

Download
memory/784-54-0x000007FEF3D10000-0x000007FEF4733000-memory.dmp

Filesize
10.1MB

Download
memory/784-55-0x000007FEFB871000-0x000007FEFB873000-memory.dmp

Filesize
8KB

Download
memory/1496-60-0x0000000075FC1000-0x0000000075FC3000-memory.dmp

Filesize
8KB

Download
memory/1496-61-0x0000000074120000-0x00000000746CB000-memory.dmp

Filesize
5.7MB

Download
memory/1496-56-0x0000000000000000-mapping.dmp

Download
memory/1496-68-0x0000000074120000-0x00000000746CB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing