njrat | ad27f82898cc7f747782543f55590d4b689e473b54158db4b27a4eb69b54e66b

General

Target

ad27f82898cc7f747782543f55590d4b689e473b54158db4b27a4eb69b54e66b.exe
Size

28KB
MD5

6f7b60a58bf66f8ec4f0bd9855a64900
SHA1

a28b06783289a0d142f32d0104e69bb3cc61ec34
SHA256

ad27f82898cc7f747782543f55590d4b689e473b54158db4b27a4eb69b54e66b
SHA512

0aed5abb9244a42dd905972078f6c8707a3c242e2800ca0a025033d34c5e933f5f207496c4a597e9972df33a807cff093a1d03c091f8fbae364ad7604cd62222
SSDEEP

768:SK7ZW4Oakw1BnX7oqsKuelBKh0p29SgR3R:SK78oEJKLKhG29j3R

Score

10^/10

njrat hacked evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

HacKed

C2

kurd-expert.ddns.net:1177

Mutex

9d40b6eb9ca0a7f1a306069df9bc9136

Attributes

reg_key
9d40b6eb9ca0a7f1a306069df9bc9136
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 1 IoCs

Processes:

trojan.exe

pid process

448 trojan.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

4088 netsh.exe

pid	process
4088	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ad27f82898cc7f747782543f55590d4b689e473b54158db4b27a4eb69b54e66b.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	ad27f82898cc7f747782543f55590d4b689e473b54158db4b27a4eb69b54e66b.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

trojan.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9d40b6eb9ca0a7f1a306069df9bc9136 = "\"C:\\Users\\Admin\\AppData\\Roaming\\trojan.exe\" .."	trojan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\9d40b6eb9ca0a7f1a306069df9bc9136 = "\"C:\\Users\\Admin\\AppData\\Roaming\\trojan.exe\" .."	trojan.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

trojan.exe

pid	process
448	trojan.exe
448	trojan.exe
448	trojan.exe
448	trojan.exe
448	trojan.exe
448	trojan.exe
448	trojan.exe
448	trojan.exe
448	trojan.exe
448	trojan.exe
448	trojan.exe
448	trojan.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

trojan.exe

description pid process

Token: SeDebugPrivilege 448 trojan.exe

description	pid	process
Token: SeDebugPrivilege	448	trojan.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

ad27f82898cc7f747782543f55590d4b689e473b54158db4b27a4eb69b54e66b.exetrojan.exe

description	pid	process	target process
PID 2252 wrote to memory of 448	2252	ad27f82898cc7f747782543f55590d4b689e473b54158db4b27a4eb69b54e66b.exe	trojan.exe
PID 2252 wrote to memory of 448	2252	ad27f82898cc7f747782543f55590d4b689e473b54158db4b27a4eb69b54e66b.exe	trojan.exe
PID 2252 wrote to memory of 448	2252	ad27f82898cc7f747782543f55590d4b689e473b54158db4b27a4eb69b54e66b.exe	trojan.exe
PID 448 wrote to memory of 4088	448	trojan.exe	netsh.exe
PID 448 wrote to memory of 4088	448	trojan.exe	netsh.exe
PID 448 wrote to memory of 4088	448	trojan.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\ad27f82898cc7f747782543f55590d4b689e473b54158db4b27a4eb69b54e66b.exe
"C:\Users\Admin\AppData\Local\Temp\ad27f82898cc7f747782543f55590d4b689e473b54158db4b27a4eb69b54e66b.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2252
- C:\Users\Admin\AppData\Roaming\trojan.exe
  "C:\Users\Admin\AppData\Roaming\trojan.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:448
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\trojan.exe" "trojan.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    PID:4088

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\trojan.exe

Filesize
28KB

MD5
6f7b60a58bf66f8ec4f0bd9855a64900

SHA1
a28b06783289a0d142f32d0104e69bb3cc61ec34

SHA256
ad27f82898cc7f747782543f55590d4b689e473b54158db4b27a4eb69b54e66b

SHA512
0aed5abb9244a42dd905972078f6c8707a3c242e2800ca0a025033d34c5e933f5f207496c4a597e9972df33a807cff093a1d03c091f8fbae364ad7604cd62222

Download Submit
C:\Users\Admin\AppData\Roaming\trojan.exe

Filesize
28KB

MD5
6f7b60a58bf66f8ec4f0bd9855a64900

SHA1
a28b06783289a0d142f32d0104e69bb3cc61ec34

SHA256
ad27f82898cc7f747782543f55590d4b689e473b54158db4b27a4eb69b54e66b

SHA512
0aed5abb9244a42dd905972078f6c8707a3c242e2800ca0a025033d34c5e933f5f207496c4a597e9972df33a807cff093a1d03c091f8fbae364ad7604cd62222

Download Submit
memory/448-133-0x0000000000000000-mapping.dmp

Download
memory/448-138-0x0000000074ED0000-0x0000000075481000-memory.dmp

Filesize
5.7MB

Download
memory/448-139-0x0000000074ED0000-0x0000000075481000-memory.dmp

Filesize
5.7MB

Download
memory/2252-132-0x0000000074ED0000-0x0000000075481000-memory.dmp

Filesize
5.7MB

Download
memory/2252-136-0x0000000074ED0000-0x0000000075481000-memory.dmp

Filesize
5.7MB

Download
memory/4088-137-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads