njrat | 991e78566446c860f859905c0d4f0529ab5daa9f3792b6206b75e5eab2eaeaa0

Analysis

max time kernel
34s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02-10-2022 22:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

991e78566446c860f859905c0d4f0529ab5daa9f3792b6206b75e5eab2eaeaa0.exe
Size

29KB
MD5

6653deab44e0c1931da98843a74d52b0
SHA1

3412af8e3fde42c3cca0ba6e5e90783d0a5b1e03
SHA256

991e78566446c860f859905c0d4f0529ab5daa9f3792b6206b75e5eab2eaeaa0
SHA512

50d3be3173d8bfe807dc20a31a46cd22e4cd0928939f96cfcc5837dfe8de83517b798c618130a36a9269e0dd9e2d34582889201304e3fd95f95ce3bd811ca053
SSDEEP

384:ugJGJl7tj1Msagab1h5Vh+2CWmqDebD59ePbGBsbh0w4wlAokw9OhgOL1vYRGOZo:K7nMsanzR+2cqEDveyBKh0p29SgRuz

Score

10^/10

njrat hacked trojan

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

HacKed

trojanhackninja.ddns.net:2015

Mutex

5607fa2f78a79f2f2e754f5a87fb64d1

Attributes

reg_key
5607fa2f78a79f2f2e754f5a87fb64d1
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 1 IoCs

Processes:

eZ.exe

pid process

1340 eZ.exe
Loads dropped DLL 1 IoCs

Processes:

991e78566446c860f859905c0d4f0529ab5daa9f3792b6206b75e5eab2eaeaa0.exe

pid process

288 991e78566446c860f859905c0d4f0529ab5daa9f3792b6206b75e5eab2eaeaa0.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1340	eZ.exe

pid	process
288	991e78566446c860f859905c0d4f0529ab5daa9f3792b6206b75e5eab2eaeaa0.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

991e78566446c860f859905c0d4f0529ab5daa9f3792b6206b75e5eab2eaeaa0.exe

description	pid	process	target process
PID 288 wrote to memory of 1340	288	991e78566446c860f859905c0d4f0529ab5daa9f3792b6206b75e5eab2eaeaa0.exe	eZ.exe
PID 288 wrote to memory of 1340	288	991e78566446c860f859905c0d4f0529ab5daa9f3792b6206b75e5eab2eaeaa0.exe	eZ.exe
PID 288 wrote to memory of 1340	288	991e78566446c860f859905c0d4f0529ab5daa9f3792b6206b75e5eab2eaeaa0.exe	eZ.exe
PID 288 wrote to memory of 1340	288	991e78566446c860f859905c0d4f0529ab5daa9f3792b6206b75e5eab2eaeaa0.exe	eZ.exe

C:\Users\Admin\AppData\Local\Temp\991e78566446c860f859905c0d4f0529ab5daa9f3792b6206b75e5eab2eaeaa0.exe
"C:\Users\Admin\AppData\Local\Temp\991e78566446c860f859905c0d4f0529ab5daa9f3792b6206b75e5eab2eaeaa0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:288

C:\Users\Admin\AppData\Local\Temp\eZ.exe
"C:\Users\Admin\AppData\Local\Temp\eZ.exe"
2⤵
- Executes dropped EXE
PID:1340

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\eZ.exe
Filesize
29KB

MD5
6653deab44e0c1931da98843a74d52b0

SHA1
3412af8e3fde42c3cca0ba6e5e90783d0a5b1e03

SHA256
991e78566446c860f859905c0d4f0529ab5daa9f3792b6206b75e5eab2eaeaa0

SHA512
50d3be3173d8bfe807dc20a31a46cd22e4cd0928939f96cfcc5837dfe8de83517b798c618130a36a9269e0dd9e2d34582889201304e3fd95f95ce3bd811ca053

Download Submit
C:\Users\Admin\AppData\Local\Temp\eZ.exe
Filesize
29KB

MD5
6653deab44e0c1931da98843a74d52b0

SHA1
3412af8e3fde42c3cca0ba6e5e90783d0a5b1e03

SHA256
991e78566446c860f859905c0d4f0529ab5daa9f3792b6206b75e5eab2eaeaa0

SHA512
50d3be3173d8bfe807dc20a31a46cd22e4cd0928939f96cfcc5837dfe8de83517b798c618130a36a9269e0dd9e2d34582889201304e3fd95f95ce3bd811ca053

Download Submit
\Users\Admin\AppData\Local\Temp\eZ.exe
Filesize
29KB

MD5
6653deab44e0c1931da98843a74d52b0

SHA1
3412af8e3fde42c3cca0ba6e5e90783d0a5b1e03

SHA256
991e78566446c860f859905c0d4f0529ab5daa9f3792b6206b75e5eab2eaeaa0

SHA512
50d3be3173d8bfe807dc20a31a46cd22e4cd0928939f96cfcc5837dfe8de83517b798c618130a36a9269e0dd9e2d34582889201304e3fd95f95ce3bd811ca053

Download Submit
memory/288-54-0x0000000075771000-0x0000000075773000-memory.dmp

Filesize
8KB

Download
memory/288-60-0x00000000741C0000-0x000000007476B000-memory.dmp

Filesize
5.7MB

Download
memory/1340-56-0x0000000000000000-mapping.dmp

Download
memory/1340-61-0x00000000741C0000-0x000000007476B000-memory.dmp

Filesize
5.7MB

Download