njrat | e1d8fd036bb1ad32351420c825491672f6c423419cede6e3f16096a989e066df

Analysis

max time kernel
149s
max time network
155s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
03-10-2022 00:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e1d8fd036bb1ad32351420c825491672f6c423419cede6e3f16096a989e066df.exe
Size

243KB
MD5

6b695a7b241359cba5a4e94751902d90
SHA1

684bde72a7a20d6db8f7d81e6f6dadfd9b8a44ab
SHA256

e1d8fd036bb1ad32351420c825491672f6c423419cede6e3f16096a989e066df
SHA512

93e406ec9ba9d91f5878989d7973817b6eac75d0d13a80920e4fd9f669619ea4e54038970b30691ad049775f838b646915d84f3cab127d4cfcbe6a4cfdf0deba
SSDEEP

6144:GWzpIiSxD3vAJVbG+KxRTnGeM8GCsMbH6eKKN:XzCiOrIFbK3aerZjK

Score

10^/10

njrat hacked evasion trojan

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

HacKed

toshiba.no-ip.biz:1177

Mutex

5f7f79738df89bca155327b166914425

Attributes

reg_key
5f7f79738df89bca155327b166914425
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 1 IoCs

Processes:

663.exe

pid process

896 663.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

676 netsh.exe
Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

663.exe

pid process

896 663.exe
896 663.exe
896 663.exe
896 663.exe
896 663.exe
896 663.exe
896 663.exe
896 663.exe
896 663.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

663.exe

description pid process

Token: SeDebugPrivilege 896 663.exe

pid	process
896	663.exe

pid	process
676	netsh.exe

pid	process
896	663.exe
896	663.exe
896	663.exe
896	663.exe
896	663.exe
896	663.exe
896	663.exe
896	663.exe
896	663.exe

description	pid	process
Token: SeDebugPrivilege	896	663.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

e1d8fd036bb1ad32351420c825491672f6c423419cede6e3f16096a989e066df.exe663.exe

description	pid	process	target process
PID 1544 wrote to memory of 896	1544	e1d8fd036bb1ad32351420c825491672f6c423419cede6e3f16096a989e066df.exe	663.exe
PID 1544 wrote to memory of 896	1544	e1d8fd036bb1ad32351420c825491672f6c423419cede6e3f16096a989e066df.exe	663.exe
PID 1544 wrote to memory of 896	1544	e1d8fd036bb1ad32351420c825491672f6c423419cede6e3f16096a989e066df.exe	663.exe
PID 896 wrote to memory of 676	896	663.exe	netsh.exe
PID 896 wrote to memory of 676	896	663.exe	netsh.exe
PID 896 wrote to memory of 676	896	663.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\e1d8fd036bb1ad32351420c825491672f6c423419cede6e3f16096a989e066df.exe
"C:\Users\Admin\AppData\Local\Temp\e1d8fd036bb1ad32351420c825491672f6c423419cede6e3f16096a989e066df.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1544
- C:\Users\Admin\AppData\Local\Temp\663.exe
  C:\Users\Admin\AppData\Local\Temp\663.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:896
- - C:\Windows\system32\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\663.exe" "663.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    PID:676

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\663.exe

Filesize
25KB

MD5
7aab149914450a3c3ea4c9a3f99ebb40

SHA1
fa8f8a70da5ad262681ebb281742ae1df3e3ce5e

SHA256
145b1c8660a52b6ae1a37bf489f1d388af9c3788caa352044149ccac0e08507a

SHA512
8bdf5aca54b92ca167c6a64f81a7489cb7330f32d7872ed624c7071570b6f5d9b25f21c36e970b88df3b9b539bf8aae4dc5dee2b852858ac95a7ad230b6b2f7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\663.exe

Filesize
25KB

MD5
7aab149914450a3c3ea4c9a3f99ebb40

SHA1
fa8f8a70da5ad262681ebb281742ae1df3e3ce5e

SHA256
145b1c8660a52b6ae1a37bf489f1d388af9c3788caa352044149ccac0e08507a

SHA512
8bdf5aca54b92ca167c6a64f81a7489cb7330f32d7872ed624c7071570b6f5d9b25f21c36e970b88df3b9b539bf8aae4dc5dee2b852858ac95a7ad230b6b2f7f

Download Submit
memory/676-65-0x000007FEFBB71000-0x000007FEFBB73000-memory.dmp

Filesize
8KB

Download
memory/676-64-0x0000000000000000-mapping.dmp

Download
memory/896-60-0x0000000000830000-0x000000000083C000-memory.dmp

Filesize
48KB

Download
memory/896-57-0x0000000000000000-mapping.dmp

Download
memory/896-61-0x00000000002E0000-0x00000000002EC000-memory.dmp

Filesize
48KB

Download
memory/896-62-0x00000000002F0000-0x00000000002FC000-memory.dmp

Filesize
48KB

Download
memory/896-63-0x0000000000300000-0x000000000030E000-memory.dmp

Filesize
56KB

Download
memory/896-66-0x000000001B226000-0x000000001B245000-memory.dmp

Filesize
124KB

Download
memory/896-67-0x000000001B226000-0x000000001B245000-memory.dmp

Filesize
124KB

Download
memory/1544-54-0x0000000000B60000-0x0000000000BA4000-memory.dmp

Filesize
272KB

Download
memory/1544-56-0x0000000000590000-0x00000000005A8000-memory.dmp

Filesize
96KB

Download
memory/1544-55-0x00000000004F0000-0x00000000004FC000-memory.dmp

Filesize
48KB

Download