njrat | 92f8727ac61832086aef0d6445d602d25a08688f7a6e5f09556654a24df7aa12

Analysis

max time kernel
42s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03-10-2022 00:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

92f8727ac61832086aef0d6445d602d25a08688f7a6e5f09556654a24df7aa12.exe
Size

29KB
MD5

3ce85fe3e09e4362b85907bf72b85310
SHA1

9ca267e54f0f93220ef04928b7baa254c8580d28
SHA256

92f8727ac61832086aef0d6445d602d25a08688f7a6e5f09556654a24df7aa12
SHA512

127480783bd3f797fd6dc2ae4db427ee1440927e08e58ab90612762b252a88bea277d5d0f452826409f23511cf86ca1441276a17ae275d1dc9e18e0047026241
SSDEEP

384:uFUHEBl7p3hUw2s7bD55gEKJmqDSqre/IDGBsbh0w4wlAokw9OhgOL1vYRGOZzNr:u57bUw2C3kEpqNreHBKh0p29SgR/x

Score

10^/10

njrat hacked trojan

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

HacKed

klawess1.no-ip.org:1177

Mutex

5cd8f17f4086744065eb0992a09e05a2

Attributes

reg_key
5cd8f17f4086744065eb0992a09e05a2
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 1 IoCs

Processes:

Trojan.exe

pid process

1628 Trojan.exe
Loads dropped DLL 1 IoCs

Processes:

92f8727ac61832086aef0d6445d602d25a08688f7a6e5f09556654a24df7aa12.exe

pid process

1652 92f8727ac61832086aef0d6445d602d25a08688f7a6e5f09556654a24df7aa12.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1628	Trojan.exe

pid	process
1652	92f8727ac61832086aef0d6445d602d25a08688f7a6e5f09556654a24df7aa12.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

92f8727ac61832086aef0d6445d602d25a08688f7a6e5f09556654a24df7aa12.exe

description	pid	process	target process
PID 1652 wrote to memory of 1628	1652	92f8727ac61832086aef0d6445d602d25a08688f7a6e5f09556654a24df7aa12.exe	Trojan.exe
PID 1652 wrote to memory of 1628	1652	92f8727ac61832086aef0d6445d602d25a08688f7a6e5f09556654a24df7aa12.exe	Trojan.exe
PID 1652 wrote to memory of 1628	1652	92f8727ac61832086aef0d6445d602d25a08688f7a6e5f09556654a24df7aa12.exe	Trojan.exe
PID 1652 wrote to memory of 1628	1652	92f8727ac61832086aef0d6445d602d25a08688f7a6e5f09556654a24df7aa12.exe	Trojan.exe

C:\Users\Admin\AppData\Local\Temp\92f8727ac61832086aef0d6445d602d25a08688f7a6e5f09556654a24df7aa12.exe
"C:\Users\Admin\AppData\Local\Temp\92f8727ac61832086aef0d6445d602d25a08688f7a6e5f09556654a24df7aa12.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1652

C:\Users\Admin\AppData\Local\Temp\Trojan.exe
"C:\Users\Admin\AppData\Local\Temp\Trojan.exe"
2⤵
- Executes dropped EXE
PID:1628

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Trojan.exe
Filesize
29KB

MD5
3ce85fe3e09e4362b85907bf72b85310

SHA1
9ca267e54f0f93220ef04928b7baa254c8580d28

SHA256
92f8727ac61832086aef0d6445d602d25a08688f7a6e5f09556654a24df7aa12

SHA512
127480783bd3f797fd6dc2ae4db427ee1440927e08e58ab90612762b252a88bea277d5d0f452826409f23511cf86ca1441276a17ae275d1dc9e18e0047026241

Download Submit
C:\Users\Admin\AppData\Local\Temp\Trojan.exe
Filesize
29KB

MD5
3ce85fe3e09e4362b85907bf72b85310

SHA1
9ca267e54f0f93220ef04928b7baa254c8580d28

SHA256
92f8727ac61832086aef0d6445d602d25a08688f7a6e5f09556654a24df7aa12

SHA512
127480783bd3f797fd6dc2ae4db427ee1440927e08e58ab90612762b252a88bea277d5d0f452826409f23511cf86ca1441276a17ae275d1dc9e18e0047026241

Download Submit
\Users\Admin\AppData\Local\Temp\Trojan.exe
Filesize
29KB

MD5
3ce85fe3e09e4362b85907bf72b85310

SHA1
9ca267e54f0f93220ef04928b7baa254c8580d28

SHA256
92f8727ac61832086aef0d6445d602d25a08688f7a6e5f09556654a24df7aa12

SHA512
127480783bd3f797fd6dc2ae4db427ee1440927e08e58ab90612762b252a88bea277d5d0f452826409f23511cf86ca1441276a17ae275d1dc9e18e0047026241

Download Submit
memory/1628-57-0x0000000000000000-mapping.dmp

Download
memory/1628-61-0x0000000074500000-0x0000000074AAB000-memory.dmp

Filesize
5.7MB

Download
memory/1652-54-0x0000000076041000-0x0000000076043000-memory.dmp

Filesize
8KB

Download
memory/1652-56-0x0000000074500000-0x0000000074AAB000-memory.dmp

Filesize
5.7MB

Download
memory/1652-62-0x0000000074500000-0x0000000074AAB000-memory.dmp

Filesize
5.7MB

Download