njrat | 25e8214b16a263f671a643e0272376c1f1d70b0b585ec7ab83c9234710da9bdd

Analysis

max time kernel
152s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03-10-2022 01:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

25e8214b16a263f671a643e0272376c1f1d70b0b585ec7ab83c9234710da9bdd.exe
Size

228KB
MD5

011bb75fb268a7d8ec0c65176bb18570
SHA1

1ad5b8251012ef4aa1c968c8a97ebdb3eeb48999
SHA256

25e8214b16a263f671a643e0272376c1f1d70b0b585ec7ab83c9234710da9bdd
SHA512

ecfbca52a9fcc833d3a5a271172e3ef483bbbf076e9255f8922f7434c291d85f3a8967973777a032186f9bc7e57b463cb7d7d9c94b58b1dbb98ffb619b5442c4
SSDEEP

3072:PNR8MhW0lc+5cTpk6nq0l90o+VEz4vel4f2ZnZKfNsJQ1cZiQ8:Pp/lc3pk+91z4vV2nWS8

Score

10^/10

njrat hacked evasion trojan

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

HacKed

sex4233.no-ip.biz:1177

Mutex

573ca50cfe6c999db883b04b1fd23b44

Attributes

reg_key
573ca50cfe6c999db883b04b1fd23b44
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 1 IoCs

Processes:

goog1le.exe

pid process

2016 goog1le.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

1124 netsh.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

goog1le.exe

pid process

2016 goog1le.exe
2016 goog1le.exe
2016 goog1le.exe
2016 goog1le.exe
2016 goog1le.exe
2016 goog1le.exe
2016 goog1le.exe
2016 goog1le.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

goog1le.exe

description pid process

Token: SeDebugPrivilege 2016 goog1le.exe

pid	process
2016	goog1le.exe

pid	process
1124	netsh.exe

pid	process
2016	goog1le.exe
2016	goog1le.exe
2016	goog1le.exe
2016	goog1le.exe
2016	goog1le.exe
2016	goog1le.exe
2016	goog1le.exe
2016	goog1le.exe

description	pid	process
Token: SeDebugPrivilege	2016	goog1le.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

25e8214b16a263f671a643e0272376c1f1d70b0b585ec7ab83c9234710da9bdd.exegoog1le.exe

description	pid	process	target process
PID 1976 wrote to memory of 2016	1976	25e8214b16a263f671a643e0272376c1f1d70b0b585ec7ab83c9234710da9bdd.exe	goog1le.exe
PID 1976 wrote to memory of 2016	1976	25e8214b16a263f671a643e0272376c1f1d70b0b585ec7ab83c9234710da9bdd.exe	goog1le.exe
PID 1976 wrote to memory of 2016	1976	25e8214b16a263f671a643e0272376c1f1d70b0b585ec7ab83c9234710da9bdd.exe	goog1le.exe
PID 2016 wrote to memory of 1124	2016	goog1le.exe	netsh.exe
PID 2016 wrote to memory of 1124	2016	goog1le.exe	netsh.exe
PID 2016 wrote to memory of 1124	2016	goog1le.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\25e8214b16a263f671a643e0272376c1f1d70b0b585ec7ab83c9234710da9bdd.exe
"C:\Users\Admin\AppData\Local\Temp\25e8214b16a263f671a643e0272376c1f1d70b0b585ec7ab83c9234710da9bdd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Users\Admin\AppData\Local\Temp\goog1le.exe
  "C:\Users\Admin\AppData\Local\Temp\goog1le.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2016
- - C:\Windows\system32\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\goog1le.exe" "goog1le.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    PID:1124

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\goog1le.exe

Filesize
228KB

MD5
011bb75fb268a7d8ec0c65176bb18570

SHA1
1ad5b8251012ef4aa1c968c8a97ebdb3eeb48999

SHA256
25e8214b16a263f671a643e0272376c1f1d70b0b585ec7ab83c9234710da9bdd

SHA512
ecfbca52a9fcc833d3a5a271172e3ef483bbbf076e9255f8922f7434c291d85f3a8967973777a032186f9bc7e57b463cb7d7d9c94b58b1dbb98ffb619b5442c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\goog1le.exe

Filesize
228KB

MD5
011bb75fb268a7d8ec0c65176bb18570

SHA1
1ad5b8251012ef4aa1c968c8a97ebdb3eeb48999

SHA256
25e8214b16a263f671a643e0272376c1f1d70b0b585ec7ab83c9234710da9bdd

SHA512
ecfbca52a9fcc833d3a5a271172e3ef483bbbf076e9255f8922f7434c291d85f3a8967973777a032186f9bc7e57b463cb7d7d9c94b58b1dbb98ffb619b5442c4

Download Submit
memory/1124-63-0x0000000000000000-mapping.dmp

Download
memory/1976-54-0x0000000000F40000-0x0000000000F7E000-memory.dmp

Filesize
248KB

Download
memory/1976-55-0x00000000002D0000-0x00000000002E2000-memory.dmp

Filesize
72KB

Download
memory/1976-56-0x00000000002F0000-0x0000000000318000-memory.dmp

Filesize
160KB

Download
memory/1976-57-0x0000000000320000-0x0000000000346000-memory.dmp

Filesize
152KB

Download
memory/1976-58-0x000007FEFB531000-0x000007FEFB533000-memory.dmp

Filesize
8KB

Download
memory/2016-59-0x0000000000000000-mapping.dmp

Download
memory/2016-62-0x0000000000C90000-0x0000000000CCE000-memory.dmp

Filesize
248KB

Download