njrat | 7fd1f28c3c49a43cff14302b0d5e790be64412f3b8d142e1df84715cf144cdef

Analysis

max time kernel
26s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03-10-2022 02:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7fd1f28c3c49a43cff14302b0d5e790be64412f3b8d142e1df84715cf144cdef.exe
Size

366KB
MD5

2ec5f966af8485c4d445efb4c651e6c7
SHA1

fc9781a10f1fdf02680f6b5d560169ef1aeb24cf
SHA256

7fd1f28c3c49a43cff14302b0d5e790be64412f3b8d142e1df84715cf144cdef
SHA512

af5033db437dde5921568b59c453e4a09d4a145ca6c6ff077718cb96897a5e16a7ba46c25482b7cbb5cc9bd39f68d11d3d550c80180b75c288308e4790b1ea51
SSDEEP

6144:WsxanyfX5k7JlJDlABKUtfU/WQcb5e+CthMmBVuIpB6zk0OfgdGIohT+Y7bOPzAV:H0nyfXuIBDtfuFtCW3akTgdjoh6wbOkV

Score

10^/10

njrat hacked trojan

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

HacKed

kawtherkahla.ddns.net:1177

Mutex

5cd8f17f4086744065eb0992a09e05a2

Attributes

reg_key
5cd8f17f4086744065eb0992a09e05a2
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 3 IoCs

Processes:

Server.sfx.exeServer.exeTrojan.exe

pid process

628 Server.sfx.exe
836 Server.exe
1700 Trojan.exe
Loads dropped DLL 5 IoCs

Processes:

cmd.exeServer.sfx.exeServer.exe

pid process

1448 cmd.exe
628 Server.sfx.exe
628 Server.sfx.exe
628 Server.sfx.exe
836 Server.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
628	Server.sfx.exe
836	Server.exe
1700	Trojan.exe

pid	process
1448	cmd.exe
628	Server.sfx.exe
628	Server.sfx.exe
628	Server.sfx.exe
836	Server.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

7fd1f28c3c49a43cff14302b0d5e790be64412f3b8d142e1df84715cf144cdef.execmd.exeServer.sfx.exeServer.exe

description	pid	process	target process
PID 1488 wrote to memory of 1448	1488	7fd1f28c3c49a43cff14302b0d5e790be64412f3b8d142e1df84715cf144cdef.exe	cmd.exe
PID 1488 wrote to memory of 1448	1488	7fd1f28c3c49a43cff14302b0d5e790be64412f3b8d142e1df84715cf144cdef.exe	cmd.exe
PID 1488 wrote to memory of 1448	1488	7fd1f28c3c49a43cff14302b0d5e790be64412f3b8d142e1df84715cf144cdef.exe	cmd.exe
PID 1488 wrote to memory of 1448	1488	7fd1f28c3c49a43cff14302b0d5e790be64412f3b8d142e1df84715cf144cdef.exe	cmd.exe
PID 1488 wrote to memory of 1448	1488	7fd1f28c3c49a43cff14302b0d5e790be64412f3b8d142e1df84715cf144cdef.exe	cmd.exe
PID 1488 wrote to memory of 1448	1488	7fd1f28c3c49a43cff14302b0d5e790be64412f3b8d142e1df84715cf144cdef.exe	cmd.exe
PID 1488 wrote to memory of 1448	1488	7fd1f28c3c49a43cff14302b0d5e790be64412f3b8d142e1df84715cf144cdef.exe	cmd.exe
PID 1448 wrote to memory of 628	1448	cmd.exe	Server.sfx.exe
PID 1448 wrote to memory of 628	1448	cmd.exe	Server.sfx.exe
PID 1448 wrote to memory of 628	1448	cmd.exe	Server.sfx.exe
PID 1448 wrote to memory of 628	1448	cmd.exe	Server.sfx.exe
PID 1448 wrote to memory of 628	1448	cmd.exe	Server.sfx.exe
PID 1448 wrote to memory of 628	1448	cmd.exe	Server.sfx.exe
PID 1448 wrote to memory of 628	1448	cmd.exe	Server.sfx.exe
PID 628 wrote to memory of 836	628	Server.sfx.exe	Server.exe
PID 628 wrote to memory of 836	628	Server.sfx.exe	Server.exe
PID 628 wrote to memory of 836	628	Server.sfx.exe	Server.exe
PID 628 wrote to memory of 836	628	Server.sfx.exe	Server.exe
PID 628 wrote to memory of 836	628	Server.sfx.exe	Server.exe
PID 628 wrote to memory of 836	628	Server.sfx.exe	Server.exe
PID 628 wrote to memory of 836	628	Server.sfx.exe	Server.exe
PID 836 wrote to memory of 1700	836	Server.exe	Trojan.exe
PID 836 wrote to memory of 1700	836	Server.exe	Trojan.exe
PID 836 wrote to memory of 1700	836	Server.exe	Trojan.exe
PID 836 wrote to memory of 1700	836	Server.exe	Trojan.exe
PID 836 wrote to memory of 1700	836	Server.exe	Trojan.exe
PID 836 wrote to memory of 1700	836	Server.exe	Trojan.exe
PID 836 wrote to memory of 1700	836	Server.exe	Trojan.exe

C:\Users\Admin\AppData\Local\Temp\7fd1f28c3c49a43cff14302b0d5e790be64412f3b8d142e1df84715cf144cdef.exe
"C:\Users\Admin\AppData\Local\Temp\7fd1f28c3c49a43cff14302b0d5e790be64412f3b8d142e1df84715cf144cdef.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1488
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\fud.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1448
- - C:\Users\Admin\AppData\Local\Temp\Server.sfx.exe
    Server.sfx.exe -p123 -dC:\Users\Admin\AppData\Local\Temp
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:628
  - - C:\Users\Admin\AppData\Local\Temp\Server.exe
      "C:\Users\Admin\AppData\Local\Temp\Server.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:836
    - - C:\Users\Admin\AppData\Local\Temp\Trojan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Trojan.exe"
        5⤵
        Executes dropped EXE
        
        PID:1700

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Server.exe

Filesize
29KB

MD5
5ab8be54f0ff13232e92e1483931f8e3

SHA1
279bea8f3a4593563385283ac40f816583f6130e

SHA256
d7d5eff9f1e9324b0aa98265e2000d409357439d317cd1951d0adf77e3e41a57

SHA512
8a4d7e25260f368072bb6a3e7cd2c02bb44d7879530ae9c6454eb9c0f6cafc6acf3fab06fe1c354b34d21a28182a8896785b07bb4eddb326d9d6be097fdc2264

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe

Filesize
29KB

MD5
5ab8be54f0ff13232e92e1483931f8e3

SHA1
279bea8f3a4593563385283ac40f816583f6130e

SHA256
d7d5eff9f1e9324b0aa98265e2000d409357439d317cd1951d0adf77e3e41a57

SHA512
8a4d7e25260f368072bb6a3e7cd2c02bb44d7879530ae9c6454eb9c0f6cafc6acf3fab06fe1c354b34d21a28182a8896785b07bb4eddb326d9d6be097fdc2264

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.sfx.exe

Filesize
218KB

MD5
3b97de6480cd08b8068475bc5f41d9ec

SHA1
be7692bd43a5a271ec8b5df614ea006f0a2998c3

SHA256
2a3651c434b80145d8aef18782266a11848353ef2c4a57126a40c97f557bc68e

SHA512
ec504fd79978201e56f2f9a85dfcff8ed1697a5cee1cf38e45d0b7774d3a66f0427a72e9f5a9ccb0c3a7fe84a2ec18a1ee282c621914c163c5e506c152d6ffab

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.sfx.exe

Filesize
218KB

MD5
3b97de6480cd08b8068475bc5f41d9ec

SHA1
be7692bd43a5a271ec8b5df614ea006f0a2998c3

SHA256
2a3651c434b80145d8aef18782266a11848353ef2c4a57126a40c97f557bc68e

SHA512
ec504fd79978201e56f2f9a85dfcff8ed1697a5cee1cf38e45d0b7774d3a66f0427a72e9f5a9ccb0c3a7fe84a2ec18a1ee282c621914c163c5e506c152d6ffab

Download Submit
C:\Users\Admin\AppData\Local\Temp\Trojan.exe

Filesize
29KB

MD5
5ab8be54f0ff13232e92e1483931f8e3

SHA1
279bea8f3a4593563385283ac40f816583f6130e

SHA256
d7d5eff9f1e9324b0aa98265e2000d409357439d317cd1951d0adf77e3e41a57

SHA512
8a4d7e25260f368072bb6a3e7cd2c02bb44d7879530ae9c6454eb9c0f6cafc6acf3fab06fe1c354b34d21a28182a8896785b07bb4eddb326d9d6be097fdc2264

Download Submit
C:\Users\Admin\AppData\Local\Temp\Trojan.exe

Filesize
29KB

MD5
5ab8be54f0ff13232e92e1483931f8e3

SHA1
279bea8f3a4593563385283ac40f816583f6130e

SHA256
d7d5eff9f1e9324b0aa98265e2000d409357439d317cd1951d0adf77e3e41a57

SHA512
8a4d7e25260f368072bb6a3e7cd2c02bb44d7879530ae9c6454eb9c0f6cafc6acf3fab06fe1c354b34d21a28182a8896785b07bb4eddb326d9d6be097fdc2264

Download Submit
C:\Users\Admin\AppData\Local\Temp\fud.bat

Filesize
29B

MD5
2f7a8311a80bac88bdb24f6444cf867b

SHA1
b88808595430620ccb47e1513f9f80a7300672c7

SHA256
42a20ef5dd7d810ca2a2e64c84ce7ebdd1710ea338fed7c22d7b8b4c2ad0edd7

SHA512
c5805844df8d8f1a3bd10f25db72484cda47f7e6f77d7c823c6777497983ebd42a498f3efffddf0e9feeb0bb8c0e5d09c2a5bb1779c65841d8ea4f3ba47ae012

Download Submit
\Users\Admin\AppData\Local\Temp\Server.exe

Filesize
29KB

MD5
5ab8be54f0ff13232e92e1483931f8e3

SHA1
279bea8f3a4593563385283ac40f816583f6130e

SHA256
d7d5eff9f1e9324b0aa98265e2000d409357439d317cd1951d0adf77e3e41a57

SHA512
8a4d7e25260f368072bb6a3e7cd2c02bb44d7879530ae9c6454eb9c0f6cafc6acf3fab06fe1c354b34d21a28182a8896785b07bb4eddb326d9d6be097fdc2264

Download Submit
\Users\Admin\AppData\Local\Temp\Server.exe

Filesize
29KB

MD5
5ab8be54f0ff13232e92e1483931f8e3

SHA1
279bea8f3a4593563385283ac40f816583f6130e

SHA256
d7d5eff9f1e9324b0aa98265e2000d409357439d317cd1951d0adf77e3e41a57

SHA512
8a4d7e25260f368072bb6a3e7cd2c02bb44d7879530ae9c6454eb9c0f6cafc6acf3fab06fe1c354b34d21a28182a8896785b07bb4eddb326d9d6be097fdc2264

Download Submit
\Users\Admin\AppData\Local\Temp\Server.exe

Filesize
29KB

MD5
5ab8be54f0ff13232e92e1483931f8e3

SHA1
279bea8f3a4593563385283ac40f816583f6130e

SHA256
d7d5eff9f1e9324b0aa98265e2000d409357439d317cd1951d0adf77e3e41a57

SHA512
8a4d7e25260f368072bb6a3e7cd2c02bb44d7879530ae9c6454eb9c0f6cafc6acf3fab06fe1c354b34d21a28182a8896785b07bb4eddb326d9d6be097fdc2264

Download Submit
\Users\Admin\AppData\Local\Temp\Server.sfx.exe

Filesize
218KB

MD5
3b97de6480cd08b8068475bc5f41d9ec

SHA1
be7692bd43a5a271ec8b5df614ea006f0a2998c3

SHA256
2a3651c434b80145d8aef18782266a11848353ef2c4a57126a40c97f557bc68e

SHA512
ec504fd79978201e56f2f9a85dfcff8ed1697a5cee1cf38e45d0b7774d3a66f0427a72e9f5a9ccb0c3a7fe84a2ec18a1ee282c621914c163c5e506c152d6ffab

Download Submit
\Users\Admin\AppData\Local\Temp\Trojan.exe

Filesize
29KB

MD5
5ab8be54f0ff13232e92e1483931f8e3

SHA1
279bea8f3a4593563385283ac40f816583f6130e

SHA256
d7d5eff9f1e9324b0aa98265e2000d409357439d317cd1951d0adf77e3e41a57

SHA512
8a4d7e25260f368072bb6a3e7cd2c02bb44d7879530ae9c6454eb9c0f6cafc6acf3fab06fe1c354b34d21a28182a8896785b07bb4eddb326d9d6be097fdc2264

Download Submit
memory/628-60-0x0000000000000000-mapping.dmp

Download
memory/836-70-0x00000000744B0000-0x0000000074A5B000-memory.dmp

Filesize
5.7MB

Download
memory/836-66-0x0000000000000000-mapping.dmp

Download
memory/836-76-0x00000000744B0000-0x0000000074A5B000-memory.dmp

Filesize
5.7MB

Download
memory/1448-55-0x0000000000000000-mapping.dmp

Download
memory/1488-54-0x0000000075B41000-0x0000000075B43000-memory.dmp

Filesize
8KB

Download
memory/1700-72-0x0000000000000000-mapping.dmp

Download
memory/1700-77-0x00000000744B0000-0x0000000074A5B000-memory.dmp

Filesize
5.7MB

Download