njrat | 7fd1f28c3c49a43cff14302b0d5e790be64412f3b8d142e1df84715cf144cdef

General

Target

7fd1f28c3c49a43cff14302b0d5e790be64412f3b8d142e1df84715cf144cdef.exe
Size

366KB
MD5

2ec5f966af8485c4d445efb4c651e6c7
SHA1

fc9781a10f1fdf02680f6b5d560169ef1aeb24cf
SHA256

7fd1f28c3c49a43cff14302b0d5e790be64412f3b8d142e1df84715cf144cdef
SHA512

af5033db437dde5921568b59c453e4a09d4a145ca6c6ff077718cb96897a5e16a7ba46c25482b7cbb5cc9bd39f68d11d3d550c80180b75c288308e4790b1ea51
SSDEEP

6144:WsxanyfX5k7JlJDlABKUtfU/WQcb5e+CthMmBVuIpB6zk0OfgdGIohT+Y7bOPzAV:H0nyfXuIBDtfuFtCW3akTgdjoh6wbOkV

Score

10^/10

njrat hacked trojan

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

HacKed

C2

kawtherkahla.ddns.net:1177

Mutex

5cd8f17f4086744065eb0992a09e05a2

Attributes

reg_key
5cd8f17f4086744065eb0992a09e05a2
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 3 IoCs

pid	Process
772	Server.sfx.exe
4936	Server.exe
1448	Trojan.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	7fd1f28c3c49a43cff14302b0d5e790be64412f3b8d142e1df84715cf144cdef.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Server.sfx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 944 wrote to memory of 1960	944	7fd1f28c3c49a43cff14302b0d5e790be64412f3b8d142e1df84715cf144cdef.exe	82
PID 944 wrote to memory of 1960	944	7fd1f28c3c49a43cff14302b0d5e790be64412f3b8d142e1df84715cf144cdef.exe	82
PID 944 wrote to memory of 1960	944	7fd1f28c3c49a43cff14302b0d5e790be64412f3b8d142e1df84715cf144cdef.exe	82
PID 1960 wrote to memory of 772	1960	cmd.exe	85
PID 1960 wrote to memory of 772	1960	cmd.exe	85
PID 1960 wrote to memory of 772	1960	cmd.exe	85
PID 772 wrote to memory of 4936	772	Server.sfx.exe	86
PID 772 wrote to memory of 4936	772	Server.sfx.exe	86
PID 772 wrote to memory of 4936	772	Server.sfx.exe	86
PID 4936 wrote to memory of 1448	4936	Server.exe	87
PID 4936 wrote to memory of 1448	4936	Server.exe	87
PID 4936 wrote to memory of 1448	4936	Server.exe	87

C:\Users\Admin\AppData\Local\Temp\7fd1f28c3c49a43cff14302b0d5e790be64412f3b8d142e1df84715cf144cdef.exe
"C:\Users\Admin\AppData\Local\Temp\7fd1f28c3c49a43cff14302b0d5e790be64412f3b8d142e1df84715cf144cdef.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:944
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fud.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1960
- - C:\Users\Admin\AppData\Local\Temp\Server.sfx.exe
    Server.sfx.exe -p123 -dC:\Users\Admin\AppData\Local\Temp
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:772
  - - C:\Users\Admin\AppData\Local\Temp\Server.exe
      "C:\Users\Admin\AppData\Local\Temp\Server.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:4936
    - - C:\Users\Admin\AppData\Local\Temp\Trojan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Trojan.exe"
        5⤵
        Executes dropped EXE
        
        PID:1448

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Server.exe

Filesize
29KB

MD5
5ab8be54f0ff13232e92e1483931f8e3

SHA1
279bea8f3a4593563385283ac40f816583f6130e

SHA256
d7d5eff9f1e9324b0aa98265e2000d409357439d317cd1951d0adf77e3e41a57

SHA512
8a4d7e25260f368072bb6a3e7cd2c02bb44d7879530ae9c6454eb9c0f6cafc6acf3fab06fe1c354b34d21a28182a8896785b07bb4eddb326d9d6be097fdc2264

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe

Filesize
29KB

MD5
5ab8be54f0ff13232e92e1483931f8e3

SHA1
279bea8f3a4593563385283ac40f816583f6130e

SHA256
d7d5eff9f1e9324b0aa98265e2000d409357439d317cd1951d0adf77e3e41a57

SHA512
8a4d7e25260f368072bb6a3e7cd2c02bb44d7879530ae9c6454eb9c0f6cafc6acf3fab06fe1c354b34d21a28182a8896785b07bb4eddb326d9d6be097fdc2264

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.sfx.exe

Filesize
218KB

MD5
3b97de6480cd08b8068475bc5f41d9ec

SHA1
be7692bd43a5a271ec8b5df614ea006f0a2998c3

SHA256
2a3651c434b80145d8aef18782266a11848353ef2c4a57126a40c97f557bc68e

SHA512
ec504fd79978201e56f2f9a85dfcff8ed1697a5cee1cf38e45d0b7774d3a66f0427a72e9f5a9ccb0c3a7fe84a2ec18a1ee282c621914c163c5e506c152d6ffab

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.sfx.exe

Filesize
218KB

MD5
3b97de6480cd08b8068475bc5f41d9ec

SHA1
be7692bd43a5a271ec8b5df614ea006f0a2998c3

SHA256
2a3651c434b80145d8aef18782266a11848353ef2c4a57126a40c97f557bc68e

SHA512
ec504fd79978201e56f2f9a85dfcff8ed1697a5cee1cf38e45d0b7774d3a66f0427a72e9f5a9ccb0c3a7fe84a2ec18a1ee282c621914c163c5e506c152d6ffab

Download Submit
C:\Users\Admin\AppData\Local\Temp\Trojan.exe

Filesize
29KB

MD5
5ab8be54f0ff13232e92e1483931f8e3

SHA1
279bea8f3a4593563385283ac40f816583f6130e

SHA256
d7d5eff9f1e9324b0aa98265e2000d409357439d317cd1951d0adf77e3e41a57

SHA512
8a4d7e25260f368072bb6a3e7cd2c02bb44d7879530ae9c6454eb9c0f6cafc6acf3fab06fe1c354b34d21a28182a8896785b07bb4eddb326d9d6be097fdc2264

Download Submit
C:\Users\Admin\AppData\Local\Temp\Trojan.exe

Filesize
29KB

MD5
5ab8be54f0ff13232e92e1483931f8e3

SHA1
279bea8f3a4593563385283ac40f816583f6130e

SHA256
d7d5eff9f1e9324b0aa98265e2000d409357439d317cd1951d0adf77e3e41a57

SHA512
8a4d7e25260f368072bb6a3e7cd2c02bb44d7879530ae9c6454eb9c0f6cafc6acf3fab06fe1c354b34d21a28182a8896785b07bb4eddb326d9d6be097fdc2264

Download Submit
C:\Users\Admin\AppData\Local\Temp\fud.bat

Filesize
29B

MD5
2f7a8311a80bac88bdb24f6444cf867b

SHA1
b88808595430620ccb47e1513f9f80a7300672c7

SHA256
42a20ef5dd7d810ca2a2e64c84ce7ebdd1710ea338fed7c22d7b8b4c2ad0edd7

SHA512
c5805844df8d8f1a3bd10f25db72484cda47f7e6f77d7c823c6777497983ebd42a498f3efffddf0e9feeb0bb8c0e5d09c2a5bb1779c65841d8ea4f3ba47ae012

Download Submit
memory/1448-144-0x00000000748C0000-0x0000000074E71000-memory.dmp

Filesize
5.7MB

Download
memory/4936-140-0x00000000748C0000-0x0000000074E71000-memory.dmp

Filesize
5.7MB

Download
memory/4936-145-0x00000000748C0000-0x0000000074E71000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing