njrat | 7471608bfd253164064f1c3a81021ba971fab0a53326c9d16f25b80c8559afa5

General

Target

7471608bfd253164064f1c3a81021ba971fab0a53326c9d16f25b80c8559afa5.exe
Size

449KB
MD5

55451c97044f34a04bdec331e8683b60
SHA1

b57ed0ff7ab076e8fd365da17c43e3e41660396d
SHA256

7471608bfd253164064f1c3a81021ba971fab0a53326c9d16f25b80c8559afa5
SHA512

68405cea40e57541ea66ab8573ad59a28df798991b945f7645bfec62e08c735a13001529e870846107c8329ff62b7bafcbfbe15c96e0de7f3c4725f2b9473767
SSDEEP

3072:exH+sKG5uRmeBJe+dcVFsIwvsex0TBGXp6a+bM8m2B+kTJEDPLTOoqDZE/IOIFKR:ep+sv9R4254+bM8m2UkeL3nQclL9

Score

10^/10

njrat hacked evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

HacKed

C2

aiss123.no-ip.biz:1177

Mutex

babe8364d0b44de2ea6e4bcccd70281e

Attributes

reg_key
babe8364d0b44de2ea6e4bcccd70281e
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 2 IoCs

Processes:

server.exeserver.exe

pid process

2040 server.exe
2016 server.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

1060 netsh.exe
Loads dropped DLL 2 IoCs

Processes:

7471608bfd253164064f1c3a81021ba971fab0a53326c9d16f25b80c8559afa5.exeserver.exe

pid process

1152 7471608bfd253164064f1c3a81021ba971fab0a53326c9d16f25b80c8559afa5.exe
2040 server.exe

pid	process
2040	server.exe
2016	server.exe

pid	process
1060	netsh.exe

pid	process
1152	7471608bfd253164064f1c3a81021ba971fab0a53326c9d16f25b80c8559afa5.exe
2040	server.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

server.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\babe8364d0b44de2ea6e4bcccd70281e = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\babe8364d0b44de2ea6e4bcccd70281e = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."	server.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

7471608bfd253164064f1c3a81021ba971fab0a53326c9d16f25b80c8559afa5.exeserver.exe

description	pid	process	target process
PID 736 set thread context of 1152	736	7471608bfd253164064f1c3a81021ba971fab0a53326c9d16f25b80c8559afa5.exe	7471608bfd253164064f1c3a81021ba971fab0a53326c9d16f25b80c8559afa5.exe
PID 2040 set thread context of 2016	2040	server.exe	server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

server.exe

pid process

2016 server.exe
2016 server.exe
2016 server.exe
2016 server.exe
2016 server.exe
2016 server.exe
2016 server.exe
2016 server.exe

pid	process
2016	server.exe
2016	server.exe
2016	server.exe
2016	server.exe
2016	server.exe
2016	server.exe
2016	server.exe
2016	server.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

7471608bfd253164064f1c3a81021ba971fab0a53326c9d16f25b80c8559afa5.exeserver.exeserver.exe

description	pid	process
Token: SeDebugPrivilege	736	7471608bfd253164064f1c3a81021ba971fab0a53326c9d16f25b80c8559afa5.exe
Token: SeDebugPrivilege	2040	server.exe
Token: SeDebugPrivilege	2016	server.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

7471608bfd253164064f1c3a81021ba971fab0a53326c9d16f25b80c8559afa5.exe7471608bfd253164064f1c3a81021ba971fab0a53326c9d16f25b80c8559afa5.exeserver.exeserver.exe

description	pid	process	target process
PID 736 wrote to memory of 1152	736	7471608bfd253164064f1c3a81021ba971fab0a53326c9d16f25b80c8559afa5.exe	7471608bfd253164064f1c3a81021ba971fab0a53326c9d16f25b80c8559afa5.exe
PID 736 wrote to memory of 1152	736	7471608bfd253164064f1c3a81021ba971fab0a53326c9d16f25b80c8559afa5.exe	7471608bfd253164064f1c3a81021ba971fab0a53326c9d16f25b80c8559afa5.exe
PID 736 wrote to memory of 1152	736	7471608bfd253164064f1c3a81021ba971fab0a53326c9d16f25b80c8559afa5.exe	7471608bfd253164064f1c3a81021ba971fab0a53326c9d16f25b80c8559afa5.exe
PID 736 wrote to memory of 1152	736	7471608bfd253164064f1c3a81021ba971fab0a53326c9d16f25b80c8559afa5.exe	7471608bfd253164064f1c3a81021ba971fab0a53326c9d16f25b80c8559afa5.exe
PID 736 wrote to memory of 1152	736	7471608bfd253164064f1c3a81021ba971fab0a53326c9d16f25b80c8559afa5.exe	7471608bfd253164064f1c3a81021ba971fab0a53326c9d16f25b80c8559afa5.exe
PID 736 wrote to memory of 1152	736	7471608bfd253164064f1c3a81021ba971fab0a53326c9d16f25b80c8559afa5.exe	7471608bfd253164064f1c3a81021ba971fab0a53326c9d16f25b80c8559afa5.exe
PID 1152 wrote to memory of 2040	1152	7471608bfd253164064f1c3a81021ba971fab0a53326c9d16f25b80c8559afa5.exe	server.exe
PID 1152 wrote to memory of 2040	1152	7471608bfd253164064f1c3a81021ba971fab0a53326c9d16f25b80c8559afa5.exe	server.exe
PID 1152 wrote to memory of 2040	1152	7471608bfd253164064f1c3a81021ba971fab0a53326c9d16f25b80c8559afa5.exe	server.exe
PID 1152 wrote to memory of 2040	1152	7471608bfd253164064f1c3a81021ba971fab0a53326c9d16f25b80c8559afa5.exe	server.exe
PID 2040 wrote to memory of 2016	2040	server.exe	server.exe
PID 2040 wrote to memory of 2016	2040	server.exe	server.exe
PID 2040 wrote to memory of 2016	2040	server.exe	server.exe
PID 2040 wrote to memory of 2016	2040	server.exe	server.exe
PID 2040 wrote to memory of 2016	2040	server.exe	server.exe
PID 2040 wrote to memory of 2016	2040	server.exe	server.exe
PID 2016 wrote to memory of 1060	2016	server.exe	netsh.exe
PID 2016 wrote to memory of 1060	2016	server.exe	netsh.exe
PID 2016 wrote to memory of 1060	2016	server.exe	netsh.exe
PID 2016 wrote to memory of 1060	2016	server.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\7471608bfd253164064f1c3a81021ba971fab0a53326c9d16f25b80c8559afa5.exe
"C:\Users\Admin\AppData\Local\Temp\7471608bfd253164064f1c3a81021ba971fab0a53326c9d16f25b80c8559afa5.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:736
- C:\Users\Admin\AppData\Local\Temp\7471608bfd253164064f1c3a81021ba971fab0a53326c9d16f25b80c8559afa5.exe
  C:\Users\Admin\AppData\Local\Temp\7471608bfd253164064f1c3a81021ba971fab0a53326c9d16f25b80c8559afa5.exe
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1152
- - C:\Users\Admin\AppData\Local\Temp\server.exe
    "C:\Users\Admin\AppData\Local\Temp\server.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2040
  - - C:\Users\Admin\AppData\Local\Temp\server.exe
      C:\Users\Admin\AppData\Local\Temp\server.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2016
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        5⤵
        Modifies Windows Firewall
        
        PID:1060

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
449KB

MD5
55451c97044f34a04bdec331e8683b60

SHA1
b57ed0ff7ab076e8fd365da17c43e3e41660396d

SHA256
7471608bfd253164064f1c3a81021ba971fab0a53326c9d16f25b80c8559afa5

SHA512
68405cea40e57541ea66ab8573ad59a28df798991b945f7645bfec62e08c735a13001529e870846107c8329ff62b7bafcbfbe15c96e0de7f3c4725f2b9473767

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
449KB

MD5
55451c97044f34a04bdec331e8683b60

SHA1
b57ed0ff7ab076e8fd365da17c43e3e41660396d

SHA256
7471608bfd253164064f1c3a81021ba971fab0a53326c9d16f25b80c8559afa5

SHA512
68405cea40e57541ea66ab8573ad59a28df798991b945f7645bfec62e08c735a13001529e870846107c8329ff62b7bafcbfbe15c96e0de7f3c4725f2b9473767

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
449KB

MD5
55451c97044f34a04bdec331e8683b60

SHA1
b57ed0ff7ab076e8fd365da17c43e3e41660396d

SHA256
7471608bfd253164064f1c3a81021ba971fab0a53326c9d16f25b80c8559afa5

SHA512
68405cea40e57541ea66ab8573ad59a28df798991b945f7645bfec62e08c735a13001529e870846107c8329ff62b7bafcbfbe15c96e0de7f3c4725f2b9473767

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe

Filesize
449KB

MD5
55451c97044f34a04bdec331e8683b60

SHA1
b57ed0ff7ab076e8fd365da17c43e3e41660396d

SHA256
7471608bfd253164064f1c3a81021ba971fab0a53326c9d16f25b80c8559afa5

SHA512
68405cea40e57541ea66ab8573ad59a28df798991b945f7645bfec62e08c735a13001529e870846107c8329ff62b7bafcbfbe15c96e0de7f3c4725f2b9473767

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe

Filesize
449KB

MD5
55451c97044f34a04bdec331e8683b60

SHA1
b57ed0ff7ab076e8fd365da17c43e3e41660396d

SHA256
7471608bfd253164064f1c3a81021ba971fab0a53326c9d16f25b80c8559afa5

SHA512
68405cea40e57541ea66ab8573ad59a28df798991b945f7645bfec62e08c735a13001529e870846107c8329ff62b7bafcbfbe15c96e0de7f3c4725f2b9473767

Download Submit
memory/736-55-0x0000000076201000-0x0000000076203000-memory.dmp

Filesize
8KB

Download
memory/736-56-0x0000000000450000-0x000000000045A000-memory.dmp

Filesize
40KB

Download
memory/736-54-0x0000000000980000-0x00000000009F6000-memory.dmp

Filesize
472KB

Download
memory/736-76-0x0000000004185000-0x0000000004196000-memory.dmp

Filesize
68KB

Download
memory/1060-80-0x0000000000000000-mapping.dmp

Download
memory/1152-58-0x0000000000408AFE-mapping.dmp

Download
memory/1152-62-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1152-60-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1152-57-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2016-72-0x0000000000408AFE-mapping.dmp

Download
memory/2016-83-0x0000000002385000-0x0000000002396000-memory.dmp

Filesize
68KB

Download
memory/2040-68-0x0000000000160000-0x00000000001D6000-memory.dmp

Filesize
472KB

Download
memory/2040-65-0x0000000000000000-mapping.dmp

Download
memory/2040-78-0x0000000004AD5000-0x0000000004AE6000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads