njrat | 4991a15f80a687e9fba789bdf5a1c2c267d5e081f995f04b1015508a80923d4d

Analysis

max time kernel
153s
max time network
182s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2022, 03:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4991a15f80a687e9fba789bdf5a1c2c267d5e081f995f04b1015508a80923d4d.exe
Size

289KB
MD5

667ff4de94b2bc35524c90f12ef55436
SHA1

ba9871130fffb9bb39f86a9f93f59738b700e071
SHA256

4991a15f80a687e9fba789bdf5a1c2c267d5e081f995f04b1015508a80923d4d
SHA512

13fe51b7ddeef455fc24207304f1c6d6bc24aed867d1d7821016193cfc5ff89032b20468dd6ef3d2ec06e2af7d23590847e74277c7a029a56b4fe739489c545a
SSDEEP

6144:ftEdn0YCnM1F2YCar1oCXmYqhNmGTjd+uA:lEdn0YCM1QYCaicaNmGPk9

Score

10^/10

njrat hacked xcx trojan

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

HacKed XcX

3omdas.no-ip.biz:1177

Mutex

ba4c12bee3027d94da5c81db2d196bfd

Attributes

reg_key
ba4c12bee3027d94da5c81db2d196bfd
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 1 IoCs

pid	Process
5092	4991a15f80a687e9fba789bdf5a1c2c267d5e081f995f04b1015508a80923d4d.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4860	4612	WerFault.exe	81
4504	5092	WerFault.exe	85

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2592 set thread context of 4612	2592	4991a15f80a687e9fba789bdf5a1c2c267d5e081f995f04b1015508a80923d4d.exe	81
PID 2592 set thread context of 5092	2592	4991a15f80a687e9fba789bdf5a1c2c267d5e081f995f04b1015508a80923d4d.exe	85

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2592	4991a15f80a687e9fba789bdf5a1c2c267d5e081f995f04b1015508a80923d4d.exe
2592	4991a15f80a687e9fba789bdf5a1c2c267d5e081f995f04b1015508a80923d4d.exe
2592	4991a15f80a687e9fba789bdf5a1c2c267d5e081f995f04b1015508a80923d4d.exe
2592	4991a15f80a687e9fba789bdf5a1c2c267d5e081f995f04b1015508a80923d4d.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2592	4991a15f80a687e9fba789bdf5a1c2c267d5e081f995f04b1015508a80923d4d.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2592 wrote to memory of 4612	2592	4991a15f80a687e9fba789bdf5a1c2c267d5e081f995f04b1015508a80923d4d.exe	81
PID 2592 wrote to memory of 4612	2592	4991a15f80a687e9fba789bdf5a1c2c267d5e081f995f04b1015508a80923d4d.exe	81
PID 2592 wrote to memory of 4612	2592	4991a15f80a687e9fba789bdf5a1c2c267d5e081f995f04b1015508a80923d4d.exe	81
PID 2592 wrote to memory of 4612	2592	4991a15f80a687e9fba789bdf5a1c2c267d5e081f995f04b1015508a80923d4d.exe	81
PID 2592 wrote to memory of 4612	2592	4991a15f80a687e9fba789bdf5a1c2c267d5e081f995f04b1015508a80923d4d.exe	81
PID 2592 wrote to memory of 4612	2592	4991a15f80a687e9fba789bdf5a1c2c267d5e081f995f04b1015508a80923d4d.exe	81
PID 2592 wrote to memory of 4612	2592	4991a15f80a687e9fba789bdf5a1c2c267d5e081f995f04b1015508a80923d4d.exe	81
PID 2592 wrote to memory of 4612	2592	4991a15f80a687e9fba789bdf5a1c2c267d5e081f995f04b1015508a80923d4d.exe	81
PID 2592 wrote to memory of 5092	2592	4991a15f80a687e9fba789bdf5a1c2c267d5e081f995f04b1015508a80923d4d.exe	85
PID 2592 wrote to memory of 5092	2592	4991a15f80a687e9fba789bdf5a1c2c267d5e081f995f04b1015508a80923d4d.exe	85
PID 2592 wrote to memory of 5092	2592	4991a15f80a687e9fba789bdf5a1c2c267d5e081f995f04b1015508a80923d4d.exe	85
PID 2592 wrote to memory of 5092	2592	4991a15f80a687e9fba789bdf5a1c2c267d5e081f995f04b1015508a80923d4d.exe	85
PID 2592 wrote to memory of 5092	2592	4991a15f80a687e9fba789bdf5a1c2c267d5e081f995f04b1015508a80923d4d.exe	85
PID 2592 wrote to memory of 5092	2592	4991a15f80a687e9fba789bdf5a1c2c267d5e081f995f04b1015508a80923d4d.exe	85
PID 2592 wrote to memory of 5092	2592	4991a15f80a687e9fba789bdf5a1c2c267d5e081f995f04b1015508a80923d4d.exe	85
PID 2592 wrote to memory of 5092	2592	4991a15f80a687e9fba789bdf5a1c2c267d5e081f995f04b1015508a80923d4d.exe	85

C:\Users\Admin\AppData\Local\Temp\4991a15f80a687e9fba789bdf5a1c2c267d5e081f995f04b1015508a80923d4d.exe
"C:\Users\Admin\AppData\Local\Temp\4991a15f80a687e9fba789bdf5a1c2c267d5e081f995f04b1015508a80923d4d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2592
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
  2⤵
  PID:4612
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 212
    3⤵
    - Program crash
    PID:4860
- C:\Users\Admin\AppData\Local\Temp\4991a15f80a687e9fba789bdf5a1c2c267d5e081f995f04b1015508a80923d4d.exe
  C:\Users\Admin\AppData\Local\Temp\4991a15f80a687e9fba789bdf5a1c2c267d5e081f995f04b1015508a80923d4d.exe
  2⤵
  - Executes dropped EXE
  PID:5092
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 188
    3⤵
    - Program crash
    PID:4504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4612 -ip 4612
1⤵
PID:4948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5092 -ip 5092
1⤵
PID:2088

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4991a15f80a687e9fba789bdf5a1c2c267d5e081f995f04b1015508a80923d4d.exe

Filesize
289KB

MD5
667ff4de94b2bc35524c90f12ef55436

SHA1
ba9871130fffb9bb39f86a9f93f59738b700e071

SHA256
4991a15f80a687e9fba789bdf5a1c2c267d5e081f995f04b1015508a80923d4d

SHA512
13fe51b7ddeef455fc24207304f1c6d6bc24aed867d1d7821016193cfc5ff89032b20468dd6ef3d2ec06e2af7d23590847e74277c7a029a56b4fe739489c545a

Download Submit
memory/2592-132-0x0000000002380000-0x0000000002384000-memory.dmp

Filesize
16KB

Download
memory/5092-134-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download