njrat | 625b1d03e46f7f850dc9be6aaa27a8d07770049102ecace06cb5326412022265

General

Target

625b1d03e46f7f850dc9be6aaa27a8d07770049102ecace06cb5326412022265.exe
Size

541KB
MD5

61a8e83691cb299b433e8d64d67b9a40
SHA1

0141851caeba0713360c2749a45fff89589c3a96
SHA256

625b1d03e46f7f850dc9be6aaa27a8d07770049102ecace06cb5326412022265
SHA512

b9a449049a3f5c325eec18ff22b4a67825af6e2c593be225225169ee09d6c3985e5e2eca79a145cf8d841d093c943f107b7823f69c653e377124d7ffa819cb5d
SSDEEP

768:/Z1C/HjNmImp8k9RV4+RiHdxOnW5MedsruJDWaS77BKbwexZw32SLg0innjhyVT5:ax/mT9j2WW5MeGD7BKb7+it2N

Score

10^/10

njrat fucked by danger evasion trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

Fucked By Danger

C2

127.0.0.1:1991

Mutex

d81f5bf87f47c65c5403827c84b087b7

Attributes

reg_key
d81f5bf87f47c65c5403827c84b087b7
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 2 IoCs

pid	Process
1952	465.exe
1224	VS.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
1168	netsh.exe

Loads dropped DLL 1 IoCs

pid	Process
996	625b1d03e46f7f850dc9be6aaa27a8d07770049102ecace06cb5326412022265.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1640 set thread context of 996	1640	625b1d03e46f7f850dc9be6aaa27a8d07770049102ecace06cb5326412022265.exe	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1640	625b1d03e46f7f850dc9be6aaa27a8d07770049102ecace06cb5326412022265.exe
1640	625b1d03e46f7f850dc9be6aaa27a8d07770049102ecace06cb5326412022265.exe
1640	625b1d03e46f7f850dc9be6aaa27a8d07770049102ecace06cb5326412022265.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	1640	625b1d03e46f7f850dc9be6aaa27a8d07770049102ecace06cb5326412022265.exe
Token: SeDebugPrivilege	1224	VS.exe
Token: 33	1224	VS.exe
Token: SeIncBasePriorityPrivilege	1224	VS.exe
Token: 33	1224	VS.exe
Token: SeIncBasePriorityPrivilege	1224	VS.exe
Token: 33	1224	VS.exe
Token: SeIncBasePriorityPrivilege	1224	VS.exe
Token: 33	1224	VS.exe
Token: SeIncBasePriorityPrivilege	1224	VS.exe
Token: 33	1224	VS.exe
Token: SeIncBasePriorityPrivilege	1224	VS.exe
Token: 33	1224	VS.exe
Token: SeIncBasePriorityPrivilege	1224	VS.exe
Token: 33	1224	VS.exe
Token: SeIncBasePriorityPrivilege	1224	VS.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1640 wrote to memory of 996	1640	625b1d03e46f7f850dc9be6aaa27a8d07770049102ecace06cb5326412022265.exe	28
PID 1640 wrote to memory of 996	1640	625b1d03e46f7f850dc9be6aaa27a8d07770049102ecace06cb5326412022265.exe	28
PID 1640 wrote to memory of 996	1640	625b1d03e46f7f850dc9be6aaa27a8d07770049102ecace06cb5326412022265.exe	28
PID 1640 wrote to memory of 996	1640	625b1d03e46f7f850dc9be6aaa27a8d07770049102ecace06cb5326412022265.exe	28
PID 1640 wrote to memory of 996	1640	625b1d03e46f7f850dc9be6aaa27a8d07770049102ecace06cb5326412022265.exe	28
PID 1640 wrote to memory of 996	1640	625b1d03e46f7f850dc9be6aaa27a8d07770049102ecace06cb5326412022265.exe	28
PID 996 wrote to memory of 1952	996	625b1d03e46f7f850dc9be6aaa27a8d07770049102ecace06cb5326412022265.exe	30
PID 996 wrote to memory of 1952	996	625b1d03e46f7f850dc9be6aaa27a8d07770049102ecace06cb5326412022265.exe	30
PID 996 wrote to memory of 1952	996	625b1d03e46f7f850dc9be6aaa27a8d07770049102ecace06cb5326412022265.exe	30
PID 996 wrote to memory of 1952	996	625b1d03e46f7f850dc9be6aaa27a8d07770049102ecace06cb5326412022265.exe	30
PID 1952 wrote to memory of 1224	1952	465.exe	32
PID 1952 wrote to memory of 1224	1952	465.exe	32
PID 1952 wrote to memory of 1224	1952	465.exe	32
PID 1224 wrote to memory of 1168	1224	VS.exe	33
PID 1224 wrote to memory of 1168	1224	VS.exe	33
PID 1224 wrote to memory of 1168	1224	VS.exe	33

C:\Users\Admin\AppData\Local\Temp\625b1d03e46f7f850dc9be6aaa27a8d07770049102ecace06cb5326412022265.exe
"C:\Users\Admin\AppData\Local\Temp\625b1d03e46f7f850dc9be6aaa27a8d07770049102ecace06cb5326412022265.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1640
- C:\Users\Admin\AppData\Local\Temp\625b1d03e46f7f850dc9be6aaa27a8d07770049102ecace06cb5326412022265.exe
  C:\Users\Admin\AppData\Local\Temp\625b1d03e46f7f850dc9be6aaa27a8d07770049102ecace06cb5326412022265.exe
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:996
- - C:\Users\Admin\AppData\Local\Temp\465.exe
    C:\Users\Admin\AppData\Local\Temp\465.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1952
  - - C:\Users\Admin\AppData\Local\Temp\VS.exe
      "C:\Users\Admin\AppData\Local\Temp\VS.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1224
    - - C:\Windows\system32\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\VS.exe" "VS.exe" ENABLE
        5⤵
        Modifies Windows Firewall
        
        PID:1168

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\465.exe

Filesize
20KB

MD5
e5410b378e88e3ca80ae401662b1e505

SHA1
7c6fb2ea50c58b2a1e7df1103a47d944feb4eefc

SHA256
016b7152f5a31abacd69fc9d0d0ba785e7c81918375811d0458b8365b080047d

SHA512
4e0ac1154b272627785898c23362dd244f3fd3283b8b0f3cc5a3f8bfbe889bd2ed9ff87c5bf0c078ea315eeba65eab12a1c689bc3e17fa7ef345dd5ede7672a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\465.exe

Filesize
20KB

MD5
e5410b378e88e3ca80ae401662b1e505

SHA1
7c6fb2ea50c58b2a1e7df1103a47d944feb4eefc

SHA256
016b7152f5a31abacd69fc9d0d0ba785e7c81918375811d0458b8365b080047d

SHA512
4e0ac1154b272627785898c23362dd244f3fd3283b8b0f3cc5a3f8bfbe889bd2ed9ff87c5bf0c078ea315eeba65eab12a1c689bc3e17fa7ef345dd5ede7672a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\VS.exe

Filesize
20KB

MD5
e5410b378e88e3ca80ae401662b1e505

SHA1
7c6fb2ea50c58b2a1e7df1103a47d944feb4eefc

SHA256
016b7152f5a31abacd69fc9d0d0ba785e7c81918375811d0458b8365b080047d

SHA512
4e0ac1154b272627785898c23362dd244f3fd3283b8b0f3cc5a3f8bfbe889bd2ed9ff87c5bf0c078ea315eeba65eab12a1c689bc3e17fa7ef345dd5ede7672a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\VS.exe

Filesize
20KB

MD5
e5410b378e88e3ca80ae401662b1e505

SHA1
7c6fb2ea50c58b2a1e7df1103a47d944feb4eefc

SHA256
016b7152f5a31abacd69fc9d0d0ba785e7c81918375811d0458b8365b080047d

SHA512
4e0ac1154b272627785898c23362dd244f3fd3283b8b0f3cc5a3f8bfbe889bd2ed9ff87c5bf0c078ea315eeba65eab12a1c689bc3e17fa7ef345dd5ede7672a4

Download Submit
\Users\Admin\AppData\Local\Temp\465.exe

Filesize
20KB

MD5
e5410b378e88e3ca80ae401662b1e505

SHA1
7c6fb2ea50c58b2a1e7df1103a47d944feb4eefc

SHA256
016b7152f5a31abacd69fc9d0d0ba785e7c81918375811d0458b8365b080047d

SHA512
4e0ac1154b272627785898c23362dd244f3fd3283b8b0f3cc5a3f8bfbe889bd2ed9ff87c5bf0c078ea315eeba65eab12a1c689bc3e17fa7ef345dd5ede7672a4

Download Submit
memory/996-57-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/996-60-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/996-62-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1224-76-0x00000000013B0000-0x00000000013BC000-memory.dmp

Filesize
48KB

Download
memory/1640-70-0x0000000004C15000-0x0000000004C26000-memory.dmp

Filesize
68KB

Download
memory/1640-71-0x0000000004C15000-0x0000000004C26000-memory.dmp

Filesize
68KB

Download
memory/1640-56-0x0000000000530000-0x000000000053A000-memory.dmp

Filesize
40KB

Download
memory/1640-55-0x0000000075921000-0x0000000075923000-memory.dmp

Filesize
8KB

Download
memory/1640-54-0x0000000000C40000-0x0000000000CCE000-memory.dmp

Filesize
568KB

Download
memory/1952-69-0x00000000003E0000-0x00000000003EC000-memory.dmp

Filesize
48KB

Download
memory/1952-68-0x00000000003D0000-0x00000000003DA000-memory.dmp

Filesize
40KB

Download
memory/1952-72-0x000007FEFC371000-0x000007FEFC373000-memory.dmp

Filesize
8KB

Download
memory/1952-67-0x0000000001080000-0x000000000108C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing