njrat | 6d32feca089498fa2dd724c15aba575958686d9a7903bb409bbeb7eac81041fb

General

Target

6d32feca089498fa2dd724c15aba575958686d9a7903bb409bbeb7eac81041fb.exe
Size

149KB
MD5

7aaf6f85efb76651f9f58096c51da8f0
SHA1

5ade845e9c338641172b211a3c5fef6265ba1c8e
SHA256

6d32feca089498fa2dd724c15aba575958686d9a7903bb409bbeb7eac81041fb
SHA512

be0be39bc569db1d19e79a3994f94eff707ee586e7256919bff7001161b45e6c2ef6f2c2a31694e55494cff9b9401a8ef1debdc1d2083484d578341a181aa65f
SSDEEP

1536:X89yVWN812PN1vcbyjvFZYaSQa8Sm6Uq7ng3wSJZliqjzVvX1em:X2CkCiNNc+jdZnr67n47Z91em

Score

10^/10

njrat back evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

BACK

C2

mrdos11.no-ip.info:82

Mutex

b783c0e7129c40140a602ecff32029a2

Attributes

reg_key
b783c0e7129c40140a602ecff32029a2
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 2 IoCs

pid	Process
660	sress.exe
1704	sress.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
2044	netsh.exe

Loads dropped DLL 2 IoCs

pid	Process
1952	6d32feca089498fa2dd724c15aba575958686d9a7903bb409bbeb7eac81041fb.exe
660	sress.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\b783c0e7129c40140a602ecff32029a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sress.exe\" .."	sress.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\b783c0e7129c40140a602ecff32029a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sress.exe\" .."	sress.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1364 set thread context of 1952	1364	6d32feca089498fa2dd724c15aba575958686d9a7903bb409bbeb7eac81041fb.exe	26
PID 660 set thread context of 1704	660	sress.exe	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	1364	6d32feca089498fa2dd724c15aba575958686d9a7903bb409bbeb7eac81041fb.exe
Token: SeDebugPrivilege	660	sress.exe
Token: SeDebugPrivilege	1704	sress.exe
Token: 33	1704	sress.exe
Token: SeIncBasePriorityPrivilege	1704	sress.exe
Token: 33	1704	sress.exe
Token: SeIncBasePriorityPrivilege	1704	sress.exe
Token: 33	1704	sress.exe
Token: SeIncBasePriorityPrivilege	1704	sress.exe
Token: 33	1704	sress.exe
Token: SeIncBasePriorityPrivilege	1704	sress.exe
Token: 33	1704	sress.exe
Token: SeIncBasePriorityPrivilege	1704	sress.exe
Token: 33	1704	sress.exe
Token: SeIncBasePriorityPrivilege	1704	sress.exe
Token: 33	1704	sress.exe
Token: SeIncBasePriorityPrivilege	1704	sress.exe
Token: 33	1704	sress.exe
Token: SeIncBasePriorityPrivilege	1704	sress.exe
Token: 33	1704	sress.exe
Token: SeIncBasePriorityPrivilege	1704	sress.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 1364 wrote to memory of 1952	1364	6d32feca089498fa2dd724c15aba575958686d9a7903bb409bbeb7eac81041fb.exe	26
PID 1364 wrote to memory of 1952	1364	6d32feca089498fa2dd724c15aba575958686d9a7903bb409bbeb7eac81041fb.exe	26
PID 1364 wrote to memory of 1952	1364	6d32feca089498fa2dd724c15aba575958686d9a7903bb409bbeb7eac81041fb.exe	26
PID 1364 wrote to memory of 1952	1364	6d32feca089498fa2dd724c15aba575958686d9a7903bb409bbeb7eac81041fb.exe	26
PID 1364 wrote to memory of 1952	1364	6d32feca089498fa2dd724c15aba575958686d9a7903bb409bbeb7eac81041fb.exe	26
PID 1364 wrote to memory of 1952	1364	6d32feca089498fa2dd724c15aba575958686d9a7903bb409bbeb7eac81041fb.exe	26
PID 1364 wrote to memory of 1952	1364	6d32feca089498fa2dd724c15aba575958686d9a7903bb409bbeb7eac81041fb.exe	26
PID 1364 wrote to memory of 1952	1364	6d32feca089498fa2dd724c15aba575958686d9a7903bb409bbeb7eac81041fb.exe	26
PID 1364 wrote to memory of 1952	1364	6d32feca089498fa2dd724c15aba575958686d9a7903bb409bbeb7eac81041fb.exe	26
PID 1952 wrote to memory of 660	1952	6d32feca089498fa2dd724c15aba575958686d9a7903bb409bbeb7eac81041fb.exe	27
PID 1952 wrote to memory of 660	1952	6d32feca089498fa2dd724c15aba575958686d9a7903bb409bbeb7eac81041fb.exe	27
PID 1952 wrote to memory of 660	1952	6d32feca089498fa2dd724c15aba575958686d9a7903bb409bbeb7eac81041fb.exe	27
PID 1952 wrote to memory of 660	1952	6d32feca089498fa2dd724c15aba575958686d9a7903bb409bbeb7eac81041fb.exe	27
PID 660 wrote to memory of 1704	660	sress.exe	28
PID 660 wrote to memory of 1704	660	sress.exe	28
PID 660 wrote to memory of 1704	660	sress.exe	28
PID 660 wrote to memory of 1704	660	sress.exe	28
PID 660 wrote to memory of 1704	660	sress.exe	28
PID 660 wrote to memory of 1704	660	sress.exe	28
PID 660 wrote to memory of 1704	660	sress.exe	28
PID 660 wrote to memory of 1704	660	sress.exe	28
PID 660 wrote to memory of 1704	660	sress.exe	28
PID 1704 wrote to memory of 2044	1704	sress.exe	29
PID 1704 wrote to memory of 2044	1704	sress.exe	29
PID 1704 wrote to memory of 2044	1704	sress.exe	29
PID 1704 wrote to memory of 2044	1704	sress.exe	29

C:\Users\Admin\AppData\Local\Temp\6d32feca089498fa2dd724c15aba575958686d9a7903bb409bbeb7eac81041fb.exe
"C:\Users\Admin\AppData\Local\Temp\6d32feca089498fa2dd724c15aba575958686d9a7903bb409bbeb7eac81041fb.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1364
- C:\Users\Admin\AppData\Local\Temp\6d32feca089498fa2dd724c15aba575958686d9a7903bb409bbeb7eac81041fb.exe
  C:\Users\Admin\AppData\Local\Temp\6d32feca089498fa2dd724c15aba575958686d9a7903bb409bbeb7eac81041fb.exe
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1952
- - C:\Users\Admin\AppData\Local\Temp\sress.exe
    "C:\Users\Admin\AppData\Local\Temp\sress.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:660
  - - C:\Users\Admin\AppData\Local\Temp\sress.exe
      C:\Users\Admin\AppData\Local\Temp\sress.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1704
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\sress.exe" "sress.exe" ENABLE
        5⤵
        Modifies Windows Firewall
        
        PID:2044

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\sress.exe

Filesize
149KB

MD5
7aaf6f85efb76651f9f58096c51da8f0

SHA1
5ade845e9c338641172b211a3c5fef6265ba1c8e

SHA256
6d32feca089498fa2dd724c15aba575958686d9a7903bb409bbeb7eac81041fb

SHA512
be0be39bc569db1d19e79a3994f94eff707ee586e7256919bff7001161b45e6c2ef6f2c2a31694e55494cff9b9401a8ef1debdc1d2083484d578341a181aa65f

Download Submit
C:\Users\Admin\AppData\Local\Temp\sress.exe

Filesize
149KB

MD5
7aaf6f85efb76651f9f58096c51da8f0

SHA1
5ade845e9c338641172b211a3c5fef6265ba1c8e

SHA256
6d32feca089498fa2dd724c15aba575958686d9a7903bb409bbeb7eac81041fb

SHA512
be0be39bc569db1d19e79a3994f94eff707ee586e7256919bff7001161b45e6c2ef6f2c2a31694e55494cff9b9401a8ef1debdc1d2083484d578341a181aa65f

Download Submit
C:\Users\Admin\AppData\Local\Temp\sress.exe

Filesize
149KB

MD5
7aaf6f85efb76651f9f58096c51da8f0

SHA1
5ade845e9c338641172b211a3c5fef6265ba1c8e

SHA256
6d32feca089498fa2dd724c15aba575958686d9a7903bb409bbeb7eac81041fb

SHA512
be0be39bc569db1d19e79a3994f94eff707ee586e7256919bff7001161b45e6c2ef6f2c2a31694e55494cff9b9401a8ef1debdc1d2083484d578341a181aa65f

Download Submit
\Users\Admin\AppData\Local\Temp\sress.exe

Filesize
149KB

MD5
7aaf6f85efb76651f9f58096c51da8f0

SHA1
5ade845e9c338641172b211a3c5fef6265ba1c8e

SHA256
6d32feca089498fa2dd724c15aba575958686d9a7903bb409bbeb7eac81041fb

SHA512
be0be39bc569db1d19e79a3994f94eff707ee586e7256919bff7001161b45e6c2ef6f2c2a31694e55494cff9b9401a8ef1debdc1d2083484d578341a181aa65f

Download Submit
\Users\Admin\AppData\Local\Temp\sress.exe

Filesize
149KB

MD5
7aaf6f85efb76651f9f58096c51da8f0

SHA1
5ade845e9c338641172b211a3c5fef6265ba1c8e

SHA256
6d32feca089498fa2dd724c15aba575958686d9a7903bb409bbeb7eac81041fb

SHA512
be0be39bc569db1d19e79a3994f94eff707ee586e7256919bff7001161b45e6c2ef6f2c2a31694e55494cff9b9401a8ef1debdc1d2083484d578341a181aa65f

Download Submit
memory/660-75-0x00000000745B0000-0x0000000074B5B000-memory.dmp

Filesize
5.7MB

Download
memory/1364-62-0x00000000745B0000-0x0000000074B5B000-memory.dmp

Filesize
5.7MB

Download
memory/1364-54-0x0000000075091000-0x0000000075093000-memory.dmp

Filesize
8KB

Download
memory/1704-83-0x0000000074000000-0x00000000745AB000-memory.dmp

Filesize
5.7MB

Download
memory/1704-80-0x0000000074000000-0x00000000745AB000-memory.dmp

Filesize
5.7MB

Download
memory/1952-60-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1952-55-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1952-69-0x00000000745B0000-0x0000000074B5B000-memory.dmp

Filesize
5.7MB

Download
memory/1952-58-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1952-63-0x00000000745B0000-0x0000000074B5B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing