njrat | 9bb347dce075e62a7df2121b6f413769b564e0b58d4302a2372bedeac6a2880b

General

Target

Remcos 1.7 Full version Cracked.exe
Size

13.2MB
MD5

c00c09e7fa52bc19bd425d71e78ff4cb
SHA1

2cd1a7130a03d4056454733b62e4667a08451262
SHA256

9bb347dce075e62a7df2121b6f413769b564e0b58d4302a2372bedeac6a2880b
SHA512

8d18238fe7c906ddd155b8af3a0d32604aeafaf352ab1947a07f273168740c5971083b157c7e21b74125a7e42d8684db5daba2cb3bc4971ca92f20949828a9d5
SSDEEP

49152:LLxWP/6L37yMNw9R9ZG2ca1ZHk5lPkSMc/iZCFlM/B74CEpTQozIENbVQDVdI+0V:9

Score

10^/10

njrat system persistence trojan

Malware Config

Extracted

Family

njrat

Version

v2.0

Botnet

System

C2

2.tcp.ngrok.io:13817

Mutex

Windows

Attributes

reg_key
Windows
splitter
|-F-|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 3 IoCs

Processes:

paylod.exeremcos.exeSystem.exe

pid process

1976 paylod.exe
2272 remcos.exe
3584 System.exe

pid	process
1976	paylod.exe
2272	remcos.exe
3584	System.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Remcos 1.7 Full version Cracked.exepaylod.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Remcos 1.7 Full version Cracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	paylod.exe

Drops startup file 2 IoCs

Processes:

System.exepaylod.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	System.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	paylod.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

paylod.exeSystem.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\ProgramData\\System.exe"	paylod.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	System.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	System.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	System.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	System.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

remcos.exe

pid process

2272 remcos.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

remcos.exe

pid process

2272 remcos.exe
2272 remcos.exe
2272 remcos.exe
2272 remcos.exe

pid	process
2272	remcos.exe

pid	process
2272	remcos.exe
2272	remcos.exe
2272	remcos.exe
2272	remcos.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

Processes:

System.exe

description	pid	process
Token: SeDebugPrivilege	3584	System.exe
Token: 33	3584	System.exe
Token: SeIncBasePriorityPrivilege	3584	System.exe
Token: 33	3584	System.exe
Token: SeIncBasePriorityPrivilege	3584	System.exe
Token: 33	3584	System.exe
Token: SeIncBasePriorityPrivilege	3584	System.exe
Token: 33	3584	System.exe
Token: SeIncBasePriorityPrivilege	3584	System.exe
Token: 33	3584	System.exe
Token: SeIncBasePriorityPrivilege	3584	System.exe
Token: 33	3584	System.exe
Token: SeIncBasePriorityPrivilege	3584	System.exe
Token: 33	3584	System.exe
Token: SeIncBasePriorityPrivilege	3584	System.exe
Token: 33	3584	System.exe
Token: SeIncBasePriorityPrivilege	3584	System.exe
Token: 33	3584	System.exe
Token: SeIncBasePriorityPrivilege	3584	System.exe
Token: 33	3584	System.exe
Token: SeIncBasePriorityPrivilege	3584	System.exe
Token: 33	3584	System.exe
Token: SeIncBasePriorityPrivilege	3584	System.exe
Token: 33	3584	System.exe
Token: SeIncBasePriorityPrivilege	3584	System.exe
Token: 33	3584	System.exe
Token: SeIncBasePriorityPrivilege	3584	System.exe
Token: 33	3584	System.exe
Token: SeIncBasePriorityPrivilege	3584	System.exe
Token: 33	3584	System.exe
Token: SeIncBasePriorityPrivilege	3584	System.exe
Token: 33	3584	System.exe
Token: SeIncBasePriorityPrivilege	3584	System.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

remcos.exe

pid process

2272 remcos.exe

pid	process
2272	remcos.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

Remcos 1.7 Full version Cracked.exepaylod.exe

description	pid	process	target process
PID 2976 wrote to memory of 1976	2976	Remcos 1.7 Full version Cracked.exe	paylod.exe
PID 2976 wrote to memory of 1976	2976	Remcos 1.7 Full version Cracked.exe	paylod.exe
PID 2976 wrote to memory of 1976	2976	Remcos 1.7 Full version Cracked.exe	paylod.exe
PID 2976 wrote to memory of 2272	2976	Remcos 1.7 Full version Cracked.exe	remcos.exe
PID 2976 wrote to memory of 2272	2976	Remcos 1.7 Full version Cracked.exe	remcos.exe
PID 2976 wrote to memory of 2272	2976	Remcos 1.7 Full version Cracked.exe	remcos.exe
PID 1976 wrote to memory of 3584	1976	paylod.exe	System.exe
PID 1976 wrote to memory of 3584	1976	paylod.exe	System.exe
PID 1976 wrote to memory of 3584	1976	paylod.exe	System.exe
PID 1976 wrote to memory of 3604	1976	paylod.exe	attrib.exe
PID 1976 wrote to memory of 3604	1976	paylod.exe	attrib.exe
PID 1976 wrote to memory of 3604	1976	paylod.exe	attrib.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

3604 attrib.exe

pid	process
3604	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Remcos 1.7 Full version Cracked.exe
"C:\Users\Admin\AppData\Local\Temp\Remcos 1.7 Full version Cracked.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2976

C:\Users\Admin\AppData\Local\Temp\paylod.exe
"C:\Users\Admin\AppData\Local\Temp\paylod.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1976

C:\ProgramData\System.exe
"C:\ProgramData\System.exe"
3⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:3584

C:\Windows\SysWOW64\attrib.exe
attrib +h +r +s "C:\ProgramData\System.exe"
3⤵
- Views/modifies file attributes
PID:3604

C:\Users\Admin\AppData\Local\Temp\remcos.exe
"C:\Users\Admin\AppData\Local\Temp\remcos.exe"
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2272

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Hidden Files and Directories

1

T1158

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Hidden Files and Directories

1

T1158

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\System.exe
Filesize
26KB

MD5
24bf1ae1d62be5e1283fc4ddc9110dd9

SHA1
7b60b080982e77eb4565dce877236297280fcf36

SHA256
55cc06f563e305e118f8d9d6307e88de5f802cd36f6bdf394e17b95bf852bd69

SHA512
b0b1228c90ac6f795c3ee641c94045023cfc8fea0dba82c37c382cc91376c3b03ca0900c82881d9c8d99363a4fdeca4e8bc758c47730444195d0c52703bef391

Download Submit
C:\ProgramData\System.exe
Filesize
26KB

MD5
24bf1ae1d62be5e1283fc4ddc9110dd9

SHA1
7b60b080982e77eb4565dce877236297280fcf36

SHA256
55cc06f563e305e118f8d9d6307e88de5f802cd36f6bdf394e17b95bf852bd69

SHA512
b0b1228c90ac6f795c3ee641c94045023cfc8fea0dba82c37c382cc91376c3b03ca0900c82881d9c8d99363a4fdeca4e8bc758c47730444195d0c52703bef391

Download Submit
C:\Users\Admin\AppData\Local\Temp\paylod.exe
Filesize
26KB

MD5
24bf1ae1d62be5e1283fc4ddc9110dd9

SHA1
7b60b080982e77eb4565dce877236297280fcf36

SHA256
55cc06f563e305e118f8d9d6307e88de5f802cd36f6bdf394e17b95bf852bd69

SHA512
b0b1228c90ac6f795c3ee641c94045023cfc8fea0dba82c37c382cc91376c3b03ca0900c82881d9c8d99363a4fdeca4e8bc758c47730444195d0c52703bef391

Download Submit
C:\Users\Admin\AppData\Local\Temp\paylod.exe
Filesize
26KB

MD5
24bf1ae1d62be5e1283fc4ddc9110dd9

SHA1
7b60b080982e77eb4565dce877236297280fcf36

SHA256
55cc06f563e305e118f8d9d6307e88de5f802cd36f6bdf394e17b95bf852bd69

SHA512
b0b1228c90ac6f795c3ee641c94045023cfc8fea0dba82c37c382cc91376c3b03ca0900c82881d9c8d99363a4fdeca4e8bc758c47730444195d0c52703bef391

Download Submit
C:\Users\Admin\AppData\Local\Temp\remcos.exe
Filesize
9.9MB

MD5
ed1e424ea6f625968a334377e8ac629f

SHA1
ad00cc58a59a3d5b78d6603a1d09378e5dbd1647

SHA256
1e5375b400f68c422804703390489b2cf3968c2a8bccb0b5b3c55fe1d2e3c991

SHA512
5119b6ac8c1becda5b59a4802fc96828d338ba2d2767e5521bc226bf04b6637c1925b0cc1b0cf560540b1399730f695c55de23665e59d0683eb07d32939b8094

Download Submit
C:\Users\Admin\AppData\Local\Temp\remcos.exe
Filesize
9.9MB

MD5
ed1e424ea6f625968a334377e8ac629f

SHA1
ad00cc58a59a3d5b78d6603a1d09378e5dbd1647

SHA256
1e5375b400f68c422804703390489b2cf3968c2a8bccb0b5b3c55fe1d2e3c991

SHA512
5119b6ac8c1becda5b59a4802fc96828d338ba2d2767e5521bc226bf04b6637c1925b0cc1b0cf560540b1399730f695c55de23665e59d0683eb07d32939b8094

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk
Filesize
1KB

MD5
c87a0c01932e2b874bc3b392253a663a

SHA1
51422af62636aaaedfccbe8e4f49ffc027a90989

SHA256
8a2b0b8a4e2bd3a1d8bad6ccd1dd2b92561b9abb7156b6701a6190458507795c

SHA512
ffd135cebd6e00bb32e0fba5361554e617af27556022ab3cb04c43eae8121ebd17d3868bef382061d7cbc993e805e1501bd580bdcead8f77b44f8889ac14c0a8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk
Filesize
1KB

MD5
586210e5f1de944d08dd141fcadd408a

SHA1
0b539a283bfe6c23839a5c44f668af3ae205288d

SHA256
90a7d4cf6b4f075b45da710cf2f1fdfa71d0a654beb240fb74ff968ead06f742

SHA512
4a2ffa2d32f1bbcbfb1d0d76509717b9088ccb99557e47b03b03277524d4f1c6bc419dd91537ffd7e8fee7e427c017de3bec88c80c21c326388efe45c3dccca6

Download Submit
memory/1976-133-0x0000000000000000-mapping.dmp

Download
memory/1976-139-0x0000000074640000-0x0000000074BF1000-memory.dmp

Filesize
5.7MB

Download
memory/1976-149-0x0000000074640000-0x0000000074BF1000-memory.dmp

Filesize
5.7MB

Download
memory/2272-143-0x0000000000400000-0x0000000001ABE000-memory.dmp

Filesize
22.7MB

Download
memory/2272-144-0x0000000000400000-0x0000000001ABE000-memory.dmp

Filesize
22.7MB

Download
memory/2272-141-0x0000000000400000-0x0000000001ABE000-memory.dmp

Filesize
22.7MB

Download
memory/2272-136-0x0000000000000000-mapping.dmp

Download
memory/2272-153-0x0000000000400000-0x0000000001ABE000-memory.dmp

Filesize
22.7MB

Download
memory/2976-132-0x0000000074640000-0x0000000074BF1000-memory.dmp

Filesize
5.7MB

Download
memory/2976-138-0x0000000074640000-0x0000000074BF1000-memory.dmp

Filesize
5.7MB

Download
memory/3584-145-0x0000000000000000-mapping.dmp

Download
memory/3584-152-0x0000000074640000-0x0000000074BF1000-memory.dmp

Filesize
5.7MB

Download
memory/3584-154-0x0000000074640000-0x0000000074BF1000-memory.dmp

Filesize
5.7MB

Download
memory/3604-148-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads