njrat | b38b021a1c25c05b6817a52e0ad8b36a8b64000db99e1b066114b30e28084998

General

Target

b38b021a1c25c05b6817a52e0ad8b36a8b64000db99e1b066114b30e28084998.exe
Size

83KB
MD5

0acd52a5eca19fdfd3c23682a1565500
SHA1

c040443641a2c61b5b67fc3ad235f38cad4d7089
SHA256

b38b021a1c25c05b6817a52e0ad8b36a8b64000db99e1b066114b30e28084998
SHA512

bdef13b46a37007330ecb2c3570eda3f3db3fad138a70f91cbbaf1e1563188e7485106048f79aca92d8396a6a5bf37c75a97592fdd2ebcd7aae363fd057a9ba0
SSDEEP

1536:OOdnis2oXPfq+ZCcXrz5izuVId/eVtF/1YadXenbooNPqc3soAI3QN0qSS:OOdnis2oX3q+Mcb11Y/e/F/1YSU5NPqV

Score

10^/10

njrat hacked evasion trojan

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

HacKed

C2

xplackx.no-ip.biz:1177

Mutex

08f4dc96bbb7af09d1a37fe35c75a42f

Attributes

reg_key
08f4dc96bbb7af09d1a37fe35c75a42f
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
1548	netsh.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2020 set thread context of 976	2020	b38b021a1c25c05b6817a52e0ad8b36a8b64000db99e1b066114b30e28084998.exe	29

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2020	b38b021a1c25c05b6817a52e0ad8b36a8b64000db99e1b066114b30e28084998.exe
Token: 33	2020	b38b021a1c25c05b6817a52e0ad8b36a8b64000db99e1b066114b30e28084998.exe
Token: SeIncBasePriorityPrivilege	2020	b38b021a1c25c05b6817a52e0ad8b36a8b64000db99e1b066114b30e28084998.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 976	2020	b38b021a1c25c05b6817a52e0ad8b36a8b64000db99e1b066114b30e28084998.exe	29
PID 2020 wrote to memory of 976	2020	b38b021a1c25c05b6817a52e0ad8b36a8b64000db99e1b066114b30e28084998.exe	29
PID 2020 wrote to memory of 976	2020	b38b021a1c25c05b6817a52e0ad8b36a8b64000db99e1b066114b30e28084998.exe	29
PID 2020 wrote to memory of 976	2020	b38b021a1c25c05b6817a52e0ad8b36a8b64000db99e1b066114b30e28084998.exe	29
PID 2020 wrote to memory of 976	2020	b38b021a1c25c05b6817a52e0ad8b36a8b64000db99e1b066114b30e28084998.exe	29
PID 2020 wrote to memory of 976	2020	b38b021a1c25c05b6817a52e0ad8b36a8b64000db99e1b066114b30e28084998.exe	29
PID 2020 wrote to memory of 976	2020	b38b021a1c25c05b6817a52e0ad8b36a8b64000db99e1b066114b30e28084998.exe	29
PID 2020 wrote to memory of 976	2020	b38b021a1c25c05b6817a52e0ad8b36a8b64000db99e1b066114b30e28084998.exe	29
PID 2020 wrote to memory of 976	2020	b38b021a1c25c05b6817a52e0ad8b36a8b64000db99e1b066114b30e28084998.exe	29

C:\Users\Admin\AppData\Local\Temp\b38b021a1c25c05b6817a52e0ad8b36a8b64000db99e1b066114b30e28084998.exe
"C:\Users\Admin\AppData\Local\Temp\b38b021a1c25c05b6817a52e0ad8b36a8b64000db99e1b066114b30e28084998.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Users\Admin\AppData\Local\Temp\b38b021a1c25c05b6817a52e0ad8b36a8b64000db99e1b066114b30e28084998.exe
  C:\Users\Admin\AppData\Local\Temp\b38b021a1c25c05b6817a52e0ad8b36a8b64000db99e1b066114b30e28084998.exe
  2⤵
  PID:976

C:\Users\Admin\AppData\Local\Temp\explorer.exe
"C:\Users\Admin\AppData\Local\Temp\explorer.exe"
1⤵
PID:1104
- C:\Users\Admin\AppData\Local\Temp\explorer.exe
  C:\Users\Admin\AppData\Local\Temp\explorer.exe
  2⤵
  PID:520

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\explorer.exe" "explorer.exe" ENABLE
1⤵
- Modifies Windows Firewall
PID:1548

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\explorer.exe

Filesize
83KB

MD5
0acd52a5eca19fdfd3c23682a1565500

SHA1
c040443641a2c61b5b67fc3ad235f38cad4d7089

SHA256
b38b021a1c25c05b6817a52e0ad8b36a8b64000db99e1b066114b30e28084998

SHA512
bdef13b46a37007330ecb2c3570eda3f3db3fad138a70f91cbbaf1e1563188e7485106048f79aca92d8396a6a5bf37c75a97592fdd2ebcd7aae363fd057a9ba0

Download Submit
C:\Users\Admin\AppData\Local\Temp\explorer.exe

Filesize
83KB

MD5
0acd52a5eca19fdfd3c23682a1565500

SHA1
c040443641a2c61b5b67fc3ad235f38cad4d7089

SHA256
b38b021a1c25c05b6817a52e0ad8b36a8b64000db99e1b066114b30e28084998

SHA512
bdef13b46a37007330ecb2c3570eda3f3db3fad138a70f91cbbaf1e1563188e7485106048f79aca92d8396a6a5bf37c75a97592fdd2ebcd7aae363fd057a9ba0

Download Submit
C:\Users\Admin\AppData\Local\Temp\explorer.exe

Filesize
83KB

MD5
0acd52a5eca19fdfd3c23682a1565500

SHA1
c040443641a2c61b5b67fc3ad235f38cad4d7089

SHA256
b38b021a1c25c05b6817a52e0ad8b36a8b64000db99e1b066114b30e28084998

SHA512
bdef13b46a37007330ecb2c3570eda3f3db3fad138a70f91cbbaf1e1563188e7485106048f79aca92d8396a6a5bf37c75a97592fdd2ebcd7aae363fd057a9ba0

Download Submit
\Users\Admin\AppData\Local\Temp\explorer.exe

Filesize
83KB

MD5
0acd52a5eca19fdfd3c23682a1565500

SHA1
c040443641a2c61b5b67fc3ad235f38cad4d7089

SHA256
b38b021a1c25c05b6817a52e0ad8b36a8b64000db99e1b066114b30e28084998

SHA512
bdef13b46a37007330ecb2c3570eda3f3db3fad138a70f91cbbaf1e1563188e7485106048f79aca92d8396a6a5bf37c75a97592fdd2ebcd7aae363fd057a9ba0

Download Submit
\Users\Admin\AppData\Local\Temp\explorer.exe

Filesize
83KB

MD5
0acd52a5eca19fdfd3c23682a1565500

SHA1
c040443641a2c61b5b67fc3ad235f38cad4d7089

SHA256
b38b021a1c25c05b6817a52e0ad8b36a8b64000db99e1b066114b30e28084998

SHA512
bdef13b46a37007330ecb2c3570eda3f3db3fad138a70f91cbbaf1e1563188e7485106048f79aca92d8396a6a5bf37c75a97592fdd2ebcd7aae363fd057a9ba0

Download Submit
\Users\Admin\AppData\Local\Temp\explorer.exe

Filesize
83KB

MD5
0acd52a5eca19fdfd3c23682a1565500

SHA1
c040443641a2c61b5b67fc3ad235f38cad4d7089

SHA256
b38b021a1c25c05b6817a52e0ad8b36a8b64000db99e1b066114b30e28084998

SHA512
bdef13b46a37007330ecb2c3570eda3f3db3fad138a70f91cbbaf1e1563188e7485106048f79aca92d8396a6a5bf37c75a97592fdd2ebcd7aae363fd057a9ba0

Download Submit
memory/520-84-0x00000000746D0000-0x0000000074C7B000-memory.dmp

Filesize
5.7MB

Download
memory/976-56-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/976-70-0x0000000074C80000-0x000000007522B000-memory.dmp

Filesize
5.7MB

Download
memory/976-59-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/976-61-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1104-71-0x0000000074C80000-0x000000007522B000-memory.dmp

Filesize
5.7MB

Download
memory/1104-80-0x0000000074C80000-0x000000007522B000-memory.dmp

Filesize
5.7MB

Download
memory/2020-54-0x00000000756B1000-0x00000000756B3000-memory.dmp

Filesize
8KB

Download
memory/2020-63-0x0000000074C80000-0x000000007522B000-memory.dmp

Filesize
5.7MB

Download
memory/2020-55-0x0000000074C80000-0x000000007522B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing