njrat | 6290f4f614acabcfab28a0bc2a86e1e7394ebecafc567389690b96489288c633

General

Target

6290f4f614acabcfab28a0bc2a86e1e7394ebecafc567389690b96489288c633.exe
Size

155KB
MD5

0b8e7fd231db3a3e757b61a9703e9700
SHA1

fbbc470fd85d4cf37723799c1715a592ee154c27
SHA256

6290f4f614acabcfab28a0bc2a86e1e7394ebecafc567389690b96489288c633
SHA512

940cb0e6f55a90b3a2035dc1ab4415ffa007da8bdbf7161b71264be67db6c84d8c8cc9569e3a75e382f5c6f2c9067d1cfc1cc8639e0d6e0d4eb458a4f37441f2
SSDEEP

3072:Yf50dqfOSGoskyIjqSpaHR2m6fHaa2o+UtCbC:Yx0oOksijXAVb

Score

10^/10

njrat mr trojan

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

Mr

C2

googly95.no-ip.org:81

Mutex

d5a38e9b5f206c41f8851bf04a251d26

Attributes

reg_key
d5a38e9b5f206c41f8851bf04a251d26
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1480 set thread context of 304	1480	6290f4f614acabcfab28a0bc2a86e1e7394ebecafc567389690b96489288c633.exe	27

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1480	6290f4f614acabcfab28a0bc2a86e1e7394ebecafc567389690b96489288c633.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1480 wrote to memory of 304	1480	6290f4f614acabcfab28a0bc2a86e1e7394ebecafc567389690b96489288c633.exe	27
PID 1480 wrote to memory of 304	1480	6290f4f614acabcfab28a0bc2a86e1e7394ebecafc567389690b96489288c633.exe	27
PID 1480 wrote to memory of 304	1480	6290f4f614acabcfab28a0bc2a86e1e7394ebecafc567389690b96489288c633.exe	27
PID 1480 wrote to memory of 304	1480	6290f4f614acabcfab28a0bc2a86e1e7394ebecafc567389690b96489288c633.exe	27
PID 1480 wrote to memory of 304	1480	6290f4f614acabcfab28a0bc2a86e1e7394ebecafc567389690b96489288c633.exe	27
PID 1480 wrote to memory of 304	1480	6290f4f614acabcfab28a0bc2a86e1e7394ebecafc567389690b96489288c633.exe	27
PID 1480 wrote to memory of 304	1480	6290f4f614acabcfab28a0bc2a86e1e7394ebecafc567389690b96489288c633.exe	27
PID 1480 wrote to memory of 304	1480	6290f4f614acabcfab28a0bc2a86e1e7394ebecafc567389690b96489288c633.exe	27
PID 1480 wrote to memory of 304	1480	6290f4f614acabcfab28a0bc2a86e1e7394ebecafc567389690b96489288c633.exe	27

C:\Users\Admin\AppData\Local\Temp\6290f4f614acabcfab28a0bc2a86e1e7394ebecafc567389690b96489288c633.exe
"C:\Users\Admin\AppData\Local\Temp\6290f4f614acabcfab28a0bc2a86e1e7394ebecafc567389690b96489288c633.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1480
- C:\Users\Admin\AppData\Local\Temp\6290f4f614acabcfab28a0bc2a86e1e7394ebecafc567389690b96489288c633.exe
  C:\Users\Admin\AppData\Local\Temp\6290f4f614acabcfab28a0bc2a86e1e7394ebecafc567389690b96489288c633.exe
  2⤵
  PID:304
- - C:\Users\Admin\AppData\Local\Temp\chrome.exe
    "C:\Users\Admin\AppData\Local\Temp\chrome.exe"
    3⤵
    PID:1072

C:\Users\Admin\AppData\Local\Temp\chrome.exe
C:\Users\Admin\AppData\Local\Temp\chrome.exe
1⤵
PID:2016

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\chrome.exe

Filesize
19KB

MD5
97ffae6511c503288f3ad92c4e21146c

SHA1
83cd760c81b7d831b34b5f760e3205daf7be044d

SHA256
f8cc135607e4b75244909f6d1f4f1f91c56d8c894b25889add64f68166696076

SHA512
de54e200ba69c1485dde2af6f1fcf5034ddf7a9fbdef7c7e3b36bc0dfa4a7f26d4c54b1e000424189c5e0c85230a1f1f4cafefbd310af2fc52a3b287741cfac8

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome.exe

Filesize
22KB

MD5
e37c3d6ea0090bf201712243b2500e18

SHA1
17d157192ebd16cd8caaf754bad7e127b8aeab48

SHA256
00e21ef4d734660a3e8710a99275345c275dee4c540b165ab136a1b9574d2525

SHA512
7aef2328407ff4641bbd887001ba8aa159888747fe27edeaf3aa27f6844483576dcb21ef8518b7714f6008a776b2af1d295f952d23f6923fcb9ab4ed46b58b92

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome.exe

Filesize
12KB

MD5
425e886ad5004a9824b81f0bcf18703e

SHA1
072139bcb1f0db29479370847d13cd7f1e0bc216

SHA256
65ad4fbfe9a48784cdf0e66c9943f504f393a86c133935116bd298e040843a6e

SHA512
4abb0ca9c820fec7157ba1ea34e4eb59c13594e48a05429a60da0877a05b9e85f3e95eb847788f7a3ad041276c3f0d33083d68c5328d2ad6c6b8dc9a7a73a388

Download Submit
\Users\Admin\AppData\Local\Temp\chrome.exe

Filesize
49KB

MD5
0a018d36fd2bc75a93583a1f0e5bdff9

SHA1
c76de01097b4555edeb0cfcb6b5589ba6a8ce086

SHA256
2aa0d12d54233b755da8eb468119423a9dc1d3fe264fad4296f5f4e34ffce495

SHA512
831c8bcf76074b7cd2b29766bf276b4b23eadef18ff8ef30ece4bbfe5e20e58aba74c1e70efd2fc9c593f223c7efd95759f44403faed67e38612e190ccdf7999

Download Submit
\Users\Admin\AppData\Local\Temp\chrome.exe

Filesize
39KB

MD5
b7d17eb9c599a4136cd3049ced6c155a

SHA1
2391bb61335a4e10195ccc7da1267c3669bf72a0

SHA256
15e592a251c222cefd8777f37d014b99f7c134c89367a5203bde0985f0bdce3f

SHA512
e2361faf1d89404fafa1bcaece7e45c30e52fa11ddb91fefbb91afa070b2172843d217d1cb3b35d62f676b61309828cc1ba0a9a44b40dff39c6eb5c0d227c888

Download Submit
memory/304-55-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/304-61-0x0000000076201000-0x0000000076203000-memory.dmp

Filesize
8KB

Download
memory/304-60-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/304-58-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1072-66-0x0000000001000000-0x000000000102E000-memory.dmp

Filesize
184KB

Download
memory/1480-54-0x00000000008F0000-0x000000000091E000-memory.dmp

Filesize
184KB

Download

Analysis

Sharing