njrat | c91ee9c3b3408d397b2fd36b4f09e715932fdd722a42829ef81451690f1844e7

Analysis

max time kernel
2s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29-10-2022 00:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c91ee9c3b3408d397b2fd36b4f09e715932fdd722a42829ef81451690f1844e7.exe
Size

28KB
MD5

070366b1e13d0db607bf91ce11d3f1a0
SHA1

1b43ac3d2adb907cb22efef2c9e8ad6166a831a0
SHA256

c91ee9c3b3408d397b2fd36b4f09e715932fdd722a42829ef81451690f1844e7
SHA512

4a139242cf56c5d193d8daf8145dee890436bf9540d0c758aa7d1fc1868339cf6dec2a2361d08820286a9956cd7138fab6ba9537544b722c32470482aeb8a0f3
SSDEEP

384:MaFCtl7Dh+oqIqEXV5HEQTGumqDgN3eH6GBsbh0w4wlAokw9OhgOL1vYRGOZzCZW:m74oqIjlLTAqM3eFBKh0p29SgREW

Score

10^/10

njrat hacked evasion trojan

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

HacKed

topsayed223.no-ip.biz:1177

Mutex

6af29fbbfed65718b18fac14bbf76b5c

Attributes

reg_key
6af29fbbfed65718b18fac14bbf76b5c
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
1036	netsh.exe

Loads dropped DLL 1 IoCs

pid	Process
1500	c91ee9c3b3408d397b2fd36b4f09e715932fdd722a42829ef81451690f1844e7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

C:\Users\Admin\AppData\Local\Temp\c91ee9c3b3408d397b2fd36b4f09e715932fdd722a42829ef81451690f1844e7.exe
"C:\Users\Admin\AppData\Local\Temp\c91ee9c3b3408d397b2fd36b4f09e715932fdd722a42829ef81451690f1844e7.exe"
1⤵
- Loads dropped DLL
PID:1500
- C:\Users\Admin\AppData\Roaming\Elsayed.exe
  "C:\Users\Admin\AppData\Roaming\Elsayed.exe"
  2⤵
  PID:876

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Elsayed.exe" "Elsayed.exe" ENABLE
1⤵
- Modifies Windows Firewall
PID:1036

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Elsayed.exe

Filesize
28KB

MD5
070366b1e13d0db607bf91ce11d3f1a0

SHA1
1b43ac3d2adb907cb22efef2c9e8ad6166a831a0

SHA256
c91ee9c3b3408d397b2fd36b4f09e715932fdd722a42829ef81451690f1844e7

SHA512
4a139242cf56c5d193d8daf8145dee890436bf9540d0c758aa7d1fc1868339cf6dec2a2361d08820286a9956cd7138fab6ba9537544b722c32470482aeb8a0f3

Download Submit
C:\Users\Admin\AppData\Roaming\Elsayed.exe

Filesize
28KB

MD5
070366b1e13d0db607bf91ce11d3f1a0

SHA1
1b43ac3d2adb907cb22efef2c9e8ad6166a831a0

SHA256
c91ee9c3b3408d397b2fd36b4f09e715932fdd722a42829ef81451690f1844e7

SHA512
4a139242cf56c5d193d8daf8145dee890436bf9540d0c758aa7d1fc1868339cf6dec2a2361d08820286a9956cd7138fab6ba9537544b722c32470482aeb8a0f3

Download Submit
\Users\Admin\AppData\Roaming\Elsayed.exe

Filesize
21KB

MD5
1a90993587bb57b56ca50f8e808f5997

SHA1
539342cc082c8e9df7a505823cb10d5db2d8eb2b

SHA256
80ace5736bb6112da4c0fac72b828e2aae7b9e4a924cf165fe075a8a315ec682

SHA512
87b6115e23cad2337426a938e2d1ef9fb2df5a69913bd70882b5ef21ba2ae4bc97fcde82ae2b103dcc37085af7afabece8aa0a0106258f635a5ce12d9fc34e8b

Download Submit
\Users\Admin\AppData\Roaming\Elsayed.exe

Filesize
28KB

MD5
070366b1e13d0db607bf91ce11d3f1a0

SHA1
1b43ac3d2adb907cb22efef2c9e8ad6166a831a0

SHA256
c91ee9c3b3408d397b2fd36b4f09e715932fdd722a42829ef81451690f1844e7

SHA512
4a139242cf56c5d193d8daf8145dee890436bf9540d0c758aa7d1fc1868339cf6dec2a2361d08820286a9956cd7138fab6ba9537544b722c32470482aeb8a0f3

Download Submit
memory/876-64-0x0000000074350000-0x00000000748FB000-memory.dmp

Filesize
5.7MB

Download
memory/876-66-0x0000000074350000-0x00000000748FB000-memory.dmp

Filesize
5.7MB

Download
memory/1500-54-0x0000000076201000-0x0000000076203000-memory.dmp

Filesize
8KB

Download
memory/1500-55-0x0000000074350000-0x00000000748FB000-memory.dmp

Filesize
5.7MB

Download
memory/1500-62-0x0000000074350000-0x00000000748FB000-memory.dmp

Filesize
5.7MB

Download