njrat | fe416e3b6b814dc3a5dc24e6f29f7f6f3aa44654a69f40a3212c96826d182cd4

General

Target

fe416e3b6b814dc3a5dc24e6f29f7f6f3aa44654a69f40a3212c96826d182cd4.exe
Size

131KB
MD5

93c3392b91669a01cceb599296c3c2b0
SHA1

fbe8bae801d725dc2d40ce680e14f5b34a5737be
SHA256

fe416e3b6b814dc3a5dc24e6f29f7f6f3aa44654a69f40a3212c96826d182cd4
SHA512

ef4b685c6c75f4f68c49a5ee119576cdec7b4a5abba61d2bca333be18225ac08da6ca8edf91e1bd5fd0fbede4b10b688b53b98a5b26bed7639a71a0a1332a610
SSDEEP

3072:O/fCCPsG9etK87u1JdYVU10PIutREBO9qYDHa4rCcBM2v:OjP2KEhUWPIuPEOAYD64xf

Score

10^/10

njrat yahoo evasion trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

yahoo

C2

127.0.0.1:5552

Mutex

c20dc55207710c29d1db3ad3160138a1

Attributes

reg_key
c20dc55207710c29d1db3ad3160138a1
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 1 IoCs

Processes:

yahoo.exe

pid process

1724 yahoo.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

1924 netsh.exe
Loads dropped DLL 1 IoCs

Processes:

fe416e3b6b814dc3a5dc24e6f29f7f6f3aa44654a69f40a3212c96826d182cd4.exe

pid process

1520 fe416e3b6b814dc3a5dc24e6f29f7f6f3aa44654a69f40a3212c96826d182cd4.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1724	yahoo.exe

pid	process
1924	netsh.exe

pid	process
1520	fe416e3b6b814dc3a5dc24e6f29f7f6f3aa44654a69f40a3212c96826d182cd4.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

yahoo.exe

description	pid	process
Token: SeDebugPrivilege	1724	yahoo.exe
Token: 33	1724	yahoo.exe
Token: SeIncBasePriorityPrivilege	1724	yahoo.exe
Token: 33	1724	yahoo.exe
Token: SeIncBasePriorityPrivilege	1724	yahoo.exe
Token: 33	1724	yahoo.exe
Token: SeIncBasePriorityPrivilege	1724	yahoo.exe
Token: 33	1724	yahoo.exe
Token: SeIncBasePriorityPrivilege	1724	yahoo.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

fe416e3b6b814dc3a5dc24e6f29f7f6f3aa44654a69f40a3212c96826d182cd4.exeyahoo.exe

description	pid	process	target process
PID 1520 wrote to memory of 1724	1520	fe416e3b6b814dc3a5dc24e6f29f7f6f3aa44654a69f40a3212c96826d182cd4.exe	yahoo.exe
PID 1520 wrote to memory of 1724	1520	fe416e3b6b814dc3a5dc24e6f29f7f6f3aa44654a69f40a3212c96826d182cd4.exe	yahoo.exe
PID 1520 wrote to memory of 1724	1520	fe416e3b6b814dc3a5dc24e6f29f7f6f3aa44654a69f40a3212c96826d182cd4.exe	yahoo.exe
PID 1520 wrote to memory of 1724	1520	fe416e3b6b814dc3a5dc24e6f29f7f6f3aa44654a69f40a3212c96826d182cd4.exe	yahoo.exe
PID 1724 wrote to memory of 1924	1724	yahoo.exe	netsh.exe
PID 1724 wrote to memory of 1924	1724	yahoo.exe	netsh.exe
PID 1724 wrote to memory of 1924	1724	yahoo.exe	netsh.exe
PID 1724 wrote to memory of 1924	1724	yahoo.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\fe416e3b6b814dc3a5dc24e6f29f7f6f3aa44654a69f40a3212c96826d182cd4.exe
"C:\Users\Admin\AppData\Local\Temp\fe416e3b6b814dc3a5dc24e6f29f7f6f3aa44654a69f40a3212c96826d182cd4.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1520

C:\Users\Admin\AppData\Local\Temp\yahoo.exe
"C:\Users\Admin\AppData\Local\Temp\yahoo.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1724

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\yahoo.exe" "yahoo.exe" ENABLE
3⤵
- Modifies Windows Firewall
PID:1924

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\yahoo.exe
Filesize
131KB

MD5
93c3392b91669a01cceb599296c3c2b0

SHA1
fbe8bae801d725dc2d40ce680e14f5b34a5737be

SHA256
fe416e3b6b814dc3a5dc24e6f29f7f6f3aa44654a69f40a3212c96826d182cd4

SHA512
ef4b685c6c75f4f68c49a5ee119576cdec7b4a5abba61d2bca333be18225ac08da6ca8edf91e1bd5fd0fbede4b10b688b53b98a5b26bed7639a71a0a1332a610

Download Submit
C:\Users\Admin\AppData\Local\Temp\yahoo.exe
Filesize
131KB

MD5
93c3392b91669a01cceb599296c3c2b0

SHA1
fbe8bae801d725dc2d40ce680e14f5b34a5737be

SHA256
fe416e3b6b814dc3a5dc24e6f29f7f6f3aa44654a69f40a3212c96826d182cd4

SHA512
ef4b685c6c75f4f68c49a5ee119576cdec7b4a5abba61d2bca333be18225ac08da6ca8edf91e1bd5fd0fbede4b10b688b53b98a5b26bed7639a71a0a1332a610

Download Submit
\Users\Admin\AppData\Local\Temp\yahoo.exe
Filesize
131KB

MD5
93c3392b91669a01cceb599296c3c2b0

SHA1
fbe8bae801d725dc2d40ce680e14f5b34a5737be

SHA256
fe416e3b6b814dc3a5dc24e6f29f7f6f3aa44654a69f40a3212c96826d182cd4

SHA512
ef4b685c6c75f4f68c49a5ee119576cdec7b4a5abba61d2bca333be18225ac08da6ca8edf91e1bd5fd0fbede4b10b688b53b98a5b26bed7639a71a0a1332a610

Download Submit
memory/1520-54-0x0000000000210000-0x0000000000236000-memory.dmp

Filesize
152KB

Download
memory/1520-55-0x0000000000490000-0x00000000004A2000-memory.dmp

Filesize
72KB

Download
memory/1520-56-0x0000000074D61000-0x0000000074D63000-memory.dmp

Filesize
8KB

Download
memory/1520-57-0x0000000001D10000-0x0000000001D38000-memory.dmp

Filesize
160KB

Download
memory/1520-58-0x0000000000580000-0x000000000058C000-memory.dmp

Filesize
48KB

Download
memory/1724-60-0x0000000000000000-mapping.dmp

Download
memory/1724-63-0x0000000000150000-0x0000000000176000-memory.dmp

Filesize
152KB

Download
memory/1924-65-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing