njrat | 355675ea1cb2e1cc43308f07d47b71d3452365130fc3cbc9b796a7878f356e27

General

Target

355675ea1cb2e1cc43308f07d47b71d3452365130fc3cbc9b796a7878f356e27.exe
Size

343KB
MD5

829b2b6919baa284646f6372f850f7c0
SHA1

57344af11aedf0e879858bf2b8ee5be513a53885
SHA256

355675ea1cb2e1cc43308f07d47b71d3452365130fc3cbc9b796a7878f356e27
SHA512

dd32163c54da57860a572dae8b4ed1515f8fb892fb92a16c843c928e8604c4dadda772567711dfb23d152649f7849f48c61a0c0687aea587a531f04fb079c53f
SSDEEP

1536:7nMNT2n3G+P9bITfLe5zlhgNkeLe/amg1fgZ1Qvn2GGZvFL6iho1b+nIHIkQExbM:oFo2+P9bITqR+b+4vB+n34Xryp98C3

Score

10^/10

njrat hacker trojan

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

hacker

C2

127.0.0.1:1177

Mutex

ba4c12bee3027d94da5c81db2d196bfd

Attributes

reg_key
ba4c12bee3027d94da5c81db2d196bfd
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid process

1900 svchost.exe

pid	process
1900	svchost.exe

Loads dropped DLL 3 IoCs

Processes:

355675ea1cb2e1cc43308f07d47b71d3452365130fc3cbc9b796a7878f356e27.exesvchost.exe

pid	process
2008	355675ea1cb2e1cc43308f07d47b71d3452365130fc3cbc9b796a7878f356e27.exe
2008	355675ea1cb2e1cc43308f07d47b71d3452365130fc3cbc9b796a7878f356e27.exe
1900	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

355675ea1cb2e1cc43308f07d47b71d3452365130fc3cbc9b796a7878f356e27.exe

description	pid	process	target process
PID 1708 set thread context of 2008	1708	355675ea1cb2e1cc43308f07d47b71d3452365130fc3cbc9b796a7878f356e27.exe	355675ea1cb2e1cc43308f07d47b71d3452365130fc3cbc9b796a7878f356e27.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

355675ea1cb2e1cc43308f07d47b71d3452365130fc3cbc9b796a7878f356e27.exesvchost.exe

pid	process
1708	355675ea1cb2e1cc43308f07d47b71d3452365130fc3cbc9b796a7878f356e27.exe
1708	355675ea1cb2e1cc43308f07d47b71d3452365130fc3cbc9b796a7878f356e27.exe
1708	355675ea1cb2e1cc43308f07d47b71d3452365130fc3cbc9b796a7878f356e27.exe
1900	svchost.exe
1900	svchost.exe
1900	svchost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

355675ea1cb2e1cc43308f07d47b71d3452365130fc3cbc9b796a7878f356e27.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	1708	355675ea1cb2e1cc43308f07d47b71d3452365130fc3cbc9b796a7878f356e27.exe
Token: SeDebugPrivilege	1900	svchost.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

355675ea1cb2e1cc43308f07d47b71d3452365130fc3cbc9b796a7878f356e27.exe355675ea1cb2e1cc43308f07d47b71d3452365130fc3cbc9b796a7878f356e27.exesvchost.exe

description	pid	process	target process
PID 1708 wrote to memory of 2008	1708	355675ea1cb2e1cc43308f07d47b71d3452365130fc3cbc9b796a7878f356e27.exe	355675ea1cb2e1cc43308f07d47b71d3452365130fc3cbc9b796a7878f356e27.exe
PID 1708 wrote to memory of 2008	1708	355675ea1cb2e1cc43308f07d47b71d3452365130fc3cbc9b796a7878f356e27.exe	355675ea1cb2e1cc43308f07d47b71d3452365130fc3cbc9b796a7878f356e27.exe
PID 1708 wrote to memory of 2008	1708	355675ea1cb2e1cc43308f07d47b71d3452365130fc3cbc9b796a7878f356e27.exe	355675ea1cb2e1cc43308f07d47b71d3452365130fc3cbc9b796a7878f356e27.exe
PID 1708 wrote to memory of 2008	1708	355675ea1cb2e1cc43308f07d47b71d3452365130fc3cbc9b796a7878f356e27.exe	355675ea1cb2e1cc43308f07d47b71d3452365130fc3cbc9b796a7878f356e27.exe
PID 1708 wrote to memory of 2008	1708	355675ea1cb2e1cc43308f07d47b71d3452365130fc3cbc9b796a7878f356e27.exe	355675ea1cb2e1cc43308f07d47b71d3452365130fc3cbc9b796a7878f356e27.exe
PID 1708 wrote to memory of 2008	1708	355675ea1cb2e1cc43308f07d47b71d3452365130fc3cbc9b796a7878f356e27.exe	355675ea1cb2e1cc43308f07d47b71d3452365130fc3cbc9b796a7878f356e27.exe
PID 2008 wrote to memory of 1900	2008	355675ea1cb2e1cc43308f07d47b71d3452365130fc3cbc9b796a7878f356e27.exe	svchost.exe
PID 2008 wrote to memory of 1900	2008	355675ea1cb2e1cc43308f07d47b71d3452365130fc3cbc9b796a7878f356e27.exe	svchost.exe
PID 2008 wrote to memory of 1900	2008	355675ea1cb2e1cc43308f07d47b71d3452365130fc3cbc9b796a7878f356e27.exe	svchost.exe
PID 2008 wrote to memory of 1900	2008	355675ea1cb2e1cc43308f07d47b71d3452365130fc3cbc9b796a7878f356e27.exe	svchost.exe
PID 1900 wrote to memory of 896	1900	svchost.exe	svchost.exe
PID 1900 wrote to memory of 896	1900	svchost.exe	svchost.exe
PID 1900 wrote to memory of 896	1900	svchost.exe	svchost.exe
PID 1900 wrote to memory of 896	1900	svchost.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\355675ea1cb2e1cc43308f07d47b71d3452365130fc3cbc9b796a7878f356e27.exe
"C:\Users\Admin\AppData\Local\Temp\355675ea1cb2e1cc43308f07d47b71d3452365130fc3cbc9b796a7878f356e27.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1708

C:\Users\Admin\AppData\Local\Temp\355675ea1cb2e1cc43308f07d47b71d3452365130fc3cbc9b796a7878f356e27.exe
C:\Users\Admin\AppData\Local\Temp\355675ea1cb2e1cc43308f07d47b71d3452365130fc3cbc9b796a7878f356e27.exe
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2008

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1900

C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\svchost.exe
4⤵
PID:896

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
343KB

MD5
829b2b6919baa284646f6372f850f7c0

SHA1
57344af11aedf0e879858bf2b8ee5be513a53885

SHA256
355675ea1cb2e1cc43308f07d47b71d3452365130fc3cbc9b796a7878f356e27

SHA512
dd32163c54da57860a572dae8b4ed1515f8fb892fb92a16c843c928e8604c4dadda772567711dfb23d152649f7849f48c61a0c0687aea587a531f04fb079c53f

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
343KB

MD5
829b2b6919baa284646f6372f850f7c0

SHA1
57344af11aedf0e879858bf2b8ee5be513a53885

SHA256
355675ea1cb2e1cc43308f07d47b71d3452365130fc3cbc9b796a7878f356e27

SHA512
dd32163c54da57860a572dae8b4ed1515f8fb892fb92a16c843c928e8604c4dadda772567711dfb23d152649f7849f48c61a0c0687aea587a531f04fb079c53f

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
343KB

MD5
829b2b6919baa284646f6372f850f7c0

SHA1
57344af11aedf0e879858bf2b8ee5be513a53885

SHA256
355675ea1cb2e1cc43308f07d47b71d3452365130fc3cbc9b796a7878f356e27

SHA512
dd32163c54da57860a572dae8b4ed1515f8fb892fb92a16c843c928e8604c4dadda772567711dfb23d152649f7849f48c61a0c0687aea587a531f04fb079c53f

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
343KB

MD5
829b2b6919baa284646f6372f850f7c0

SHA1
57344af11aedf0e879858bf2b8ee5be513a53885

SHA256
355675ea1cb2e1cc43308f07d47b71d3452365130fc3cbc9b796a7878f356e27

SHA512
dd32163c54da57860a572dae8b4ed1515f8fb892fb92a16c843c928e8604c4dadda772567711dfb23d152649f7849f48c61a0c0687aea587a531f04fb079c53f

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
343KB

MD5
829b2b6919baa284646f6372f850f7c0

SHA1
57344af11aedf0e879858bf2b8ee5be513a53885

SHA256
355675ea1cb2e1cc43308f07d47b71d3452365130fc3cbc9b796a7878f356e27

SHA512
dd32163c54da57860a572dae8b4ed1515f8fb892fb92a16c843c928e8604c4dadda772567711dfb23d152649f7849f48c61a0c0687aea587a531f04fb079c53f

Download Submit
memory/1708-55-0x00000000748B0000-0x0000000074E5B000-memory.dmp

Filesize
5.7MB

Download
memory/1708-75-0x00000000000F6000-0x0000000000107000-memory.dmp

Filesize
68KB

Download
memory/1708-74-0x00000000748B0000-0x0000000074E5B000-memory.dmp

Filesize
5.7MB

Download
memory/1708-54-0x0000000076121000-0x0000000076123000-memory.dmp

Filesize
8KB

Download
memory/1708-71-0x00000000000F6000-0x0000000000107000-memory.dmp

Filesize
68KB

Download
memory/1900-73-0x0000000001F76000-0x0000000001F87000-memory.dmp

Filesize
68KB

Download
memory/1900-65-0x0000000000000000-mapping.dmp

Download
memory/1900-72-0x00000000748B0000-0x0000000074E5B000-memory.dmp

Filesize
5.7MB

Download
memory/1900-76-0x00000000748B0000-0x0000000074E5B000-memory.dmp

Filesize
5.7MB

Download
memory/1900-77-0x0000000001F76000-0x0000000001F87000-memory.dmp

Filesize
68KB

Download
memory/2008-70-0x00000000748B0000-0x0000000074E5B000-memory.dmp

Filesize
5.7MB

Download
memory/2008-56-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2008-57-0x0000000000408AEE-mapping.dmp

Download
memory/2008-59-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2008-61-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads