njrat | 4099691b6923caf26f04c475c83d2eabbee3167061cb9d683c67cf36e63b31a9

Analysis

max time kernel
188s
max time network
234s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23/11/2022, 21:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2f79aaf512689c9403db74af2edb79ac.exe
Size

484KB
MD5

2f79aaf512689c9403db74af2edb79ac
SHA1

63f197e4139dafa86daa135e910cebb5c515d196
SHA256

4099691b6923caf26f04c475c83d2eabbee3167061cb9d683c67cf36e63b31a9
SHA512

dbcf00436f34a71da3b44ecf16647ffbfb99d307bf7975abacc8c640f78e5a4ec55c014380d626529ef94ae557e01a9f685e3aba9c660e4d02faf38e21a71850
SSDEEP

6144:x/iQb+ckQsH8TDRGKJkSvGUlYG2VT+tr08yZPzkLQsJVQc1VTNN2HMDgtHxyPw5:oQnk3GDYKGcblMT+tr08yZwL1p8Hx+w5

Score

10^/10

njrat hacked evasion trojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

HacKed

6.tcp.ngrok.io:15907

Mutex

55beb0adf3929af15490d2dcbd04f397

Attributes

reg_key
55beb0adf3929af15490d2dcbd04f397
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 2 IoCs

pid	Process
1180	Server.sfx.exe
1752	Server.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
1876	netsh.exe

Loads dropped DLL 4 IoCs

pid	Process
584	cmd.exe
1180	Server.sfx.exe
1180	Server.sfx.exe
1180	Server.sfx.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	1752	Server.exe
Token: 33	1752	Server.exe
Token: SeIncBasePriorityPrivilege	1752	Server.exe
Token: 33	1752	Server.exe
Token: SeIncBasePriorityPrivilege	1752	Server.exe
Token: 33	1752	Server.exe
Token: SeIncBasePriorityPrivilege	1752	Server.exe
Token: 33	1752	Server.exe
Token: SeIncBasePriorityPrivilege	1752	Server.exe
Token: 33	1752	Server.exe
Token: SeIncBasePriorityPrivilege	1752	Server.exe
Token: 33	1752	Server.exe
Token: SeIncBasePriorityPrivilege	1752	Server.exe
Token: 33	1752	Server.exe
Token: SeIncBasePriorityPrivilege	1752	Server.exe
Token: 33	1752	Server.exe
Token: SeIncBasePriorityPrivilege	1752	Server.exe
Token: 33	1752	Server.exe
Token: SeIncBasePriorityPrivilege	1752	Server.exe
Token: 33	1752	Server.exe
Token: SeIncBasePriorityPrivilege	1752	Server.exe
Token: 33	1752	Server.exe
Token: SeIncBasePriorityPrivilege	1752	Server.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 952 wrote to memory of 584	952	2f79aaf512689c9403db74af2edb79ac.exe	28
PID 952 wrote to memory of 584	952	2f79aaf512689c9403db74af2edb79ac.exe	28
PID 952 wrote to memory of 584	952	2f79aaf512689c9403db74af2edb79ac.exe	28
PID 952 wrote to memory of 584	952	2f79aaf512689c9403db74af2edb79ac.exe	28
PID 584 wrote to memory of 1180	584	cmd.exe	30
PID 584 wrote to memory of 1180	584	cmd.exe	30
PID 584 wrote to memory of 1180	584	cmd.exe	30
PID 584 wrote to memory of 1180	584	cmd.exe	30
PID 1180 wrote to memory of 1752	1180	Server.sfx.exe	31
PID 1180 wrote to memory of 1752	1180	Server.sfx.exe	31
PID 1180 wrote to memory of 1752	1180	Server.sfx.exe	31
PID 1180 wrote to memory of 1752	1180	Server.sfx.exe	31
PID 1752 wrote to memory of 1876	1752	Server.exe	32
PID 1752 wrote to memory of 1876	1752	Server.exe	32
PID 1752 wrote to memory of 1876	1752	Server.exe	32
PID 1752 wrote to memory of 1876	1752	Server.exe	32

C:\Users\Admin\AppData\Local\Temp\2f79aaf512689c9403db74af2edb79ac.exe
"C:\Users\Admin\AppData\Local\Temp\2f79aaf512689c9403db74af2edb79ac.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:952
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\srv.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:584
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Server.sfx.exe
    Server.sfx.exe -phugorodalegadidier0011
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1180
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\Server.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1752
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Server.exe" "Server.exe" ENABLE
        5⤵
        Modifies Windows Firewall
        
        PID:1876

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Server.sfx.exe

Filesize
322KB

MD5
5e49ee0f614f32c90b839bb108664011

SHA1
dd8affe65d9b27f19a5e4200565741b6acba7dd9

SHA256
654f683201915e2c158abdd373bdce5974f33defbb940e2304107e6fb4efc376

SHA512
2232d2323497fe643d51fb5d9f7d6f9e7e9db3878971e64bb5085f1b4c0bd142b582f01d246819d8980f18347da2a696c90c27f2c5fac20ee8b88d7f3ea214a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Server.sfx.exe

Filesize
322KB

MD5
5e49ee0f614f32c90b839bb108664011

SHA1
dd8affe65d9b27f19a5e4200565741b6acba7dd9

SHA256
654f683201915e2c158abdd373bdce5974f33defbb940e2304107e6fb4efc376

SHA512
2232d2323497fe643d51fb5d9f7d6f9e7e9db3878971e64bb5085f1b4c0bd142b582f01d246819d8980f18347da2a696c90c27f2c5fac20ee8b88d7f3ea214a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\srv.bat

Filesize
56B

MD5
45727356459051f342d1e74f42e69615

SHA1
c6587b44238bc36f2cd8bf7c5b010fade2ccd1cf

SHA256
de5e75b1b128cf5f9409ea4402ce2b656c34c85818e071938de4451716c28c3a

SHA512
d138801ebd582f24e3959e64cc85599f4333f250273b448b720bcff68d576ff27434242dabe09aba9983d55fe84b14b6c8b1a280f8986f48a0a5e97cf08105c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Server.exe

Filesize
37KB

MD5
80b93f5afdc0ba9071bc68f350d55d56

SHA1
a3f5b32dc496685f942052365cb67eb003cbc027

SHA256
2c6ae5055c8937432220725bc0b0907967a6151d755f01f87a3de938f6bdfa29

SHA512
90c4a4d02d12980109932f1f7a7966a277e59521ac741f58bf4c6b805a35756f070bf7f941335d9dbf82d3027e35b4f419122fb7a446eb5a912707b032247188

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Server.exe

Filesize
37KB

MD5
80b93f5afdc0ba9071bc68f350d55d56

SHA1
a3f5b32dc496685f942052365cb67eb003cbc027

SHA256
2c6ae5055c8937432220725bc0b0907967a6151d755f01f87a3de938f6bdfa29

SHA512
90c4a4d02d12980109932f1f7a7966a277e59521ac741f58bf4c6b805a35756f070bf7f941335d9dbf82d3027e35b4f419122fb7a446eb5a912707b032247188

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Server.sfx.exe

Filesize
322KB

MD5
5e49ee0f614f32c90b839bb108664011

SHA1
dd8affe65d9b27f19a5e4200565741b6acba7dd9

SHA256
654f683201915e2c158abdd373bdce5974f33defbb940e2304107e6fb4efc376

SHA512
2232d2323497fe643d51fb5d9f7d6f9e7e9db3878971e64bb5085f1b4c0bd142b582f01d246819d8980f18347da2a696c90c27f2c5fac20ee8b88d7f3ea214a2

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\Server.exe

Filesize
37KB

MD5
80b93f5afdc0ba9071bc68f350d55d56

SHA1
a3f5b32dc496685f942052365cb67eb003cbc027

SHA256
2c6ae5055c8937432220725bc0b0907967a6151d755f01f87a3de938f6bdfa29

SHA512
90c4a4d02d12980109932f1f7a7966a277e59521ac741f58bf4c6b805a35756f070bf7f941335d9dbf82d3027e35b4f419122fb7a446eb5a912707b032247188

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\Server.exe

Filesize
37KB

MD5
80b93f5afdc0ba9071bc68f350d55d56

SHA1
a3f5b32dc496685f942052365cb67eb003cbc027

SHA256
2c6ae5055c8937432220725bc0b0907967a6151d755f01f87a3de938f6bdfa29

SHA512
90c4a4d02d12980109932f1f7a7966a277e59521ac741f58bf4c6b805a35756f070bf7f941335d9dbf82d3027e35b4f419122fb7a446eb5a912707b032247188

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\Server.exe

Filesize
37KB

MD5
80b93f5afdc0ba9071bc68f350d55d56

SHA1
a3f5b32dc496685f942052365cb67eb003cbc027

SHA256
2c6ae5055c8937432220725bc0b0907967a6151d755f01f87a3de938f6bdfa29

SHA512
90c4a4d02d12980109932f1f7a7966a277e59521ac741f58bf4c6b805a35756f070bf7f941335d9dbf82d3027e35b4f419122fb7a446eb5a912707b032247188

Download Submit
memory/952-54-0x00000000757E1000-0x00000000757E3000-memory.dmp

Filesize
8KB

Download
memory/1752-69-0x0000000073C50000-0x00000000741FB000-memory.dmp

Filesize
5.7MB

Download
memory/1752-72-0x0000000073C50000-0x00000000741FB000-memory.dmp

Filesize
5.7MB

Download