njrat | 4099691b6923caf26f04c475c83d2eabbee3167061cb9d683c67cf36e63b31a9

General

Target

2f79aaf512689c9403db74af2edb79ac.exe
Size

484KB
MD5

2f79aaf512689c9403db74af2edb79ac
SHA1

63f197e4139dafa86daa135e910cebb5c515d196
SHA256

4099691b6923caf26f04c475c83d2eabbee3167061cb9d683c67cf36e63b31a9
SHA512

dbcf00436f34a71da3b44ecf16647ffbfb99d307bf7975abacc8c640f78e5a4ec55c014380d626529ef94ae557e01a9f685e3aba9c660e4d02faf38e21a71850
SSDEEP

6144:x/iQb+ckQsH8TDRGKJkSvGUlYG2VT+tr08yZPzkLQsJVQc1VTNN2HMDgtHxyPw5:oQnk3GDYKGcblMT+tr08yZwL1p8Hx+w5

Score

10^/10

njrat hacked evasion trojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

HacKed

C2

6.tcp.ngrok.io:15907

Mutex

55beb0adf3929af15490d2dcbd04f397

Attributes

reg_key
55beb0adf3929af15490d2dcbd04f397
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 2 IoCs

pid	Process
1424	Server.sfx.exe
2832	Server.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
884	netsh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	Server.sfx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	2f79aaf512689c9403db74af2edb79ac.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	2832	Server.exe
Token: 33	2832	Server.exe
Token: SeIncBasePriorityPrivilege	2832	Server.exe
Token: 33	2832	Server.exe
Token: SeIncBasePriorityPrivilege	2832	Server.exe
Token: 33	2832	Server.exe
Token: SeIncBasePriorityPrivilege	2832	Server.exe
Token: 33	2832	Server.exe
Token: SeIncBasePriorityPrivilege	2832	Server.exe
Token: 33	2832	Server.exe
Token: SeIncBasePriorityPrivilege	2832	Server.exe
Token: 33	2832	Server.exe
Token: SeIncBasePriorityPrivilege	2832	Server.exe
Token: 33	2832	Server.exe
Token: SeIncBasePriorityPrivilege	2832	Server.exe
Token: 33	2832	Server.exe
Token: SeIncBasePriorityPrivilege	2832	Server.exe
Token: 33	2832	Server.exe
Token: SeIncBasePriorityPrivilege	2832	Server.exe
Token: 33	2832	Server.exe
Token: SeIncBasePriorityPrivilege	2832	Server.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3824 wrote to memory of 4456	3824	2f79aaf512689c9403db74af2edb79ac.exe	83
PID 3824 wrote to memory of 4456	3824	2f79aaf512689c9403db74af2edb79ac.exe	83
PID 3824 wrote to memory of 4456	3824	2f79aaf512689c9403db74af2edb79ac.exe	83
PID 4456 wrote to memory of 1424	4456	cmd.exe	86
PID 4456 wrote to memory of 1424	4456	cmd.exe	86
PID 4456 wrote to memory of 1424	4456	cmd.exe	86
PID 1424 wrote to memory of 2832	1424	Server.sfx.exe	89
PID 1424 wrote to memory of 2832	1424	Server.sfx.exe	89
PID 1424 wrote to memory of 2832	1424	Server.sfx.exe	89
PID 2832 wrote to memory of 884	2832	Server.exe	90
PID 2832 wrote to memory of 884	2832	Server.exe	90
PID 2832 wrote to memory of 884	2832	Server.exe	90

C:\Users\Admin\AppData\Local\Temp\2f79aaf512689c9403db74af2edb79ac.exe
"C:\Users\Admin\AppData\Local\Temp\2f79aaf512689c9403db74af2edb79ac.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3824
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\srv.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4456
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Server.sfx.exe
    Server.sfx.exe -phugorodalegadidier0011
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:1424
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\Server.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2832
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Server.exe" "Server.exe" ENABLE
        5⤵
        Modifies Windows Firewall
        
        PID:884

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Server.sfx.exe

Filesize
322KB

MD5
5e49ee0f614f32c90b839bb108664011

SHA1
dd8affe65d9b27f19a5e4200565741b6acba7dd9

SHA256
654f683201915e2c158abdd373bdce5974f33defbb940e2304107e6fb4efc376

SHA512
2232d2323497fe643d51fb5d9f7d6f9e7e9db3878971e64bb5085f1b4c0bd142b582f01d246819d8980f18347da2a696c90c27f2c5fac20ee8b88d7f3ea214a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Server.sfx.exe

Filesize
322KB

MD5
5e49ee0f614f32c90b839bb108664011

SHA1
dd8affe65d9b27f19a5e4200565741b6acba7dd9

SHA256
654f683201915e2c158abdd373bdce5974f33defbb940e2304107e6fb4efc376

SHA512
2232d2323497fe643d51fb5d9f7d6f9e7e9db3878971e64bb5085f1b4c0bd142b582f01d246819d8980f18347da2a696c90c27f2c5fac20ee8b88d7f3ea214a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\srv.bat

Filesize
56B

MD5
45727356459051f342d1e74f42e69615

SHA1
c6587b44238bc36f2cd8bf7c5b010fade2ccd1cf

SHA256
de5e75b1b128cf5f9409ea4402ce2b656c34c85818e071938de4451716c28c3a

SHA512
d138801ebd582f24e3959e64cc85599f4333f250273b448b720bcff68d576ff27434242dabe09aba9983d55fe84b14b6c8b1a280f8986f48a0a5e97cf08105c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Server.exe

Filesize
37KB

MD5
80b93f5afdc0ba9071bc68f350d55d56

SHA1
a3f5b32dc496685f942052365cb67eb003cbc027

SHA256
2c6ae5055c8937432220725bc0b0907967a6151d755f01f87a3de938f6bdfa29

SHA512
90c4a4d02d12980109932f1f7a7966a277e59521ac741f58bf4c6b805a35756f070bf7f941335d9dbf82d3027e35b4f419122fb7a446eb5a912707b032247188

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Server.exe

Filesize
37KB

MD5
80b93f5afdc0ba9071bc68f350d55d56

SHA1
a3f5b32dc496685f942052365cb67eb003cbc027

SHA256
2c6ae5055c8937432220725bc0b0907967a6151d755f01f87a3de938f6bdfa29

SHA512
90c4a4d02d12980109932f1f7a7966a277e59521ac741f58bf4c6b805a35756f070bf7f941335d9dbf82d3027e35b4f419122fb7a446eb5a912707b032247188

Download Submit
memory/2832-140-0x0000000072E90000-0x0000000073441000-memory.dmp

Filesize
5.7MB

Download
memory/2832-142-0x0000000072E90000-0x0000000073441000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing