Overview

overview

10

Static

static

0261ae7bcf...08.exe

windows7-x64

10

0261ae7bcf...08.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    312s
  • max time network
    333s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-11-2022 09:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0261ae7bcfa532e3492cb55acc4de4df60cfedfdce553617ae8801b1b8006f08.exe

  • Size

    616KB

  • MD5

    93bc0b0789dc983fd4d3b1f099d6ca06

  • SHA1

    519f983007ec0e3aaf2bd5274a38dfcb861833fe

  • SHA256

    0261ae7bcfa532e3492cb55acc4de4df60cfedfdce553617ae8801b1b8006f08

  • SHA512

    3fa9207476b52a59c0e59eaa6e38290be85eaf5a8bb102b578a87e19c621c6b790fd6cef7bd7b2597080fe5d51c07cbacc8e01efecaa1c5dc56f8a3137adcdb7

  • SSDEEP

    12288:0sg+XyCpWKqKqKqKqKzKqKqKqKqKltoHGGrjko2N5mZU:6+XGqHG+jko2KZ

Score
10/10
njrathackedtrojan

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

HacKed

C2

jafares.ddns.net:1177

Mutex

85ce27c90f0ba2b98ceb888e2ca7acde

Attributes
  • reg_key

    85ce27c90f0ba2b98ceb888e2ca7acde

  • splitter

    |'|'|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 60 IoCs
  • Suspicious use of AdjustPrivilegeToken 45 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0261ae7bcfa532e3492cb55acc4de4df60cfedfdce553617ae8801b1b8006f08.exe
    "C:\Users\Admin\AppData\Local\Temp\0261ae7bcfa532e3492cb55acc4de4df60cfedfdce553617ae8801b1b8006f08.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4396
    • C:\Users\Admin\AppData\LocalFEnUgqRZUM.exe
      "C:\Users\Admin\AppData\LocalFEnUgqRZUM.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3456
      • C:\Users\Admin\AppData\LocalFEnUgqRZUM.exe
        C:\Users\Admin\AppData\LocalFEnUgqRZUM.exe
        3⤵
        • Executes dropped EXE
        PID:4920

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalFEnUgqRZUM.exe
    Filesize

    350KB

    MD5

    39669e5a0b4e4b6b569fb204b6b9eedf

    SHA1

    6b305e9240d5ace4aeb6a528501b7b40b20423b5

    SHA256

    8ffd0ede4e3f0b6d033146cbb6b1b5126e9170707732eeeb46ede3b35d187883

    SHA512

    ef76621c91f80dd7bbf3adc766bc4aaa1252be1b81c0715004a6f7d5fcd71e3bf9384ff25b34eb6b24a0aca691c84295fde6f6e65d3abc2e73d0534bb38ca6c0

    Download Submit
  • C:\Users\Admin\AppData\LocalFEnUgqRZUM.exe
    Filesize

    350KB

    MD5

    39669e5a0b4e4b6b569fb204b6b9eedf

    SHA1

    6b305e9240d5ace4aeb6a528501b7b40b20423b5

    SHA256

    8ffd0ede4e3f0b6d033146cbb6b1b5126e9170707732eeeb46ede3b35d187883

    SHA512

    ef76621c91f80dd7bbf3adc766bc4aaa1252be1b81c0715004a6f7d5fcd71e3bf9384ff25b34eb6b24a0aca691c84295fde6f6e65d3abc2e73d0534bb38ca6c0

    Download Submit
  • C:\Users\Admin\AppData\LocalFEnUgqRZUM.exe
    Filesize

    350KB

    MD5

    39669e5a0b4e4b6b569fb204b6b9eedf

    SHA1

    6b305e9240d5ace4aeb6a528501b7b40b20423b5

    SHA256

    8ffd0ede4e3f0b6d033146cbb6b1b5126e9170707732eeeb46ede3b35d187883

    SHA512

    ef76621c91f80dd7bbf3adc766bc4aaa1252be1b81c0715004a6f7d5fcd71e3bf9384ff25b34eb6b24a0aca691c84295fde6f6e65d3abc2e73d0534bb38ca6c0

    Download Submit
  • memory/3456-138-0x00000000052B0000-0x0000000005342000-memory.dmp
    Filesize

    584KB

    Download
  • memory/3456-136-0x0000000000850000-0x00000000008AE000-memory.dmp
    Filesize

    376KB

    Download
  • memory/3456-137-0x0000000005B10000-0x00000000060B4000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/3456-139-0x0000000005260000-0x000000000526A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/3456-140-0x0000000005A30000-0x0000000005ACC000-memory.dmp
    Filesize

    624KB

    Download
  • memory/3456-133-0x0000000000000000-mapping.dmp
    Download
  • memory/3456-144-0x0000000005559000-0x000000000555F000-memory.dmp
    Filesize

    24KB

    Download
  • memory/3456-145-0x0000000005559000-0x000000000555F000-memory.dmp
    Filesize

    24KB

    Download
  • memory/4396-132-0x00007FFED74E0000-0x00007FFED7F16000-memory.dmp
    Filesize

    10.2MB

    Download
  • memory/4920-141-0x0000000000000000-mapping.dmp
    Download
  • memory/4920-142-0x0000000000400000-0x000000000040E000-memory.dmp
    Filesize

    56KB

    Download