njrat | 2413b7f8b03acf212c1c9bd092dc8892d74885dc49e2d926d607618f203fa960

Analysis

max time kernel
168s
max time network
192s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 09:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2413b7f8b03acf212c1c9bd092dc8892d74885dc49e2d926d607618f203fa960.exe
Size

28KB
MD5

3492d6c98dd85f9abcc6c34cf4491998
SHA1

212d4d385f72d7906e3ea7832e5c720dc392021f
SHA256

2413b7f8b03acf212c1c9bd092dc8892d74885dc49e2d926d607618f203fa960
SHA512

bdfaf0e244355b12ffbf6e473a270d5247fbfb8b0960c1e478b866940956b8eb0088e9bc7699ecd0ada85b250224ba059c538618cf6f2ee4f6a8ffcfc8c66e31
SSDEEP

384:WCZ2hJl7tjrMSJIeURd545rCWmqDebDveoEGBsbh0w4wlAokw9OhgOL1vYRGOZzG:VM79MSJ07srcqETe6BKh0p29SgRj+t

Score

10^/10

njrat đǿsħka ħąĉķễr trojan

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

Đǿsħka ĦąĈķễr

ahmad-rimawi1998.zapto.org:1188

Mutex

1ffcf52b0cd64d83554855bd6f04fc1f

Attributes

reg_key
1ffcf52b0cd64d83554855bd6f04fc1f
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 1 IoCs

Processes:

taskhost.exe

pid process

2128 taskhost.exe

pid	process
2128	taskhost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2413b7f8b03acf212c1c9bd092dc8892d74885dc49e2d926d607618f203fa960.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation	2413b7f8b03acf212c1c9bd092dc8892d74885dc49e2d926d607618f203fa960.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

2413b7f8b03acf212c1c9bd092dc8892d74885dc49e2d926d607618f203fa960.exe

description	pid	process	target process
PID 460 wrote to memory of 2128	460	2413b7f8b03acf212c1c9bd092dc8892d74885dc49e2d926d607618f203fa960.exe	taskhost.exe
PID 460 wrote to memory of 2128	460	2413b7f8b03acf212c1c9bd092dc8892d74885dc49e2d926d607618f203fa960.exe	taskhost.exe
PID 460 wrote to memory of 2128	460	2413b7f8b03acf212c1c9bd092dc8892d74885dc49e2d926d607618f203fa960.exe	taskhost.exe

C:\Users\Admin\AppData\Local\Temp\2413b7f8b03acf212c1c9bd092dc8892d74885dc49e2d926d607618f203fa960.exe
"C:\Users\Admin\AppData\Local\Temp\2413b7f8b03acf212c1c9bd092dc8892d74885dc49e2d926d607618f203fa960.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:460

C:\Users\Admin\AppData\Local\Temp\taskhost.exe
"C:\Users\Admin\AppData\Local\Temp\taskhost.exe"
2⤵
- Executes dropped EXE
PID:2128

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\taskhost.exe

Filesize
28KB

MD5
3492d6c98dd85f9abcc6c34cf4491998

SHA1
212d4d385f72d7906e3ea7832e5c720dc392021f

SHA256
2413b7f8b03acf212c1c9bd092dc8892d74885dc49e2d926d607618f203fa960

SHA512
bdfaf0e244355b12ffbf6e473a270d5247fbfb8b0960c1e478b866940956b8eb0088e9bc7699ecd0ada85b250224ba059c538618cf6f2ee4f6a8ffcfc8c66e31

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskhost.exe

Filesize
28KB

MD5
3492d6c98dd85f9abcc6c34cf4491998

SHA1
212d4d385f72d7906e3ea7832e5c720dc392021f

SHA256
2413b7f8b03acf212c1c9bd092dc8892d74885dc49e2d926d607618f203fa960

SHA512
bdfaf0e244355b12ffbf6e473a270d5247fbfb8b0960c1e478b866940956b8eb0088e9bc7699ecd0ada85b250224ba059c538618cf6f2ee4f6a8ffcfc8c66e31

Download Submit
memory/460-132-0x0000000074D70000-0x0000000075321000-memory.dmp

Filesize
5.7MB

Download
memory/460-133-0x0000000074D70000-0x0000000075321000-memory.dmp

Filesize
5.7MB

Download
memory/460-138-0x0000000074D70000-0x0000000075321000-memory.dmp

Filesize
5.7MB

Download
memory/2128-134-0x0000000000000000-mapping.dmp

Download
memory/2128-137-0x0000000074D70000-0x0000000075321000-memory.dmp

Filesize
5.7MB

Download
memory/2128-139-0x0000000074D70000-0x0000000075321000-memory.dmp

Filesize
5.7MB

Download