njrat | 9bdbd794aa81073836e9b8903dc3dd3f3d141361ac289cbd78f0c20d9e224d74

General

Target

9bdbd794aa81073836e9b8903dc3dd3f3d141361ac289cbd78f0c20d9e224d74.exe
Size

23KB
MD5

26f5357f3d1f5cf588f0037e47ff507a
SHA1

1feb416dbc2be71eecac5b1d42ef042a81189595
SHA256

9bdbd794aa81073836e9b8903dc3dd3f3d141361ac289cbd78f0c20d9e224d74
SHA512

3d7ce3b2d5ffef631fb374424dc07cbc8634a772fdbf30dfff978418b16893601d3904da0b0c03fe407232c3fe0bcbb6b29aff7370e5c45e3e7c3286b23e9018
SSDEEP

384:nc6ze6e1PAhJVzC3tC1im/BsTx46PgZ0rap9HBmRvR6JZlbw8hqIusZzZJ9:le9EJLN/yRpcnu4

Score

10^/10

njrat hacker 8 evasion trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HaCkEr 8

C2

xxx99.zapto.org:88

Mutex

be98a6b58aa4e8e933cb8fa0f193fac6

Attributes

reg_key
be98a6b58aa4e8e933cb8fa0f193fac6
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid process

1620 svchost.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

1684 netsh.exe
Loads dropped DLL 1 IoCs

Processes:

9bdbd794aa81073836e9b8903dc3dd3f3d141361ac289cbd78f0c20d9e224d74.exe

pid process

2028 9bdbd794aa81073836e9b8903dc3dd3f3d141361ac289cbd78f0c20d9e224d74.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1620	svchost.exe

pid	process
1684	netsh.exe

pid	process
2028	9bdbd794aa81073836e9b8903dc3dd3f3d141361ac289cbd78f0c20d9e224d74.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

Processes:

svchost.exe

description	pid	process
Token: SeDebugPrivilege	1620	svchost.exe
Token: 33	1620	svchost.exe
Token: SeIncBasePriorityPrivilege	1620	svchost.exe
Token: 33	1620	svchost.exe
Token: SeIncBasePriorityPrivilege	1620	svchost.exe
Token: 33	1620	svchost.exe
Token: SeIncBasePriorityPrivilege	1620	svchost.exe
Token: 33	1620	svchost.exe
Token: SeIncBasePriorityPrivilege	1620	svchost.exe
Token: 33	1620	svchost.exe
Token: SeIncBasePriorityPrivilege	1620	svchost.exe
Token: 33	1620	svchost.exe
Token: SeIncBasePriorityPrivilege	1620	svchost.exe
Token: 33	1620	svchost.exe
Token: SeIncBasePriorityPrivilege	1620	svchost.exe
Token: 33	1620	svchost.exe
Token: SeIncBasePriorityPrivilege	1620	svchost.exe
Token: 33	1620	svchost.exe
Token: SeIncBasePriorityPrivilege	1620	svchost.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

9bdbd794aa81073836e9b8903dc3dd3f3d141361ac289cbd78f0c20d9e224d74.exesvchost.exe

description	pid	process	target process
PID 2028 wrote to memory of 1620	2028	9bdbd794aa81073836e9b8903dc3dd3f3d141361ac289cbd78f0c20d9e224d74.exe	svchost.exe
PID 2028 wrote to memory of 1620	2028	9bdbd794aa81073836e9b8903dc3dd3f3d141361ac289cbd78f0c20d9e224d74.exe	svchost.exe
PID 2028 wrote to memory of 1620	2028	9bdbd794aa81073836e9b8903dc3dd3f3d141361ac289cbd78f0c20d9e224d74.exe	svchost.exe
PID 2028 wrote to memory of 1620	2028	9bdbd794aa81073836e9b8903dc3dd3f3d141361ac289cbd78f0c20d9e224d74.exe	svchost.exe
PID 1620 wrote to memory of 1684	1620	svchost.exe	netsh.exe
PID 1620 wrote to memory of 1684	1620	svchost.exe	netsh.exe
PID 1620 wrote to memory of 1684	1620	svchost.exe	netsh.exe
PID 1620 wrote to memory of 1684	1620	svchost.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\9bdbd794aa81073836e9b8903dc3dd3f3d141361ac289cbd78f0c20d9e224d74.exe
"C:\Users\Admin\AppData\Local\Temp\9bdbd794aa81073836e9b8903dc3dd3f3d141361ac289cbd78f0c20d9e224d74.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2028

C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1620

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\svchost.exe" "svchost.exe" ENABLE
3⤵
- Modifies Windows Firewall
PID:1684

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
23KB

MD5
26f5357f3d1f5cf588f0037e47ff507a

SHA1
1feb416dbc2be71eecac5b1d42ef042a81189595

SHA256
9bdbd794aa81073836e9b8903dc3dd3f3d141361ac289cbd78f0c20d9e224d74

SHA512
3d7ce3b2d5ffef631fb374424dc07cbc8634a772fdbf30dfff978418b16893601d3904da0b0c03fe407232c3fe0bcbb6b29aff7370e5c45e3e7c3286b23e9018

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
23KB

MD5
26f5357f3d1f5cf588f0037e47ff507a

SHA1
1feb416dbc2be71eecac5b1d42ef042a81189595

SHA256
9bdbd794aa81073836e9b8903dc3dd3f3d141361ac289cbd78f0c20d9e224d74

SHA512
3d7ce3b2d5ffef631fb374424dc07cbc8634a772fdbf30dfff978418b16893601d3904da0b0c03fe407232c3fe0bcbb6b29aff7370e5c45e3e7c3286b23e9018

Download Submit
\Users\Admin\AppData\Roaming\svchost.exe

Filesize
23KB

MD5
26f5357f3d1f5cf588f0037e47ff507a

SHA1
1feb416dbc2be71eecac5b1d42ef042a81189595

SHA256
9bdbd794aa81073836e9b8903dc3dd3f3d141361ac289cbd78f0c20d9e224d74

SHA512
3d7ce3b2d5ffef631fb374424dc07cbc8634a772fdbf30dfff978418b16893601d3904da0b0c03fe407232c3fe0bcbb6b29aff7370e5c45e3e7c3286b23e9018

Download Submit
memory/1620-57-0x0000000000000000-mapping.dmp

Download
memory/1620-62-0x0000000074A00000-0x0000000074FAB000-memory.dmp

Filesize
5.7MB

Download
memory/1620-65-0x0000000074A00000-0x0000000074FAB000-memory.dmp

Filesize
5.7MB

Download
memory/1684-63-0x0000000000000000-mapping.dmp

Download
memory/2028-54-0x00000000759F1000-0x00000000759F3000-memory.dmp

Filesize
8KB

Download
memory/2028-55-0x0000000074A00000-0x0000000074FAB000-memory.dmp

Filesize
5.7MB

Download
memory/2028-61-0x0000000074A00000-0x0000000074FAB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing