njrat | c16377a25b5e9888be5e7c46663a01a6f361fc0c70ba1b9e538805952490b9bc

General

Target

c16377a25b5e9888be5e7c46663a01a6f361fc0c70ba1b9e538805952490b9bc.exe
Size

44KB
MD5

d2b8a106c29dac903ad8ebeb5fc84f6f
SHA1

5b4fe7cd5a6444eaee074d214cfd0ed712d46b3c
SHA256

c16377a25b5e9888be5e7c46663a01a6f361fc0c70ba1b9e538805952490b9bc
SHA512

596ca15887de0cec578609bf966149057dceda5edf732cb9f788536c28a2130d757909e459f0f2f1d3160e632d6431bf5c7a41ee6a2dcbcb8b6bb7a755ffbb04
SSDEEP

768:YHPOFt6gtzDFHZiS1v+yBzrBQJRriq+9Q:uWUylr1vh3BQJRez9Q

Score

10^/10

njrat hacker 8 evasion trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HaCkEr 8

C2

xxx99.zapto.org:88

Mutex

a3d748392c83eb40cc2f4a5e2518c816

Attributes

reg_key
a3d748392c83eb40cc2f4a5e2518c816
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 2 IoCs

Processes:

che0htx7ddBIfTLpGoKV.execonhost.exe

pid process

896 che0htx7ddBIfTLpGoKV.exe
952 conhost.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

900 netsh.exe
Loads dropped DLL 2 IoCs

Processes:

c16377a25b5e9888be5e7c46663a01a6f361fc0c70ba1b9e538805952490b9bc.exeche0htx7ddBIfTLpGoKV.exe

pid process

1880 c16377a25b5e9888be5e7c46663a01a6f361fc0c70ba1b9e538805952490b9bc.exe
896 che0htx7ddBIfTLpGoKV.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
896	che0htx7ddBIfTLpGoKV.exe
952	conhost.exe

pid	process
900	netsh.exe

pid	process
1880	c16377a25b5e9888be5e7c46663a01a6f361fc0c70ba1b9e538805952490b9bc.exe
896	che0htx7ddBIfTLpGoKV.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

conhost.exe

description	pid	process
Token: SeDebugPrivilege	952	conhost.exe
Token: 33	952	conhost.exe
Token: SeIncBasePriorityPrivilege	952	conhost.exe
Token: 33	952	conhost.exe
Token: SeIncBasePriorityPrivilege	952	conhost.exe
Token: 33	952	conhost.exe
Token: SeIncBasePriorityPrivilege	952	conhost.exe
Token: 33	952	conhost.exe
Token: SeIncBasePriorityPrivilege	952	conhost.exe
Token: 33	952	conhost.exe
Token: SeIncBasePriorityPrivilege	952	conhost.exe
Token: 33	952	conhost.exe
Token: SeIncBasePriorityPrivilege	952	conhost.exe
Token: 33	952	conhost.exe
Token: SeIncBasePriorityPrivilege	952	conhost.exe
Token: 33	952	conhost.exe
Token: SeIncBasePriorityPrivilege	952	conhost.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

c16377a25b5e9888be5e7c46663a01a6f361fc0c70ba1b9e538805952490b9bc.exeche0htx7ddBIfTLpGoKV.execonhost.exe

description	pid	process	target process
PID 1880 wrote to memory of 896	1880	c16377a25b5e9888be5e7c46663a01a6f361fc0c70ba1b9e538805952490b9bc.exe	che0htx7ddBIfTLpGoKV.exe
PID 1880 wrote to memory of 896	1880	c16377a25b5e9888be5e7c46663a01a6f361fc0c70ba1b9e538805952490b9bc.exe	che0htx7ddBIfTLpGoKV.exe
PID 1880 wrote to memory of 896	1880	c16377a25b5e9888be5e7c46663a01a6f361fc0c70ba1b9e538805952490b9bc.exe	che0htx7ddBIfTLpGoKV.exe
PID 1880 wrote to memory of 896	1880	c16377a25b5e9888be5e7c46663a01a6f361fc0c70ba1b9e538805952490b9bc.exe	che0htx7ddBIfTLpGoKV.exe
PID 896 wrote to memory of 952	896	che0htx7ddBIfTLpGoKV.exe	conhost.exe
PID 896 wrote to memory of 952	896	che0htx7ddBIfTLpGoKV.exe	conhost.exe
PID 896 wrote to memory of 952	896	che0htx7ddBIfTLpGoKV.exe	conhost.exe
PID 896 wrote to memory of 952	896	che0htx7ddBIfTLpGoKV.exe	conhost.exe
PID 952 wrote to memory of 900	952	conhost.exe	netsh.exe
PID 952 wrote to memory of 900	952	conhost.exe	netsh.exe
PID 952 wrote to memory of 900	952	conhost.exe	netsh.exe
PID 952 wrote to memory of 900	952	conhost.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\c16377a25b5e9888be5e7c46663a01a6f361fc0c70ba1b9e538805952490b9bc.exe
"C:\Users\Admin\AppData\Local\Temp\c16377a25b5e9888be5e7c46663a01a6f361fc0c70ba1b9e538805952490b9bc.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1880

C:\Users\Admin\AppData\Local\Temp\che0htx7ddBIfTLpGoKV.exe
"C:\Users\Admin\AppData\Local\Temp\che0htx7ddBIfTLpGoKV.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:896

C:\Users\Admin\AppData\Local\Temp\conhost.exe
"C:\Users\Admin\AppData\Local\Temp\conhost.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:952

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\conhost.exe" "conhost.exe" ENABLE
4⤵
- Modifies Windows Firewall
PID:900

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\che0htx7ddBIfTLpGoKV.exe
Filesize
23KB

MD5
036d59f26793710fd58dbd3e1bd36cf7

SHA1
a59a1193c66fdc51f7deeaba2a5d61f42c71dc04

SHA256
6521ae85edfdd75130e1401fc9a3040e422e4d5fd5a5f467c0602330adf08c6b

SHA512
3e65e4b7c6b52f9ff7f5853ea844aad55a41582d37d1e5870b92b5fe343d05c1b89ed75750259c897dec7dde62fb35cb709d6ca93c746b5062d9814e0e1487cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\che0htx7ddBIfTLpGoKV.exe
Filesize
23KB

MD5
036d59f26793710fd58dbd3e1bd36cf7

SHA1
a59a1193c66fdc51f7deeaba2a5d61f42c71dc04

SHA256
6521ae85edfdd75130e1401fc9a3040e422e4d5fd5a5f467c0602330adf08c6b

SHA512
3e65e4b7c6b52f9ff7f5853ea844aad55a41582d37d1e5870b92b5fe343d05c1b89ed75750259c897dec7dde62fb35cb709d6ca93c746b5062d9814e0e1487cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\conhost.exe
Filesize
23KB

MD5
036d59f26793710fd58dbd3e1bd36cf7

SHA1
a59a1193c66fdc51f7deeaba2a5d61f42c71dc04

SHA256
6521ae85edfdd75130e1401fc9a3040e422e4d5fd5a5f467c0602330adf08c6b

SHA512
3e65e4b7c6b52f9ff7f5853ea844aad55a41582d37d1e5870b92b5fe343d05c1b89ed75750259c897dec7dde62fb35cb709d6ca93c746b5062d9814e0e1487cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\conhost.exe
Filesize
23KB

MD5
036d59f26793710fd58dbd3e1bd36cf7

SHA1
a59a1193c66fdc51f7deeaba2a5d61f42c71dc04

SHA256
6521ae85edfdd75130e1401fc9a3040e422e4d5fd5a5f467c0602330adf08c6b

SHA512
3e65e4b7c6b52f9ff7f5853ea844aad55a41582d37d1e5870b92b5fe343d05c1b89ed75750259c897dec7dde62fb35cb709d6ca93c746b5062d9814e0e1487cf

Download Submit
\Users\Admin\AppData\Local\Temp\che0htx7ddBIfTLpGoKV.exe
Filesize
23KB

MD5
036d59f26793710fd58dbd3e1bd36cf7

SHA1
a59a1193c66fdc51f7deeaba2a5d61f42c71dc04

SHA256
6521ae85edfdd75130e1401fc9a3040e422e4d5fd5a5f467c0602330adf08c6b

SHA512
3e65e4b7c6b52f9ff7f5853ea844aad55a41582d37d1e5870b92b5fe343d05c1b89ed75750259c897dec7dde62fb35cb709d6ca93c746b5062d9814e0e1487cf

Download Submit
\Users\Admin\AppData\Local\Temp\conhost.exe
Filesize
23KB

MD5
036d59f26793710fd58dbd3e1bd36cf7

SHA1
a59a1193c66fdc51f7deeaba2a5d61f42c71dc04

SHA256
6521ae85edfdd75130e1401fc9a3040e422e4d5fd5a5f467c0602330adf08c6b

SHA512
3e65e4b7c6b52f9ff7f5853ea844aad55a41582d37d1e5870b92b5fe343d05c1b89ed75750259c897dec7dde62fb35cb709d6ca93c746b5062d9814e0e1487cf

Download Submit
memory/896-62-0x0000000074740000-0x0000000074CEB000-memory.dmp

Filesize
5.7MB

Download
memory/896-57-0x0000000000000000-mapping.dmp

Download
memory/896-69-0x0000000074740000-0x0000000074CEB000-memory.dmp

Filesize
5.7MB

Download
memory/896-70-0x0000000074740000-0x0000000074CEB000-memory.dmp

Filesize
5.7MB

Download
memory/900-72-0x0000000000000000-mapping.dmp

Download
memory/952-64-0x0000000000000000-mapping.dmp

Download
memory/952-68-0x0000000074740000-0x0000000074CEB000-memory.dmp

Filesize
5.7MB

Download
memory/952-71-0x0000000074740000-0x0000000074CEB000-memory.dmp

Filesize
5.7MB

Download
memory/1880-61-0x0000000074740000-0x0000000074CEB000-memory.dmp

Filesize
5.7MB

Download
memory/1880-54-0x0000000075201000-0x0000000075203000-memory.dmp

Filesize
8KB

Download
memory/1880-55-0x0000000074740000-0x0000000074CEB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing