njrat | 45420f1150a00fc1b74db78200c2d0e593e20a732586de6db59af7ba2a718715

General

Target

45420f1150a00fc1b74db78200c2d0e593e20a732586de6db59af7ba2a718715.exe
Size

532KB
MD5

0e96867b9627a91f834acad0e7b84e25
SHA1

f9840c3a06ae977817ce14c831afd7c4ba7fabab
SHA256

45420f1150a00fc1b74db78200c2d0e593e20a732586de6db59af7ba2a718715
SHA512

966c3fb0cf56304d5919c894f5a8745156180fd82648b3241373918242791700cbca10f06d0cea49aaf386628a99f64c89df1db041677dc5134fdde17f29b1bd
SSDEEP

6144:g1vZOZy/rCdul/Iw3Vn9dX8lzEmJDl3roqm+kP7zMv893WfIQZKnFWH+Lfw0sh:PZkrCkl/Z9dA7loqcq08I8KFk/h

Score

10^/10

njrat billy evasion trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

BILLY

C2

withgod.hopper.pw:770

Mutex

b84a37071759ef5cf75837e93f4b857b

Attributes

reg_key
b84a37071759ef5cf75837e93f4b857b
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 2 IoCs

Processes:

1.exe1.exe

pid process

1984 1.exe
520 1.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

1800 netsh.exe

pid	process
1984	1.exe
520	1.exe

pid	process
1800	netsh.exe

Loads dropped DLL 2 IoCs

Processes:

45420f1150a00fc1b74db78200c2d0e593e20a732586de6db59af7ba2a718715.exe

pid	process
2040	45420f1150a00fc1b74db78200c2d0e593e20a732586de6db59af7ba2a718715.exe
2040	45420f1150a00fc1b74db78200c2d0e593e20a732586de6db59af7ba2a718715.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1.exe

description pid process target process

PID 1984 set thread context of 520 1984 1.exe 1.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 1984 set thread context of 520	1984	1.exe	1.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

1.exe1.exe

description	pid	process
Token: SeDebugPrivilege	1984	1.exe
Token: SeDebugPrivilege	520	1.exe
Token: 33	520	1.exe
Token: SeIncBasePriorityPrivilege	520	1.exe
Token: 33	520	1.exe
Token: SeIncBasePriorityPrivilege	520	1.exe
Token: 33	520	1.exe
Token: SeIncBasePriorityPrivilege	520	1.exe
Token: 33	520	1.exe
Token: SeIncBasePriorityPrivilege	520	1.exe
Token: 33	520	1.exe
Token: SeIncBasePriorityPrivilege	520	1.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

45420f1150a00fc1b74db78200c2d0e593e20a732586de6db59af7ba2a718715.exe1.exe1.exe

description	pid	process	target process
PID 2040 wrote to memory of 1984	2040	45420f1150a00fc1b74db78200c2d0e593e20a732586de6db59af7ba2a718715.exe	1.exe
PID 2040 wrote to memory of 1984	2040	45420f1150a00fc1b74db78200c2d0e593e20a732586de6db59af7ba2a718715.exe	1.exe
PID 2040 wrote to memory of 1984	2040	45420f1150a00fc1b74db78200c2d0e593e20a732586de6db59af7ba2a718715.exe	1.exe
PID 2040 wrote to memory of 1984	2040	45420f1150a00fc1b74db78200c2d0e593e20a732586de6db59af7ba2a718715.exe	1.exe
PID 1984 wrote to memory of 520	1984	1.exe	1.exe
PID 1984 wrote to memory of 520	1984	1.exe	1.exe
PID 1984 wrote to memory of 520	1984	1.exe	1.exe
PID 1984 wrote to memory of 520	1984	1.exe	1.exe
PID 1984 wrote to memory of 520	1984	1.exe	1.exe
PID 1984 wrote to memory of 520	1984	1.exe	1.exe
PID 1984 wrote to memory of 520	1984	1.exe	1.exe
PID 1984 wrote to memory of 520	1984	1.exe	1.exe
PID 520 wrote to memory of 1800	520	1.exe	netsh.exe
PID 520 wrote to memory of 1800	520	1.exe	netsh.exe
PID 520 wrote to memory of 1800	520	1.exe	netsh.exe
PID 520 wrote to memory of 1800	520	1.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\45420f1150a00fc1b74db78200c2d0e593e20a732586de6db59af7ba2a718715.exe
"C:\Users\Admin\AppData\Local\Temp\45420f1150a00fc1b74db78200c2d0e593e20a732586de6db59af7ba2a718715.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2040

C:\Users\Admin\AppData\Roaming\mpack\1.exe
"C:\Users\Admin\AppData\Roaming\mpack\1.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1984

C:\Users\Admin\AppData\Roaming\mpack\1.exe
"C:\Users\Admin\AppData\Roaming\mpack\1.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:520

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\mpack\1.exe" "1.exe" ENABLE
4⤵
- Modifies Windows Firewall
PID:1800

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mpack\1.exe

Filesize
288KB

MD5
d4fa7bd15aecc2749c171f5d97426a41

SHA1
0bda5e4cbe7ecec339d411cc5705800ef2e5f181

SHA256
4a18bd3ea519399cf10546a69f1feb7a3b59f8688f7e6fc3c323e7971fab85f6

SHA512
508f95802c686f08634a56a8dfc97293de57e4aaa68f179d9201ad4b7c167f63a4d76ef07d6e419c90ced7741cb8cc000c780b813a32334d90af3d9cc104186f

Download Submit
C:\Users\Admin\AppData\Roaming\mpack\1.exe

Filesize
288KB

MD5
d4fa7bd15aecc2749c171f5d97426a41

SHA1
0bda5e4cbe7ecec339d411cc5705800ef2e5f181

SHA256
4a18bd3ea519399cf10546a69f1feb7a3b59f8688f7e6fc3c323e7971fab85f6

SHA512
508f95802c686f08634a56a8dfc97293de57e4aaa68f179d9201ad4b7c167f63a4d76ef07d6e419c90ced7741cb8cc000c780b813a32334d90af3d9cc104186f

Download Submit
C:\Users\Admin\AppData\Roaming\mpack\1.exe

Filesize
288KB

MD5
d4fa7bd15aecc2749c171f5d97426a41

SHA1
0bda5e4cbe7ecec339d411cc5705800ef2e5f181

SHA256
4a18bd3ea519399cf10546a69f1feb7a3b59f8688f7e6fc3c323e7971fab85f6

SHA512
508f95802c686f08634a56a8dfc97293de57e4aaa68f179d9201ad4b7c167f63a4d76ef07d6e419c90ced7741cb8cc000c780b813a32334d90af3d9cc104186f

Download Submit
\Users\Admin\AppData\Roaming\mpack\1.exe

Filesize
288KB

MD5
d4fa7bd15aecc2749c171f5d97426a41

SHA1
0bda5e4cbe7ecec339d411cc5705800ef2e5f181

SHA256
4a18bd3ea519399cf10546a69f1feb7a3b59f8688f7e6fc3c323e7971fab85f6

SHA512
508f95802c686f08634a56a8dfc97293de57e4aaa68f179d9201ad4b7c167f63a4d76ef07d6e419c90ced7741cb8cc000c780b813a32334d90af3d9cc104186f

Download Submit
\Users\Admin\AppData\Roaming\mpack\1.exe

Filesize
288KB

MD5
d4fa7bd15aecc2749c171f5d97426a41

SHA1
0bda5e4cbe7ecec339d411cc5705800ef2e5f181

SHA256
4a18bd3ea519399cf10546a69f1feb7a3b59f8688f7e6fc3c323e7971fab85f6

SHA512
508f95802c686f08634a56a8dfc97293de57e4aaa68f179d9201ad4b7c167f63a4d76ef07d6e419c90ced7741cb8cc000c780b813a32334d90af3d9cc104186f

Download Submit
memory/520-68-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/520-65-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/520-81-0x00000000745F0000-0x0000000074B9B000-memory.dmp

Filesize
5.7MB

Download
memory/520-78-0x00000000745F0000-0x0000000074B9B000-memory.dmp

Filesize
5.7MB

Download
memory/520-75-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/520-69-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/520-66-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/520-73-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/520-70-0x000000000040747E-mapping.dmp

Download
memory/1800-79-0x0000000000000000-mapping.dmp

Download
memory/1984-77-0x00000000745F0000-0x0000000074B9B000-memory.dmp

Filesize
5.7MB

Download
memory/1984-58-0x0000000000000000-mapping.dmp

Download
memory/1984-64-0x00000000745F0000-0x0000000074B9B000-memory.dmp

Filesize
5.7MB

Download
memory/1984-63-0x00000000745F0000-0x0000000074B9B000-memory.dmp

Filesize
5.7MB

Download
memory/2040-55-0x00000000745F0000-0x0000000074B9B000-memory.dmp

Filesize
5.7MB

Download
memory/2040-54-0x0000000075C21000-0x0000000075C23000-memory.dmp

Filesize
8KB

Download
memory/2040-62-0x00000000745F0000-0x0000000074B9B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads