njrat | 6aa69657b903959b5abdc42744653513d6152dd0164e31b8c4aaa2136ced5b5f

General

Target

6aa69657b903959b5abdc42744653513d6152dd0164e31b8c4aaa2136ced5b5f.exe
Size

180KB
MD5

0a5c7a351889c0416f63ddc78a731e56
SHA1

40a628f39e9e6d5f4f3714fc62b8524941c1e993
SHA256

6aa69657b903959b5abdc42744653513d6152dd0164e31b8c4aaa2136ced5b5f
SHA512

64092a18df6d47dd62504978d2c4e619627652aac887422886a7c95bf424384dc7ae6949f5c83a9419bdb5dfe0b3d347f2ca64bccf8b88802d767f2b65c4a346
SSDEEP

3072:RvC2jbA29f/zgoX+UNFMX1K9hLKCGb1KzdMVdhx+QPLTZypUBmbCDktybizJ:f39nzgsFIK9hZGbeMVlj4UBmbCAtgil

Score

10^/10

njrat hacked trojan

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

HacKed

C2

rivax01.no-ip.biz:1177

Mutex

5cd8f17f4086744065eb0992a09e05a2

Attributes

reg_key
5cd8f17f4086744065eb0992a09e05a2
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 2 IoCs

Processes:

LocalZDmQSCOCZ_.exeTrojan.exe

pid process

1312 LocalZDmQSCOCZ_.exe
1924 Trojan.exe
Loads dropped DLL 1 IoCs

Processes:

LocalZDmQSCOCZ_.exe

pid process

1312 LocalZDmQSCOCZ_.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1312	LocalZDmQSCOCZ_.exe
1924	Trojan.exe

pid	process
1312	LocalZDmQSCOCZ_.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

6aa69657b903959b5abdc42744653513d6152dd0164e31b8c4aaa2136ced5b5f.exeLocalZDmQSCOCZ_.exe

description	pid	process	target process
PID 1484 wrote to memory of 1312	1484	6aa69657b903959b5abdc42744653513d6152dd0164e31b8c4aaa2136ced5b5f.exe	LocalZDmQSCOCZ_.exe
PID 1484 wrote to memory of 1312	1484	6aa69657b903959b5abdc42744653513d6152dd0164e31b8c4aaa2136ced5b5f.exe	LocalZDmQSCOCZ_.exe
PID 1484 wrote to memory of 1312	1484	6aa69657b903959b5abdc42744653513d6152dd0164e31b8c4aaa2136ced5b5f.exe	LocalZDmQSCOCZ_.exe
PID 1484 wrote to memory of 1312	1484	6aa69657b903959b5abdc42744653513d6152dd0164e31b8c4aaa2136ced5b5f.exe	LocalZDmQSCOCZ_.exe
PID 1312 wrote to memory of 1924	1312	LocalZDmQSCOCZ_.exe	Trojan.exe
PID 1312 wrote to memory of 1924	1312	LocalZDmQSCOCZ_.exe	Trojan.exe
PID 1312 wrote to memory of 1924	1312	LocalZDmQSCOCZ_.exe	Trojan.exe
PID 1312 wrote to memory of 1924	1312	LocalZDmQSCOCZ_.exe	Trojan.exe

C:\Users\Admin\AppData\Local\Temp\6aa69657b903959b5abdc42744653513d6152dd0164e31b8c4aaa2136ced5b5f.exe
"C:\Users\Admin\AppData\Local\Temp\6aa69657b903959b5abdc42744653513d6152dd0164e31b8c4aaa2136ced5b5f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1484

C:\Users\Admin\AppData\LocalZDmQSCOCZ_.exe
"C:\Users\Admin\AppData\LocalZDmQSCOCZ_.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1312

C:\Users\Admin\AppData\Local\Temp\Trojan.exe
"C:\Users\Admin\AppData\Local\Temp\Trojan.exe"
3⤵
- Executes dropped EXE
PID:1924

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalZDmQSCOCZ_.exe
Filesize
29KB

MD5
da76e9feb76ae6647b9715195830c6e6

SHA1
895d1ea81ec7b0cb3faf9d9f51fa838261bcff13

SHA256
3a184fe74f729b31740fe5cc67bb8f9338b205430c1f77b521b35d4d61f9b127

SHA512
a54b22f8c44254e1ce9d53ddf4cae41d3162c92974702fca250c6faa8d351e3dccd2e4a7ef034e964bbad9ecdd489100a6bf8b1d060cb2994aad21425000f97b

Download Submit
C:\Users\Admin\AppData\LocalZDmQSCOCZ_.exe
Filesize
29KB

MD5
da76e9feb76ae6647b9715195830c6e6

SHA1
895d1ea81ec7b0cb3faf9d9f51fa838261bcff13

SHA256
3a184fe74f729b31740fe5cc67bb8f9338b205430c1f77b521b35d4d61f9b127

SHA512
a54b22f8c44254e1ce9d53ddf4cae41d3162c92974702fca250c6faa8d351e3dccd2e4a7ef034e964bbad9ecdd489100a6bf8b1d060cb2994aad21425000f97b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Trojan.exe
Filesize
29KB

MD5
da76e9feb76ae6647b9715195830c6e6

SHA1
895d1ea81ec7b0cb3faf9d9f51fa838261bcff13

SHA256
3a184fe74f729b31740fe5cc67bb8f9338b205430c1f77b521b35d4d61f9b127

SHA512
a54b22f8c44254e1ce9d53ddf4cae41d3162c92974702fca250c6faa8d351e3dccd2e4a7ef034e964bbad9ecdd489100a6bf8b1d060cb2994aad21425000f97b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Trojan.exe
Filesize
29KB

MD5
da76e9feb76ae6647b9715195830c6e6

SHA1
895d1ea81ec7b0cb3faf9d9f51fa838261bcff13

SHA256
3a184fe74f729b31740fe5cc67bb8f9338b205430c1f77b521b35d4d61f9b127

SHA512
a54b22f8c44254e1ce9d53ddf4cae41d3162c92974702fca250c6faa8d351e3dccd2e4a7ef034e964bbad9ecdd489100a6bf8b1d060cb2994aad21425000f97b

Download Submit
\Users\Admin\AppData\Local\Temp\Trojan.exe
Filesize
29KB

MD5
da76e9feb76ae6647b9715195830c6e6

SHA1
895d1ea81ec7b0cb3faf9d9f51fa838261bcff13

SHA256
3a184fe74f729b31740fe5cc67bb8f9338b205430c1f77b521b35d4d61f9b127

SHA512
a54b22f8c44254e1ce9d53ddf4cae41d3162c92974702fca250c6faa8d351e3dccd2e4a7ef034e964bbad9ecdd489100a6bf8b1d060cb2994aad21425000f97b

Download Submit
memory/1312-60-0x0000000076BA1000-0x0000000076BA3000-memory.dmp

Filesize
8KB

Download
memory/1312-61-0x0000000074E60000-0x000000007540B000-memory.dmp

Filesize
5.7MB

Download
memory/1312-56-0x0000000000000000-mapping.dmp

Download
memory/1312-69-0x0000000074E60000-0x000000007540B000-memory.dmp

Filesize
5.7MB

Download
memory/1484-54-0x000007FEF49D0000-0x000007FEF53F3000-memory.dmp

Filesize
10.1MB

Download
memory/1484-59-0x000000001AD10000-0x000000001AD20000-memory.dmp

Filesize
64KB

Download
memory/1484-55-0x000007FEFC5A1000-0x000007FEFC5A3000-memory.dmp

Filesize
8KB

Download
memory/1924-63-0x0000000000000000-mapping.dmp

Download
memory/1924-67-0x0000000074E60000-0x000000007540B000-memory.dmp

Filesize
5.7MB

Download
memory/1924-68-0x0000000074E60000-0x000000007540B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing