njrat | 65d846eb83a58df36caae2ee98fdadcc6963736dbad3be9d4fa55cf3b362b3c5

Analysis

max time kernel
10s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 17:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

65d846eb83a58df36caae2ee98fdadcc6963736dbad3be9d4fa55cf3b362b3c5.exe
Size

29KB
MD5

0a704142b5eefeb3f5880bdce31a5668
SHA1

6890b1d90b26b3a32c1f5cf93bd91d916aa40db4
SHA256

65d846eb83a58df36caae2ee98fdadcc6963736dbad3be9d4fa55cf3b362b3c5
SHA512

e4b8f7bf4a311c5a3f025249c346cc0890d74d60d3765d71546cef4a490380de72e7ddca714b0cc4304ad91e621fc7ef0f8cb0b31bf6b967586e1769f573335d
SSDEEP

384:taFCtl7Dh+oqIqEXV5HEQTGumqDgN3eH6GBsbh0w4wlAokw9OhgOL1vYRGOZzSZG:j74oqIjlLTAqM3eFBKh0p29SgRkG

Score

10^/10

njrat hacked trojan

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

HacKed

www-avira1.sytes.net:1993

Mutex

93f19dda2412c86ad7520ba4198f39a0

Attributes

reg_key
93f19dda2412c86ad7520ba4198f39a0
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 1 IoCs

Processes:

explorer.exe

pid process

1784 explorer.exe
Loads dropped DLL 1 IoCs

Processes:

65d846eb83a58df36caae2ee98fdadcc6963736dbad3be9d4fa55cf3b362b3c5.exe

pid process

960 65d846eb83a58df36caae2ee98fdadcc6963736dbad3be9d4fa55cf3b362b3c5.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1784	explorer.exe

pid	process
960	65d846eb83a58df36caae2ee98fdadcc6963736dbad3be9d4fa55cf3b362b3c5.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

65d846eb83a58df36caae2ee98fdadcc6963736dbad3be9d4fa55cf3b362b3c5.exe

description	pid	process	target process
PID 960 wrote to memory of 1784	960	65d846eb83a58df36caae2ee98fdadcc6963736dbad3be9d4fa55cf3b362b3c5.exe	explorer.exe
PID 960 wrote to memory of 1784	960	65d846eb83a58df36caae2ee98fdadcc6963736dbad3be9d4fa55cf3b362b3c5.exe	explorer.exe
PID 960 wrote to memory of 1784	960	65d846eb83a58df36caae2ee98fdadcc6963736dbad3be9d4fa55cf3b362b3c5.exe	explorer.exe
PID 960 wrote to memory of 1784	960	65d846eb83a58df36caae2ee98fdadcc6963736dbad3be9d4fa55cf3b362b3c5.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\65d846eb83a58df36caae2ee98fdadcc6963736dbad3be9d4fa55cf3b362b3c5.exe
"C:\Users\Admin\AppData\Local\Temp\65d846eb83a58df36caae2ee98fdadcc6963736dbad3be9d4fa55cf3b362b3c5.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:960

C:\Users\Admin\AppData\Roaming\explorer.exe
"C:\Users\Admin\AppData\Roaming\explorer.exe"
2⤵
- Executes dropped EXE
PID:1784

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\explorer.exe

Filesize
29KB

MD5
0a704142b5eefeb3f5880bdce31a5668

SHA1
6890b1d90b26b3a32c1f5cf93bd91d916aa40db4

SHA256
65d846eb83a58df36caae2ee98fdadcc6963736dbad3be9d4fa55cf3b362b3c5

SHA512
e4b8f7bf4a311c5a3f025249c346cc0890d74d60d3765d71546cef4a490380de72e7ddca714b0cc4304ad91e621fc7ef0f8cb0b31bf6b967586e1769f573335d

Download Submit
C:\Users\Admin\AppData\Roaming\explorer.exe

Filesize
29KB

MD5
0a704142b5eefeb3f5880bdce31a5668

SHA1
6890b1d90b26b3a32c1f5cf93bd91d916aa40db4

SHA256
65d846eb83a58df36caae2ee98fdadcc6963736dbad3be9d4fa55cf3b362b3c5

SHA512
e4b8f7bf4a311c5a3f025249c346cc0890d74d60d3765d71546cef4a490380de72e7ddca714b0cc4304ad91e621fc7ef0f8cb0b31bf6b967586e1769f573335d

Download Submit
\Users\Admin\AppData\Roaming\explorer.exe

Filesize
29KB

MD5
0a704142b5eefeb3f5880bdce31a5668

SHA1
6890b1d90b26b3a32c1f5cf93bd91d916aa40db4

SHA256
65d846eb83a58df36caae2ee98fdadcc6963736dbad3be9d4fa55cf3b362b3c5

SHA512
e4b8f7bf4a311c5a3f025249c346cc0890d74d60d3765d71546cef4a490380de72e7ddca714b0cc4304ad91e621fc7ef0f8cb0b31bf6b967586e1769f573335d

Download Submit
memory/960-54-0x0000000075141000-0x0000000075143000-memory.dmp

Filesize
8KB

Download
memory/960-55-0x00000000742C0000-0x000000007486B000-memory.dmp

Filesize
5.7MB

Download
memory/960-61-0x00000000742C0000-0x000000007486B000-memory.dmp

Filesize
5.7MB

Download
memory/1784-57-0x0000000000000000-mapping.dmp

Download
memory/1784-62-0x00000000742C0000-0x000000007486B000-memory.dmp

Filesize
5.7MB

Download