njrat | 9f607ac52b81600c5a3beba12a66e195002828cb39399686a55b18d9b73881fe

General

Target

9f607ac52b81600c5a3beba12a66e195002828cb39399686a55b18d9b73881fe.exe
Size

1.9MB
MD5

456952d17c871d449afafcce12d7baa1
SHA1

0518c5d91c0a8873d5dd81f9d2866168eef07745
SHA256

9f607ac52b81600c5a3beba12a66e195002828cb39399686a55b18d9b73881fe
SHA512

d45bcc6b0c7dbcef7aa40d600006814fd964ef766a1cfd577f9c336f45cd60f4b102059dafecc74822258998f00fb7201cbb9a648027d01826ff154159af8d06
SSDEEP

49152:b1dlZoFnxOIjuDBhqcTVSSrelkkSeWavYzlM0Rdsh5XI:b1dl2FnxOIjuDBhqcxPeTSe7n0RuPI

Score

10^/10

njrat trojan

Malware Config

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 4 IoCs

Processes:

Server.exeTrojan.exeprocesshacker-2.33-setup.exeprocesshacker-2.33-setup.tmp

pid process

4052 Server.exe
3496 Trojan.exe
3636 processhacker-2.33-setup.exe
2776 processhacker-2.33-setup.tmp

pid	process
4052	Server.exe
3496	Trojan.exe
3636	processhacker-2.33-setup.exe
2776	processhacker-2.33-setup.tmp

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

9f607ac52b81600c5a3beba12a66e195002828cb39399686a55b18d9b73881fe.exeServer.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	9f607ac52b81600c5a3beba12a66e195002828cb39399686a55b18d9b73881fe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	Server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

9f607ac52b81600c5a3beba12a66e195002828cb39399686a55b18d9b73881fe.exeServer.exeprocesshacker-2.33-setup.exe

description	pid	process	target process
PID 4284 wrote to memory of 4052	4284	9f607ac52b81600c5a3beba12a66e195002828cb39399686a55b18d9b73881fe.exe	Server.exe
PID 4284 wrote to memory of 4052	4284	9f607ac52b81600c5a3beba12a66e195002828cb39399686a55b18d9b73881fe.exe	Server.exe
PID 4284 wrote to memory of 4052	4284	9f607ac52b81600c5a3beba12a66e195002828cb39399686a55b18d9b73881fe.exe	Server.exe
PID 4052 wrote to memory of 3496	4052	Server.exe	Trojan.exe
PID 4052 wrote to memory of 3496	4052	Server.exe	Trojan.exe
PID 4052 wrote to memory of 3496	4052	Server.exe	Trojan.exe
PID 4284 wrote to memory of 3636	4284	9f607ac52b81600c5a3beba12a66e195002828cb39399686a55b18d9b73881fe.exe	processhacker-2.33-setup.exe
PID 4284 wrote to memory of 3636	4284	9f607ac52b81600c5a3beba12a66e195002828cb39399686a55b18d9b73881fe.exe	processhacker-2.33-setup.exe
PID 4284 wrote to memory of 3636	4284	9f607ac52b81600c5a3beba12a66e195002828cb39399686a55b18d9b73881fe.exe	processhacker-2.33-setup.exe
PID 3636 wrote to memory of 2776	3636	processhacker-2.33-setup.exe	processhacker-2.33-setup.tmp
PID 3636 wrote to memory of 2776	3636	processhacker-2.33-setup.exe	processhacker-2.33-setup.tmp
PID 3636 wrote to memory of 2776	3636	processhacker-2.33-setup.exe	processhacker-2.33-setup.tmp

C:\Users\Admin\AppData\Local\Temp\9f607ac52b81600c5a3beba12a66e195002828cb39399686a55b18d9b73881fe.exe
"C:\Users\Admin\AppData\Local\Temp\9f607ac52b81600c5a3beba12a66e195002828cb39399686a55b18d9b73881fe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4284

C:\Extracted\Server.exe
"C:\Extracted\Server.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4052

C:\Users\Admin\AppData\Roaming\Trojan.exe
"C:\Users\Admin\AppData\Roaming\Trojan.exe"
3⤵
- Executes dropped EXE
PID:3496

C:\Extracted\processhacker-2.33-setup.exe
"C:\Extracted\processhacker-2.33-setup.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3636

C:\Users\Admin\AppData\Local\Temp\is-IS0BP.tmp\processhacker-2.33-setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-IS0BP.tmp\processhacker-2.33-setup.tmp" /SL5="$320044,1547810,150016,C:\Extracted\processhacker-2.33-setup.exe"
3⤵
- Executes dropped EXE
PID:2776

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Extracted\Server.exe
Filesize
28KB

MD5
6583b4229e56bc11b5dc9e9b37d0b941

SHA1
32c38225f22053381da5994cea08bd3b7c74d942

SHA256
a3c4d25fd2eb1982bd15322445f5e1af181f63be796f63677b59d7665a2dd3dc

SHA512
55c3f75aa657370664efe237a33707c548811e4550689a722bcbdc30e153235c9523f5e4dafcfee6a1ac6c059c1818ccfd0c27d791bb7cb15e370482b9f77669

Download Submit
C:\Extracted\Server.exe
Filesize
28KB

MD5
6583b4229e56bc11b5dc9e9b37d0b941

SHA1
32c38225f22053381da5994cea08bd3b7c74d942

SHA256
a3c4d25fd2eb1982bd15322445f5e1af181f63be796f63677b59d7665a2dd3dc

SHA512
55c3f75aa657370664efe237a33707c548811e4550689a722bcbdc30e153235c9523f5e4dafcfee6a1ac6c059c1818ccfd0c27d791bb7cb15e370482b9f77669

Download Submit
C:\Extracted\processhacker-2.33-setup.exe
Filesize
1.8MB

MD5
f7c77350aef13278213e70b5fd6fb017

SHA1
f328286bdf529e3905e8098b8d7558f974d9293c

SHA256
cc6e55bb0db1f065bbf30c87a6dce319f92d1eff00c074c68570571a3acd1ce4

SHA512
444e6e618e3d557ad674770491b2b704a0f96435d7a87a2ab9f9f9457e1ee84b24ae676741bb684c04d8d326cf75909f9dfc47af39675fdbc8425026a7a04e9d

Download Submit
C:\Extracted\processhacker-2.33-setup.exe
Filesize
1.8MB

MD5
f7c77350aef13278213e70b5fd6fb017

SHA1
f328286bdf529e3905e8098b8d7558f974d9293c

SHA256
cc6e55bb0db1f065bbf30c87a6dce319f92d1eff00c074c68570571a3acd1ce4

SHA512
444e6e618e3d557ad674770491b2b704a0f96435d7a87a2ab9f9f9457e1ee84b24ae676741bb684c04d8d326cf75909f9dfc47af39675fdbc8425026a7a04e9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-IS0BP.tmp\processhacker-2.33-setup.tmp
Filesize
781KB

MD5
e1d5cd3916914641ec3a04e85dfaa1f7

SHA1
5e3298ce1c2ce613fe51b502d997962033d96751

SHA256
799db3e8e21ed51c137bef6eb0c0dee9838aac6d35bb32cc2056901f5dd38f73

SHA512
15feadf3eedb1175b707e7c4129c503e020e33d369fb8e642d91fae3bdcb08400444660ed420f06bad12e8d9484d9edd05138f8b3b7d1166a0cb3da56a576894

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-IS0BP.tmp\processhacker-2.33-setup.tmp
Filesize
781KB

MD5
e1d5cd3916914641ec3a04e85dfaa1f7

SHA1
5e3298ce1c2ce613fe51b502d997962033d96751

SHA256
799db3e8e21ed51c137bef6eb0c0dee9838aac6d35bb32cc2056901f5dd38f73

SHA512
15feadf3eedb1175b707e7c4129c503e020e33d369fb8e642d91fae3bdcb08400444660ed420f06bad12e8d9484d9edd05138f8b3b7d1166a0cb3da56a576894

Download Submit
C:\Users\Admin\AppData\Roaming\Trojan.exe
Filesize
28KB

MD5
6583b4229e56bc11b5dc9e9b37d0b941

SHA1
32c38225f22053381da5994cea08bd3b7c74d942

SHA256
a3c4d25fd2eb1982bd15322445f5e1af181f63be796f63677b59d7665a2dd3dc

SHA512
55c3f75aa657370664efe237a33707c548811e4550689a722bcbdc30e153235c9523f5e4dafcfee6a1ac6c059c1818ccfd0c27d791bb7cb15e370482b9f77669

Download Submit
C:\Users\Admin\AppData\Roaming\Trojan.exe
Filesize
28KB

MD5
6583b4229e56bc11b5dc9e9b37d0b941

SHA1
32c38225f22053381da5994cea08bd3b7c74d942

SHA256
a3c4d25fd2eb1982bd15322445f5e1af181f63be796f63677b59d7665a2dd3dc

SHA512
55c3f75aa657370664efe237a33707c548811e4550689a722bcbdc30e153235c9523f5e4dafcfee6a1ac6c059c1818ccfd0c27d791bb7cb15e370482b9f77669

Download Submit
memory/2776-149-0x0000000000000000-mapping.dmp

Download
memory/3496-142-0x0000000073430000-0x00000000739E1000-memory.dmp

Filesize
5.7MB

Download
memory/3496-140-0x0000000073430000-0x00000000739E1000-memory.dmp

Filesize
5.7MB

Download
memory/3496-137-0x0000000000000000-mapping.dmp

Download
memory/3636-143-0x0000000000000000-mapping.dmp

Download
memory/3636-146-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3636-148-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3636-152-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4052-132-0x0000000000000000-mapping.dmp

Download
memory/4052-141-0x0000000073430000-0x00000000739E1000-memory.dmp

Filesize
5.7MB

Download
memory/4052-136-0x0000000073430000-0x00000000739E1000-memory.dmp

Filesize
5.7MB

Download
memory/4052-135-0x0000000073430000-0x00000000739E1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing