njrat | 7b3a9805d9948328077b9b66734dfac230e631a969f9f0df9a91d6568c094004

General

Target

7b3a9805d9948328077b9b66734dfac230e631a969f9f0df9a91d6568c094004.exe
Size

1.2MB
MD5

2aa9a6fedcd536a0863a2040772cf11d
SHA1

2b8e4757d46aa38e5cbafe0cd64cbb4409f09507
SHA256

7b3a9805d9948328077b9b66734dfac230e631a969f9f0df9a91d6568c094004
SHA512

3fef57b72dfeafba37a1ab78aad232315fca4f078fdd3ef2f84e20f9e9cb99e84ac522a47704ba041f6fcc1d06bd96f41f2c19c61c6fe9b15de6a173a5dfbbd9
SSDEEP

12288:MgadJfTztJr15d2swcOekReZWml4R8cov2tSUJnS9Yss40HQ3TBqqvrLrZTP57l:Yd98+0vAUJnAjBHvr/ZTP57

Score

10^/10

njrat hacked evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

HacKed

C2

joker1787.no-ip.biz:1984

Mutex

5cd8f17f4086744065eb0992a09e05a2

Attributes

reg_key
5cd8f17f4086744065eb0992a09e05a2
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 2 IoCs

Processes:

Trojan.exeTrojan.exe

pid process

4124 Trojan.exe
220 Trojan.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

2224 netsh.exe

pid	process
4124	Trojan.exe
220	Trojan.exe

pid	process
2224	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

7b3a9805d9948328077b9b66734dfac230e631a969f9f0df9a91d6568c094004.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	7b3a9805d9948328077b9b66734dfac230e631a969f9f0df9a91d6568c094004.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Trojan.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe\" .."	Trojan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe\" .."	Trojan.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

7b3a9805d9948328077b9b66734dfac230e631a969f9f0df9a91d6568c094004.exeTrojan.exe

description	pid	process	target process
PID 2620 set thread context of 660	2620	7b3a9805d9948328077b9b66734dfac230e631a969f9f0df9a91d6568c094004.exe	7b3a9805d9948328077b9b66734dfac230e631a969f9f0df9a91d6568c094004.exe
PID 4124 set thread context of 220	4124	Trojan.exe	Trojan.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 34 IoCs

Processes:

7b3a9805d9948328077b9b66734dfac230e631a969f9f0df9a91d6568c094004.exeTrojan.exeTrojan.exe

pid	process
2620	7b3a9805d9948328077b9b66734dfac230e631a969f9f0df9a91d6568c094004.exe
2620	7b3a9805d9948328077b9b66734dfac230e631a969f9f0df9a91d6568c094004.exe
2620	7b3a9805d9948328077b9b66734dfac230e631a969f9f0df9a91d6568c094004.exe
4124	Trojan.exe
4124	Trojan.exe
4124	Trojan.exe
220	Trojan.exe
220	Trojan.exe
220	Trojan.exe
220	Trojan.exe
220	Trojan.exe
220	Trojan.exe
220	Trojan.exe
220	Trojan.exe
220	Trojan.exe
220	Trojan.exe
220	Trojan.exe
220	Trojan.exe
220	Trojan.exe
220	Trojan.exe
220	Trojan.exe
220	Trojan.exe
220	Trojan.exe
220	Trojan.exe
220	Trojan.exe
220	Trojan.exe
220	Trojan.exe
220	Trojan.exe
220	Trojan.exe
220	Trojan.exe
220	Trojan.exe
220	Trojan.exe
220	Trojan.exe
220	Trojan.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

7b3a9805d9948328077b9b66734dfac230e631a969f9f0df9a91d6568c094004.exeTrojan.exeTrojan.exe

description	pid	process
Token: SeDebugPrivilege	2620	7b3a9805d9948328077b9b66734dfac230e631a969f9f0df9a91d6568c094004.exe
Token: SeDebugPrivilege	4124	Trojan.exe
Token: SeDebugPrivilege	220	Trojan.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

7b3a9805d9948328077b9b66734dfac230e631a969f9f0df9a91d6568c094004.exe7b3a9805d9948328077b9b66734dfac230e631a969f9f0df9a91d6568c094004.exeTrojan.exeTrojan.exe

description	pid	process	target process
PID 2620 wrote to memory of 660	2620	7b3a9805d9948328077b9b66734dfac230e631a969f9f0df9a91d6568c094004.exe	7b3a9805d9948328077b9b66734dfac230e631a969f9f0df9a91d6568c094004.exe
PID 2620 wrote to memory of 660	2620	7b3a9805d9948328077b9b66734dfac230e631a969f9f0df9a91d6568c094004.exe	7b3a9805d9948328077b9b66734dfac230e631a969f9f0df9a91d6568c094004.exe
PID 2620 wrote to memory of 660	2620	7b3a9805d9948328077b9b66734dfac230e631a969f9f0df9a91d6568c094004.exe	7b3a9805d9948328077b9b66734dfac230e631a969f9f0df9a91d6568c094004.exe
PID 2620 wrote to memory of 660	2620	7b3a9805d9948328077b9b66734dfac230e631a969f9f0df9a91d6568c094004.exe	7b3a9805d9948328077b9b66734dfac230e631a969f9f0df9a91d6568c094004.exe
PID 2620 wrote to memory of 660	2620	7b3a9805d9948328077b9b66734dfac230e631a969f9f0df9a91d6568c094004.exe	7b3a9805d9948328077b9b66734dfac230e631a969f9f0df9a91d6568c094004.exe
PID 660 wrote to memory of 4124	660	7b3a9805d9948328077b9b66734dfac230e631a969f9f0df9a91d6568c094004.exe	Trojan.exe
PID 660 wrote to memory of 4124	660	7b3a9805d9948328077b9b66734dfac230e631a969f9f0df9a91d6568c094004.exe	Trojan.exe
PID 660 wrote to memory of 4124	660	7b3a9805d9948328077b9b66734dfac230e631a969f9f0df9a91d6568c094004.exe	Trojan.exe
PID 4124 wrote to memory of 220	4124	Trojan.exe	Trojan.exe
PID 4124 wrote to memory of 220	4124	Trojan.exe	Trojan.exe
PID 4124 wrote to memory of 220	4124	Trojan.exe	Trojan.exe
PID 4124 wrote to memory of 220	4124	Trojan.exe	Trojan.exe
PID 4124 wrote to memory of 220	4124	Trojan.exe	Trojan.exe
PID 220 wrote to memory of 2224	220	Trojan.exe	netsh.exe
PID 220 wrote to memory of 2224	220	Trojan.exe	netsh.exe
PID 220 wrote to memory of 2224	220	Trojan.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\7b3a9805d9948328077b9b66734dfac230e631a969f9f0df9a91d6568c094004.exe
"C:\Users\Admin\AppData\Local\Temp\7b3a9805d9948328077b9b66734dfac230e631a969f9f0df9a91d6568c094004.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2620

C:\Users\Admin\AppData\Local\Temp\7b3a9805d9948328077b9b66734dfac230e631a969f9f0df9a91d6568c094004.exe
C:\Users\Admin\AppData\Local\Temp\7b3a9805d9948328077b9b66734dfac230e631a969f9f0df9a91d6568c094004.exe
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:660

C:\Users\Admin\AppData\Local\Temp\Trojan.exe
"C:\Users\Admin\AppData\Local\Temp\Trojan.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4124

C:\Users\Admin\AppData\Local\Temp\Trojan.exe
C:\Users\Admin\AppData\Local\Temp\Trojan.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:220

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Trojan.exe" "Trojan.exe" ENABLE
5⤵
- Modifies Windows Firewall
PID:2224

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\7b3a9805d9948328077b9b66734dfac230e631a969f9f0df9a91d6568c094004.exe.log

Filesize
418B

MD5
89c8a5340eb284f551067d44e27ae8dd

SHA1
d2431ae25a1ab67762a5125574f046f4c951d297

SHA256
73ca1f27b1c153e3405856ebe8b3c6cdd23424d2ab09c0fe1eb0e2075513057b

SHA512
b101ac2e008bd3cc6f97fedb97b8253fb07fed1c334629ecbebe0f4942ccc1070491cddc4daea521164543b6f97ba9b99d2be1c50cc5a013f04e697fea9dbdac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Trojan.exe

Filesize
1.2MB

MD5
2aa9a6fedcd536a0863a2040772cf11d

SHA1
2b8e4757d46aa38e5cbafe0cd64cbb4409f09507

SHA256
7b3a9805d9948328077b9b66734dfac230e631a969f9f0df9a91d6568c094004

SHA512
3fef57b72dfeafba37a1ab78aad232315fca4f078fdd3ef2f84e20f9e9cb99e84ac522a47704ba041f6fcc1d06bd96f41f2c19c61c6fe9b15de6a173a5dfbbd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Trojan.exe

Filesize
1.2MB

MD5
2aa9a6fedcd536a0863a2040772cf11d

SHA1
2b8e4757d46aa38e5cbafe0cd64cbb4409f09507

SHA256
7b3a9805d9948328077b9b66734dfac230e631a969f9f0df9a91d6568c094004

SHA512
3fef57b72dfeafba37a1ab78aad232315fca4f078fdd3ef2f84e20f9e9cb99e84ac522a47704ba041f6fcc1d06bd96f41f2c19c61c6fe9b15de6a173a5dfbbd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Trojan.exe

Filesize
1.2MB

MD5
2aa9a6fedcd536a0863a2040772cf11d

SHA1
2b8e4757d46aa38e5cbafe0cd64cbb4409f09507

SHA256
7b3a9805d9948328077b9b66734dfac230e631a969f9f0df9a91d6568c094004

SHA512
3fef57b72dfeafba37a1ab78aad232315fca4f078fdd3ef2f84e20f9e9cb99e84ac522a47704ba041f6fcc1d06bd96f41f2c19c61c6fe9b15de6a173a5dfbbd9

Download Submit
memory/220-143-0x0000000000000000-mapping.dmp

Download
memory/660-138-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/660-137-0x0000000000000000-mapping.dmp

Download
memory/2224-146-0x0000000000000000-mapping.dmp

Download
memory/2620-132-0x0000000000930000-0x0000000000A3E000-memory.dmp

Filesize
1.1MB

Download
memory/2620-136-0x0000000005400000-0x000000000540A000-memory.dmp

Filesize
40KB

Download
memory/2620-135-0x00000000054E0000-0x000000000557C000-memory.dmp

Filesize
624KB

Download
memory/2620-134-0x0000000005440000-0x00000000054D2000-memory.dmp

Filesize
584KB

Download
memory/2620-133-0x00000000059F0000-0x0000000005F94000-memory.dmp

Filesize
5.6MB

Download
memory/4124-139-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads