njrat | 2b2d14a5b497f65d1735160bdf5b67a74dfdd2ed6f46ba2fe7e30cadf8598ecc

General

Target

2b2d14a5b497f65d1735160bdf5b67a74dfdd2ed6f46ba2fe7e30cadf8598ecc.exe
Size

360KB
MD5

759e169a84546b211620d22ddb801874
SHA1

e9a651979706d5270ecec31ab43fe9d687c4868c
SHA256

2b2d14a5b497f65d1735160bdf5b67a74dfdd2ed6f46ba2fe7e30cadf8598ecc
SHA512

5f01f33d3c935c533b971d1dc6cb5b7eae8be6a2a7be2b6699f3f8f6e45dc5765ae7665f00e2c10768a7baba7ceac45b5580a4fb407c5262493b30032904cc4e
SSDEEP

6144:Oe20iBi8M0yAmr6DGQedTSkeaHSUh7iONZ2x/EenVHPaLLJmh9fxqnZepp9CJ:8xihLr6DJ2L1ph7MFCLLJIqmp9

Score

10^/10

njrat hacked evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

HacKed

C2

yazidhack123.no-ip.biz:1177

Mutex

ed6e2bf930f6d35b3ac57c049d10ac2c

Attributes

reg_key
ed6e2bf930f6d35b3ac57c049d10ac2c
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 2 IoCs

pid	Process
1000	LocalTyAwpoxvAB.exe
568	Explorer.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
1472	netsh.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ed6e2bf930f6d35b3ac57c049d10ac2c.exe	Explorer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ed6e2bf930f6d35b3ac57c049d10ac2c.exe	Explorer.exe

Loads dropped DLL 1 IoCs

pid	Process
1000	LocalTyAwpoxvAB.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ed6e2bf930f6d35b3ac57c049d10ac2c = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Explorer.exe\" .."	Explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ed6e2bf930f6d35b3ac57c049d10ac2c = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Explorer.exe\" .."	Explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
568	Explorer.exe
568	Explorer.exe
568	Explorer.exe
568	Explorer.exe
568	Explorer.exe
568	Explorer.exe
568	Explorer.exe
568	Explorer.exe
568	Explorer.exe
568	Explorer.exe
568	Explorer.exe
568	Explorer.exe
568	Explorer.exe
568	Explorer.exe
568	Explorer.exe
568	Explorer.exe
568	Explorer.exe
568	Explorer.exe
568	Explorer.exe
568	Explorer.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	568	Explorer.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1756 wrote to memory of 1000	1756	2b2d14a5b497f65d1735160bdf5b67a74dfdd2ed6f46ba2fe7e30cadf8598ecc.exe	27
PID 1756 wrote to memory of 1000	1756	2b2d14a5b497f65d1735160bdf5b67a74dfdd2ed6f46ba2fe7e30cadf8598ecc.exe	27
PID 1756 wrote to memory of 1000	1756	2b2d14a5b497f65d1735160bdf5b67a74dfdd2ed6f46ba2fe7e30cadf8598ecc.exe	27
PID 1756 wrote to memory of 1000	1756	2b2d14a5b497f65d1735160bdf5b67a74dfdd2ed6f46ba2fe7e30cadf8598ecc.exe	27
PID 1000 wrote to memory of 568	1000	LocalTyAwpoxvAB.exe	29
PID 1000 wrote to memory of 568	1000	LocalTyAwpoxvAB.exe	29
PID 1000 wrote to memory of 568	1000	LocalTyAwpoxvAB.exe	29
PID 1000 wrote to memory of 568	1000	LocalTyAwpoxvAB.exe	29
PID 568 wrote to memory of 1472	568	Explorer.exe	30
PID 568 wrote to memory of 1472	568	Explorer.exe	30
PID 568 wrote to memory of 1472	568	Explorer.exe	30
PID 568 wrote to memory of 1472	568	Explorer.exe	30

C:\Users\Admin\AppData\Local\Temp\2b2d14a5b497f65d1735160bdf5b67a74dfdd2ed6f46ba2fe7e30cadf8598ecc.exe
"C:\Users\Admin\AppData\Local\Temp\2b2d14a5b497f65d1735160bdf5b67a74dfdd2ed6f46ba2fe7e30cadf8598ecc.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1756
- C:\Users\Admin\AppData\LocalTyAwpoxvAB.exe
  "C:\Users\Admin\AppData\LocalTyAwpoxvAB.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1000
- - C:\Users\Admin\AppData\Local\Temp\Explorer.exe
    "C:\Users\Admin\AppData\Local\Temp\Explorer.exe"
    3⤵
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:568
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Explorer.exe" "Explorer.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      PID:1472

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalTyAwpoxvAB.exe

Filesize
29KB

MD5
c39bf6a08c68dd711bcc79eb769c0d90

SHA1
9085bd855aa7be72788d165af8deeb6639e67237

SHA256
0406bd39edbd37956ef1c716ed82f5205a0a1551b9e1a655e24d19c487352a2b

SHA512
6c065acadbff2a2438489e0cfabe85b59aa6195be1cd7c748c7e125f40f040ed80e18e0645fd177e6ea04df53524ab22b36127cd2bbf31fd51a85904a1732721

Download Submit
C:\Users\Admin\AppData\LocalTyAwpoxvAB.exe

Filesize
29KB

MD5
c39bf6a08c68dd711bcc79eb769c0d90

SHA1
9085bd855aa7be72788d165af8deeb6639e67237

SHA256
0406bd39edbd37956ef1c716ed82f5205a0a1551b9e1a655e24d19c487352a2b

SHA512
6c065acadbff2a2438489e0cfabe85b59aa6195be1cd7c748c7e125f40f040ed80e18e0645fd177e6ea04df53524ab22b36127cd2bbf31fd51a85904a1732721

Download Submit
C:\Users\Admin\AppData\Local\Temp\Explorer.exe

Filesize
29KB

MD5
c39bf6a08c68dd711bcc79eb769c0d90

SHA1
9085bd855aa7be72788d165af8deeb6639e67237

SHA256
0406bd39edbd37956ef1c716ed82f5205a0a1551b9e1a655e24d19c487352a2b

SHA512
6c065acadbff2a2438489e0cfabe85b59aa6195be1cd7c748c7e125f40f040ed80e18e0645fd177e6ea04df53524ab22b36127cd2bbf31fd51a85904a1732721

Download Submit
C:\Users\Admin\AppData\Local\Temp\Explorer.exe

Filesize
29KB

MD5
c39bf6a08c68dd711bcc79eb769c0d90

SHA1
9085bd855aa7be72788d165af8deeb6639e67237

SHA256
0406bd39edbd37956ef1c716ed82f5205a0a1551b9e1a655e24d19c487352a2b

SHA512
6c065acadbff2a2438489e0cfabe85b59aa6195be1cd7c748c7e125f40f040ed80e18e0645fd177e6ea04df53524ab22b36127cd2bbf31fd51a85904a1732721

Download Submit
\Users\Admin\AppData\Local\Temp\Explorer.exe

Filesize
29KB

MD5
c39bf6a08c68dd711bcc79eb769c0d90

SHA1
9085bd855aa7be72788d165af8deeb6639e67237

SHA256
0406bd39edbd37956ef1c716ed82f5205a0a1551b9e1a655e24d19c487352a2b

SHA512
6c065acadbff2a2438489e0cfabe85b59aa6195be1cd7c748c7e125f40f040ed80e18e0645fd177e6ea04df53524ab22b36127cd2bbf31fd51a85904a1732721

Download Submit
memory/568-63-0x0000000000000000-mapping.dmp

Download
memory/568-68-0x0000000074EE0000-0x000000007548B000-memory.dmp

Filesize
5.7MB

Download
memory/568-71-0x0000000074EE0000-0x000000007548B000-memory.dmp

Filesize
5.7MB

Download
memory/1000-60-0x0000000076871000-0x0000000076873000-memory.dmp

Filesize
8KB

Download
memory/1000-61-0x0000000074EE0000-0x000000007548B000-memory.dmp

Filesize
5.7MB

Download
memory/1000-56-0x0000000000000000-mapping.dmp

Download
memory/1000-67-0x0000000074EE0000-0x000000007548B000-memory.dmp

Filesize
5.7MB

Download
memory/1472-69-0x0000000000000000-mapping.dmp

Download
memory/1756-59-0x000000001AFA0000-0x000000001AFB0000-memory.dmp

Filesize
64KB

Download
memory/1756-54-0x000007FEF4A30000-0x000007FEF5453000-memory.dmp

Filesize
10.1MB

Download
memory/1756-55-0x000007FEFC521000-0x000007FEFC523000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing