njrat | f4903c07e2162785d1b9d79fe5acfe8919059e548461959fd5bbf3ff3f560add

General

Target

f4903c07e2162785d1b9d79fe5acfe8919059e548461959fd5bbf3ff3f560add.exe
Size

706KB
MD5

7d0221cfad4f0d35c17b7210b005b3ba
SHA1

6785c09aba569fa8c7faa6818d5243fe4e34cb2e
SHA256

f4903c07e2162785d1b9d79fe5acfe8919059e548461959fd5bbf3ff3f560add
SHA512

6b6943150f5580a45065c5ac2902bc41112331f6eca1e5ffbd5f448632375384e2cd0fcb6ce9fe042f1eddde1327e85d83965a170cd84a59bc12d9a6b4c50d9d
SSDEEP

12288:fD9/Y3algourr1tS2Q6bFi84Z5Tdr8Obg5:fh/Y3AgoGSx4yDt

Score

10^/10

njrat hacked trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

sidoa3.no-ip.biz:5552

Mutex

5f2a3c9be5e573301d717ef17ad0d997

Attributes

reg_key
5f2a3c9be5e573301d717ef17ad0d997
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 2 IoCs

Processes:

Tempserver.exeserver.exe

pid process

3696 Tempserver.exe
380 server.exe

pid	process
3696	Tempserver.exe
380	server.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f4903c07e2162785d1b9d79fe5acfe8919059e548461959fd5bbf3ff3f560add.exeTempserver.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	f4903c07e2162785d1b9d79fe5acfe8919059e548461959fd5bbf3ff3f560add.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	Tempserver.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

f4903c07e2162785d1b9d79fe5acfe8919059e548461959fd5bbf3ff3f560add.exe

description	pid	process	target process
PID 2000 set thread context of 3268	2000	f4903c07e2162785d1b9d79fe5acfe8919059e548461959fd5bbf3ff3f560add.exe	f4903c07e2162785d1b9d79fe5acfe8919059e548461959fd5bbf3ff3f560add.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

f4903c07e2162785d1b9d79fe5acfe8919059e548461959fd5bbf3ff3f560add.exe

pid	process
2000	f4903c07e2162785d1b9d79fe5acfe8919059e548461959fd5bbf3ff3f560add.exe
2000	f4903c07e2162785d1b9d79fe5acfe8919059e548461959fd5bbf3ff3f560add.exe
2000	f4903c07e2162785d1b9d79fe5acfe8919059e548461959fd5bbf3ff3f560add.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

f4903c07e2162785d1b9d79fe5acfe8919059e548461959fd5bbf3ff3f560add.exe

description pid process

Token: SeDebugPrivilege 2000 f4903c07e2162785d1b9d79fe5acfe8919059e548461959fd5bbf3ff3f560add.exe

description	pid	process
Token: SeDebugPrivilege	2000	f4903c07e2162785d1b9d79fe5acfe8919059e548461959fd5bbf3ff3f560add.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

f4903c07e2162785d1b9d79fe5acfe8919059e548461959fd5bbf3ff3f560add.exef4903c07e2162785d1b9d79fe5acfe8919059e548461959fd5bbf3ff3f560add.exeTempserver.exe

description	pid	process	target process
PID 2000 wrote to memory of 3268	2000	f4903c07e2162785d1b9d79fe5acfe8919059e548461959fd5bbf3ff3f560add.exe	f4903c07e2162785d1b9d79fe5acfe8919059e548461959fd5bbf3ff3f560add.exe
PID 2000 wrote to memory of 3268	2000	f4903c07e2162785d1b9d79fe5acfe8919059e548461959fd5bbf3ff3f560add.exe	f4903c07e2162785d1b9d79fe5acfe8919059e548461959fd5bbf3ff3f560add.exe
PID 2000 wrote to memory of 3268	2000	f4903c07e2162785d1b9d79fe5acfe8919059e548461959fd5bbf3ff3f560add.exe	f4903c07e2162785d1b9d79fe5acfe8919059e548461959fd5bbf3ff3f560add.exe
PID 2000 wrote to memory of 3268	2000	f4903c07e2162785d1b9d79fe5acfe8919059e548461959fd5bbf3ff3f560add.exe	f4903c07e2162785d1b9d79fe5acfe8919059e548461959fd5bbf3ff3f560add.exe
PID 2000 wrote to memory of 3268	2000	f4903c07e2162785d1b9d79fe5acfe8919059e548461959fd5bbf3ff3f560add.exe	f4903c07e2162785d1b9d79fe5acfe8919059e548461959fd5bbf3ff3f560add.exe
PID 3268 wrote to memory of 3696	3268	f4903c07e2162785d1b9d79fe5acfe8919059e548461959fd5bbf3ff3f560add.exe	Tempserver.exe
PID 3268 wrote to memory of 3696	3268	f4903c07e2162785d1b9d79fe5acfe8919059e548461959fd5bbf3ff3f560add.exe	Tempserver.exe
PID 3268 wrote to memory of 3696	3268	f4903c07e2162785d1b9d79fe5acfe8919059e548461959fd5bbf3ff3f560add.exe	Tempserver.exe
PID 3696 wrote to memory of 380	3696	Tempserver.exe	server.exe
PID 3696 wrote to memory of 380	3696	Tempserver.exe	server.exe
PID 3696 wrote to memory of 380	3696	Tempserver.exe	server.exe

C:\Users\Admin\AppData\Local\Temp\f4903c07e2162785d1b9d79fe5acfe8919059e548461959fd5bbf3ff3f560add.exe
"C:\Users\Admin\AppData\Local\Temp\f4903c07e2162785d1b9d79fe5acfe8919059e548461959fd5bbf3ff3f560add.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2000

C:\Users\Admin\AppData\Local\Temp\f4903c07e2162785d1b9d79fe5acfe8919059e548461959fd5bbf3ff3f560add.exe
C:\Users\Admin\AppData\Local\Temp\f4903c07e2162785d1b9d79fe5acfe8919059e548461959fd5bbf3ff3f560add.exe
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3268

C:\Users\Admin\AppData\Local\Tempserver.exe
"C:\Users\Admin\AppData\Local\Tempserver.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3696

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
4⤵
- Executes dropped EXE
PID:380

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
23KB

MD5
08c2455d2a70b0c5fcc1b512c8846fc4

SHA1
1c8e1cbc8c9d06bf69b485641a002f8da5067c5f

SHA256
f01f3f1e87cad8828460d83ddd74155ebbf67b1b78d7fb22c9355399f6ff0a11

SHA512
8ab2b0287886eec12523ec359ea263090693bc59d718a14e440f515643e6d90ea62c20e66a7e426bd9ddd8bcddef8dfcbc1754b7f472e33b405686e179ae8f71

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
23KB

MD5
08c2455d2a70b0c5fcc1b512c8846fc4

SHA1
1c8e1cbc8c9d06bf69b485641a002f8da5067c5f

SHA256
f01f3f1e87cad8828460d83ddd74155ebbf67b1b78d7fb22c9355399f6ff0a11

SHA512
8ab2b0287886eec12523ec359ea263090693bc59d718a14e440f515643e6d90ea62c20e66a7e426bd9ddd8bcddef8dfcbc1754b7f472e33b405686e179ae8f71

Download Submit
C:\Users\Admin\AppData\Local\Tempserver.exe

Filesize
23KB

MD5
08c2455d2a70b0c5fcc1b512c8846fc4

SHA1
1c8e1cbc8c9d06bf69b485641a002f8da5067c5f

SHA256
f01f3f1e87cad8828460d83ddd74155ebbf67b1b78d7fb22c9355399f6ff0a11

SHA512
8ab2b0287886eec12523ec359ea263090693bc59d718a14e440f515643e6d90ea62c20e66a7e426bd9ddd8bcddef8dfcbc1754b7f472e33b405686e179ae8f71

Download Submit
C:\Users\Admin\AppData\Local\Tempserver.exe

Filesize
23KB

MD5
08c2455d2a70b0c5fcc1b512c8846fc4

SHA1
1c8e1cbc8c9d06bf69b485641a002f8da5067c5f

SHA256
f01f3f1e87cad8828460d83ddd74155ebbf67b1b78d7fb22c9355399f6ff0a11

SHA512
8ab2b0287886eec12523ec359ea263090693bc59d718a14e440f515643e6d90ea62c20e66a7e426bd9ddd8bcddef8dfcbc1754b7f472e33b405686e179ae8f71

Download Submit
memory/380-148-0x000000006F860000-0x000000006FE11000-memory.dmp

Filesize
5.7MB

Download
memory/380-150-0x000000006F860000-0x000000006FE11000-memory.dmp

Filesize
5.7MB

Download
memory/380-149-0x000000006F860000-0x000000006FE11000-memory.dmp

Filesize
5.7MB

Download
memory/380-145-0x0000000000000000-mapping.dmp

Download
memory/2000-136-0x0000000007D10000-0x0000000007DAC000-memory.dmp

Filesize
624KB

Download
memory/2000-135-0x00000000059D0000-0x00000000059DA000-memory.dmp

Filesize
40KB

Download
memory/2000-132-0x0000000000890000-0x0000000000948000-memory.dmp

Filesize
736KB

Download
memory/2000-134-0x0000000005610000-0x00000000056A2000-memory.dmp

Filesize
584KB

Download
memory/2000-133-0x0000000005B20000-0x00000000060C4000-memory.dmp

Filesize
5.6MB

Download
memory/3268-137-0x0000000000000000-mapping.dmp

Download
memory/3268-138-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3268-139-0x0000000005520000-0x0000000005576000-memory.dmp

Filesize
344KB

Download
memory/3696-140-0x0000000000000000-mapping.dmp

Download
memory/3696-144-0x000000006F860000-0x000000006FE11000-memory.dmp

Filesize
5.7MB

Download
memory/3696-143-0x000000006F860000-0x000000006FE11000-memory.dmp

Filesize
5.7MB

Download
memory/3696-151-0x000000006F860000-0x000000006FE11000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads