njrat | aacd16a5525ab0e1e690839933296f051279e11ea39b31e003f5b6cdaf69591d

Analysis

max time kernel
41s
max time network
35s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
24-11-2022 20:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aacd16a5525ab0e1e690839933296f051279e11ea39b31e003f5b6cdaf69591d.exe
Size

232KB
MD5

078c443bcef55469d0e676bfdb3657da
SHA1

d2f776086636685bbfff14350a4dad829fdfc930
SHA256

aacd16a5525ab0e1e690839933296f051279e11ea39b31e003f5b6cdaf69591d
SHA512

078bbe71d9deea47947932bbc5fb79de21ba812cbb0274194fc347640420a4335cdf6c060de5a5fe4a0f237cd0d295d6131d6795bd1c081df9881b15150193eb
SSDEEP

3072:f6MMA29HPwr/7bn8fgNYg2hilnsf+odkFX4CDlpj3sRpPeQZ3NM:c9vwrX8kY3hino+aCDrIRNeQZN

Score

10^/10

njrat hacked trojan

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

HacKed

gabrireimice.no-ip.biz:1177

Mutex

7d31449cc24545e5baf7b7e98c5e61d9

Attributes

reg_key
7d31449cc24545e5baf7b7e98c5e61d9
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 1 IoCs

Processes:

Explorer.exe

pid process

332 Explorer.exe
Loads dropped DLL 1 IoCs

Processes:

aacd16a5525ab0e1e690839933296f051279e11ea39b31e003f5b6cdaf69591d.exe

pid process

1120 aacd16a5525ab0e1e690839933296f051279e11ea39b31e003f5b6cdaf69591d.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
332	Explorer.exe

pid	process
1120	aacd16a5525ab0e1e690839933296f051279e11ea39b31e003f5b6cdaf69591d.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

aacd16a5525ab0e1e690839933296f051279e11ea39b31e003f5b6cdaf69591d.exe

description	pid	process	target process
PID 1120 wrote to memory of 332	1120	aacd16a5525ab0e1e690839933296f051279e11ea39b31e003f5b6cdaf69591d.exe	Explorer.exe
PID 1120 wrote to memory of 332	1120	aacd16a5525ab0e1e690839933296f051279e11ea39b31e003f5b6cdaf69591d.exe	Explorer.exe
PID 1120 wrote to memory of 332	1120	aacd16a5525ab0e1e690839933296f051279e11ea39b31e003f5b6cdaf69591d.exe	Explorer.exe
PID 1120 wrote to memory of 332	1120	aacd16a5525ab0e1e690839933296f051279e11ea39b31e003f5b6cdaf69591d.exe	Explorer.exe

C:\Users\Admin\AppData\Local\Temp\aacd16a5525ab0e1e690839933296f051279e11ea39b31e003f5b6cdaf69591d.exe
"C:\Users\Admin\AppData\Local\Temp\aacd16a5525ab0e1e690839933296f051279e11ea39b31e003f5b6cdaf69591d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1120

C:\Users\Admin\AppData\Roaming\Explorer.exe
"C:\Users\Admin\AppData\Roaming\Explorer.exe"
2⤵
- Executes dropped EXE
PID:332

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Explorer.exe
Filesize
232KB

MD5
078c443bcef55469d0e676bfdb3657da

SHA1
d2f776086636685bbfff14350a4dad829fdfc930

SHA256
aacd16a5525ab0e1e690839933296f051279e11ea39b31e003f5b6cdaf69591d

SHA512
078bbe71d9deea47947932bbc5fb79de21ba812cbb0274194fc347640420a4335cdf6c060de5a5fe4a0f237cd0d295d6131d6795bd1c081df9881b15150193eb

Download Submit
C:\Users\Admin\AppData\Roaming\Explorer.exe
Filesize
232KB

MD5
078c443bcef55469d0e676bfdb3657da

SHA1
d2f776086636685bbfff14350a4dad829fdfc930

SHA256
aacd16a5525ab0e1e690839933296f051279e11ea39b31e003f5b6cdaf69591d

SHA512
078bbe71d9deea47947932bbc5fb79de21ba812cbb0274194fc347640420a4335cdf6c060de5a5fe4a0f237cd0d295d6131d6795bd1c081df9881b15150193eb

Download Submit
\Users\Admin\AppData\Roaming\Explorer.exe
Filesize
232KB

MD5
078c443bcef55469d0e676bfdb3657da

SHA1
d2f776086636685bbfff14350a4dad829fdfc930

SHA256
aacd16a5525ab0e1e690839933296f051279e11ea39b31e003f5b6cdaf69591d

SHA512
078bbe71d9deea47947932bbc5fb79de21ba812cbb0274194fc347640420a4335cdf6c060de5a5fe4a0f237cd0d295d6131d6795bd1c081df9881b15150193eb

Download Submit
memory/332-56-0x0000000000000000-mapping.dmp

Download
memory/332-61-0x0000000073EC0000-0x000000007446B000-memory.dmp

Filesize
5.7MB

Download
memory/1120-54-0x0000000075891000-0x0000000075893000-memory.dmp

Filesize
8KB

Download
memory/1120-60-0x0000000073EC0000-0x000000007446B000-memory.dmp

Filesize
5.7MB

Download