njrat | a91381bad3f5ef7eb1a95dc7d89dd60dccc6a80389b29c524fb84913b71e1bf2

General

Target

a91381bad3f5ef7eb1a95dc7d89dd60dccc6a80389b29c524fb84913b71e1bf2.exe
Size

135KB
MD5

b61d8d07574e0650adb25bdf1c3e6c5f
SHA1

1cc33ddb775273ba5f1639dfff2344d78af65d1d
SHA256

a91381bad3f5ef7eb1a95dc7d89dd60dccc6a80389b29c524fb84913b71e1bf2
SHA512

ba82dd009e2321039ad20b2ce5794f530e4c3ff7659d6217505f20722a7a5f5648be8fde3df06d4e7558878eeca15adfbde7eba3a2398105832fcfe521508be4
SSDEEP

768:5qW4V6+yDRpcnugrnskz+09lQk4GzjV0XEc2JP1iK2SwX7R81yqBP:gW4VcDRWugL/SclQBY50XvUP1R1fF

Score

10^/10

njrat hacked evasion trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

Hacked

C2

maistro.no-ip.org:1177

Mutex

89858a26c3b4f367dbcfa95959e39d35

Attributes

reg_key
89858a26c3b4f367dbcfa95959e39d35
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 1 IoCs

Processes:

ahmed.exe

pid process

1340 ahmed.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

956 netsh.exe
Loads dropped DLL 1 IoCs

Processes:

a91381bad3f5ef7eb1a95dc7d89dd60dccc6a80389b29c524fb84913b71e1bf2.exe

pid process

1956 a91381bad3f5ef7eb1a95dc7d89dd60dccc6a80389b29c524fb84913b71e1bf2.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1340	ahmed.exe

pid	process
956	netsh.exe

pid	process
1956	a91381bad3f5ef7eb1a95dc7d89dd60dccc6a80389b29c524fb84913b71e1bf2.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

ahmed.exe

description	pid	process
Token: SeDebugPrivilege	1340	ahmed.exe
Token: 33	1340	ahmed.exe
Token: SeIncBasePriorityPrivilege	1340	ahmed.exe
Token: 33	1340	ahmed.exe
Token: SeIncBasePriorityPrivilege	1340	ahmed.exe
Token: 33	1340	ahmed.exe
Token: SeIncBasePriorityPrivilege	1340	ahmed.exe
Token: 33	1340	ahmed.exe
Token: SeIncBasePriorityPrivilege	1340	ahmed.exe
Token: 33	1340	ahmed.exe
Token: SeIncBasePriorityPrivilege	1340	ahmed.exe
Token: 33	1340	ahmed.exe
Token: SeIncBasePriorityPrivilege	1340	ahmed.exe
Token: 33	1340	ahmed.exe
Token: SeIncBasePriorityPrivilege	1340	ahmed.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

a91381bad3f5ef7eb1a95dc7d89dd60dccc6a80389b29c524fb84913b71e1bf2.exeahmed.exe

description	pid	process	target process
PID 1956 wrote to memory of 1340	1956	a91381bad3f5ef7eb1a95dc7d89dd60dccc6a80389b29c524fb84913b71e1bf2.exe	ahmed.exe
PID 1956 wrote to memory of 1340	1956	a91381bad3f5ef7eb1a95dc7d89dd60dccc6a80389b29c524fb84913b71e1bf2.exe	ahmed.exe
PID 1956 wrote to memory of 1340	1956	a91381bad3f5ef7eb1a95dc7d89dd60dccc6a80389b29c524fb84913b71e1bf2.exe	ahmed.exe
PID 1956 wrote to memory of 1340	1956	a91381bad3f5ef7eb1a95dc7d89dd60dccc6a80389b29c524fb84913b71e1bf2.exe	ahmed.exe
PID 1340 wrote to memory of 956	1340	ahmed.exe	netsh.exe
PID 1340 wrote to memory of 956	1340	ahmed.exe	netsh.exe
PID 1340 wrote to memory of 956	1340	ahmed.exe	netsh.exe
PID 1340 wrote to memory of 956	1340	ahmed.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\a91381bad3f5ef7eb1a95dc7d89dd60dccc6a80389b29c524fb84913b71e1bf2.exe
"C:\Users\Admin\AppData\Local\Temp\a91381bad3f5ef7eb1a95dc7d89dd60dccc6a80389b29c524fb84913b71e1bf2.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1956

C:\Users\Admin\AppData\Roaming\ahmed.exe
"C:\Users\Admin\AppData\Roaming\ahmed.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1340

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\ahmed.exe" "ahmed.exe" ENABLE
3⤵
- Modifies Windows Firewall
PID:956

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ahmed.exe
Filesize
135KB

MD5
b61d8d07574e0650adb25bdf1c3e6c5f

SHA1
1cc33ddb775273ba5f1639dfff2344d78af65d1d

SHA256
a91381bad3f5ef7eb1a95dc7d89dd60dccc6a80389b29c524fb84913b71e1bf2

SHA512
ba82dd009e2321039ad20b2ce5794f530e4c3ff7659d6217505f20722a7a5f5648be8fde3df06d4e7558878eeca15adfbde7eba3a2398105832fcfe521508be4

Download Submit
C:\Users\Admin\AppData\Roaming\ahmed.exe
Filesize
135KB

MD5
b61d8d07574e0650adb25bdf1c3e6c5f

SHA1
1cc33ddb775273ba5f1639dfff2344d78af65d1d

SHA256
a91381bad3f5ef7eb1a95dc7d89dd60dccc6a80389b29c524fb84913b71e1bf2

SHA512
ba82dd009e2321039ad20b2ce5794f530e4c3ff7659d6217505f20722a7a5f5648be8fde3df06d4e7558878eeca15adfbde7eba3a2398105832fcfe521508be4

Download Submit
\Users\Admin\AppData\Roaming\ahmed.exe
Filesize
135KB

MD5
b61d8d07574e0650adb25bdf1c3e6c5f

SHA1
1cc33ddb775273ba5f1639dfff2344d78af65d1d

SHA256
a91381bad3f5ef7eb1a95dc7d89dd60dccc6a80389b29c524fb84913b71e1bf2

SHA512
ba82dd009e2321039ad20b2ce5794f530e4c3ff7659d6217505f20722a7a5f5648be8fde3df06d4e7558878eeca15adfbde7eba3a2398105832fcfe521508be4

Download Submit
memory/956-64-0x0000000000000000-mapping.dmp

Download
memory/1340-58-0x0000000000000000-mapping.dmp

Download
memory/1340-63-0x0000000074DE0000-0x000000007538B000-memory.dmp

Filesize
5.7MB

Download
memory/1340-66-0x0000000074DE0000-0x000000007538B000-memory.dmp

Filesize
5.7MB

Download
memory/1956-54-0x00000000762F1000-0x00000000762F3000-memory.dmp

Filesize
8KB

Download
memory/1956-55-0x0000000074DE0000-0x000000007538B000-memory.dmp

Filesize
5.7MB

Download
memory/1956-56-0x0000000074DE0000-0x000000007538B000-memory.dmp

Filesize
5.7MB

Download
memory/1956-62-0x0000000074DE0000-0x000000007538B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing