njrat | 1bbdff5a19a1e5d6b99e614c3ac5e91d865437553c255758a63eb48047e8d05e

General

Target

1bbdff5a19a1e5d6b99e614c3ac5e91d865437553c255758a63eb48047e8d05e.exe
Size

565KB
MD5

2dd799f19beed0c4ca1fe6890072ed49
SHA1

1ab76b72bb1de7284c4e980444867876ce90bc0b
SHA256

1bbdff5a19a1e5d6b99e614c3ac5e91d865437553c255758a63eb48047e8d05e
SHA512

1cd011696cf22598c76733d51feec134aa665bd3ab12f4c04e94db8cd672395d904822a1f1f6dfe039c99400f7a428ed7e6c759f4da883a60e2269478f39aa51
SSDEEP

12288:f5MhBkgAFOgCCCOsvFYCCCCfCOVBIs1gFheDiwlln/mg6eZA/+x/joyMEq:fFFOgCCCkCCCCfCqBRSFkZ1/mgF1WyML

Score

10^/10

njrat تنم evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

تنم

C2

asel1996.no-ip.biz:1177

Mutex

d5a38e9b5f206c41f8851bf04a251d26

Attributes

reg_key
d5a38e9b5f206c41f8851bf04a251d26
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 1 IoCs

Processes:

chrome.exe

pid process

564 chrome.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

320 netsh.exe

pid	process
320	netsh.exe

Drops startup file 2 IoCs

Processes:

chrome.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d5a38e9b5f206c41f8851bf04a251d26.exe	chrome.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d5a38e9b5f206c41f8851bf04a251d26.exe	chrome.exe

Loads dropped DLL 1 IoCs

Processes:

1bbdff5a19a1e5d6b99e614c3ac5e91d865437553c255758a63eb48047e8d05e.exe

pid process

2040 1bbdff5a19a1e5d6b99e614c3ac5e91d865437553c255758a63eb48047e8d05e.exe

pid	process
2040	1bbdff5a19a1e5d6b99e614c3ac5e91d865437553c255758a63eb48047e8d05e.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

chrome.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\d5a38e9b5f206c41f8851bf04a251d26 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\chrome.exe\" .."	chrome.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\d5a38e9b5f206c41f8851bf04a251d26 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\chrome.exe\" .."	chrome.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

chrome.exe

pid	process
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

chrome.exe

description pid process

Token: SeDebugPrivilege 564 chrome.exe

description	pid	process
Token: SeDebugPrivilege	564	chrome.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

1bbdff5a19a1e5d6b99e614c3ac5e91d865437553c255758a63eb48047e8d05e.exechrome.exe

description	pid	process	target process
PID 2040 wrote to memory of 564	2040	1bbdff5a19a1e5d6b99e614c3ac5e91d865437553c255758a63eb48047e8d05e.exe	chrome.exe
PID 2040 wrote to memory of 564	2040	1bbdff5a19a1e5d6b99e614c3ac5e91d865437553c255758a63eb48047e8d05e.exe	chrome.exe
PID 2040 wrote to memory of 564	2040	1bbdff5a19a1e5d6b99e614c3ac5e91d865437553c255758a63eb48047e8d05e.exe	chrome.exe
PID 2040 wrote to memory of 564	2040	1bbdff5a19a1e5d6b99e614c3ac5e91d865437553c255758a63eb48047e8d05e.exe	chrome.exe
PID 564 wrote to memory of 320	564	chrome.exe	netsh.exe
PID 564 wrote to memory of 320	564	chrome.exe	netsh.exe
PID 564 wrote to memory of 320	564	chrome.exe	netsh.exe
PID 564 wrote to memory of 320	564	chrome.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\1bbdff5a19a1e5d6b99e614c3ac5e91d865437553c255758a63eb48047e8d05e.exe
"C:\Users\Admin\AppData\Local\Temp\1bbdff5a19a1e5d6b99e614c3ac5e91d865437553c255758a63eb48047e8d05e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2040

C:\Users\Admin\AppData\Local\Temp\chrome.exe
"C:\Users\Admin\AppData\Local\Temp\chrome.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:564

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\chrome.exe" "chrome.exe" ENABLE
3⤵
- Modifies Windows Firewall
PID:320

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\chrome.exe
Filesize
565KB

MD5
2dd799f19beed0c4ca1fe6890072ed49

SHA1
1ab76b72bb1de7284c4e980444867876ce90bc0b

SHA256
1bbdff5a19a1e5d6b99e614c3ac5e91d865437553c255758a63eb48047e8d05e

SHA512
1cd011696cf22598c76733d51feec134aa665bd3ab12f4c04e94db8cd672395d904822a1f1f6dfe039c99400f7a428ed7e6c759f4da883a60e2269478f39aa51

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome.exe
Filesize
565KB

MD5
2dd799f19beed0c4ca1fe6890072ed49

SHA1
1ab76b72bb1de7284c4e980444867876ce90bc0b

SHA256
1bbdff5a19a1e5d6b99e614c3ac5e91d865437553c255758a63eb48047e8d05e

SHA512
1cd011696cf22598c76733d51feec134aa665bd3ab12f4c04e94db8cd672395d904822a1f1f6dfe039c99400f7a428ed7e6c759f4da883a60e2269478f39aa51

Download Submit
\Users\Admin\AppData\Local\Temp\chrome.exe
Filesize
565KB

MD5
2dd799f19beed0c4ca1fe6890072ed49

SHA1
1ab76b72bb1de7284c4e980444867876ce90bc0b

SHA256
1bbdff5a19a1e5d6b99e614c3ac5e91d865437553c255758a63eb48047e8d05e

SHA512
1cd011696cf22598c76733d51feec134aa665bd3ab12f4c04e94db8cd672395d904822a1f1f6dfe039c99400f7a428ed7e6c759f4da883a60e2269478f39aa51

Download Submit
memory/320-62-0x0000000000000000-mapping.dmp

Download
memory/564-57-0x0000000000000000-mapping.dmp

Download
memory/564-64-0x00000000747D0000-0x0000000074D7B000-memory.dmp

Filesize
5.7MB

Download
memory/564-65-0x00000000747D0000-0x0000000074D7B000-memory.dmp

Filesize
5.7MB

Download
memory/2040-54-0x0000000076381000-0x0000000076383000-memory.dmp

Filesize
8KB

Download
memory/2040-55-0x00000000747D0000-0x0000000074D7B000-memory.dmp

Filesize
5.7MB

Download
memory/2040-61-0x00000000747D0000-0x0000000074D7B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads