njrat | d80eba906f804ccde59353ff206e75a29f8ed135060762007e28d502ed2e338d

General

Target

d80eba906f804ccde59353ff206e75a29f8ed135060762007e28d502ed2e338d.exe
Size

120KB
MD5

2784566458b53d0541e566ec4a87cf15
SHA1

5b5c958442ec21134b6d812ebc4a23e12593148a
SHA256

d80eba906f804ccde59353ff206e75a29f8ed135060762007e28d502ed2e338d
SHA512

a24d6b7c3313ccd26f37c82e1408707534308096ae214ac3e996a7fc08867dbeb900220834a0c3a23020437c7a856448162fe36f90771dba62ff5b7d0533c258
SSDEEP

3072:NXr4D0ly84H/ua83JE3SndfNGPeoWHsUA698TENIDz:NXQH/uf3+CWm/sP69iEeD

Score

10^/10

njrat abo sharef evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

ABo sHaRef

C2

ahmadps1.no-ip.biz:1177

Mutex

03fedc96767daacbbd68dedb83cfdfae

Attributes

reg_key
03fedc96767daacbbd68dedb83cfdfae
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 2 IoCs

Processes:

Google chrome.exeGoogle chrome.exe

pid process

1044 Google chrome.exe
624 Google chrome.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

1004 netsh.exe
Loads dropped DLL 2 IoCs

Processes:

d80eba906f804ccde59353ff206e75a29f8ed135060762007e28d502ed2e338d.exeGoogle chrome.exe

pid process

1744 d80eba906f804ccde59353ff206e75a29f8ed135060762007e28d502ed2e338d.exe
1044 Google chrome.exe

pid	process
1044	Google chrome.exe
624	Google chrome.exe

pid	process
1004	netsh.exe

pid	process
1744	d80eba906f804ccde59353ff206e75a29f8ed135060762007e28d502ed2e338d.exe
1044	Google chrome.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Google chrome.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\03fedc96767daacbbd68dedb83cfdfae = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Google chrome.exe\" .."	Google chrome.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\03fedc96767daacbbd68dedb83cfdfae = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Google chrome.exe\" .."	Google chrome.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

d80eba906f804ccde59353ff206e75a29f8ed135060762007e28d502ed2e338d.exeGoogle chrome.exe

description	pid	process	target process
PID 1720 set thread context of 1744	1720	d80eba906f804ccde59353ff206e75a29f8ed135060762007e28d502ed2e338d.exe	d80eba906f804ccde59353ff206e75a29f8ed135060762007e28d502ed2e338d.exe
PID 1044 set thread context of 624	1044	Google chrome.exe	Google chrome.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

d80eba906f804ccde59353ff206e75a29f8ed135060762007e28d502ed2e338d.exeGoogle chrome.exeGoogle chrome.exe

pid	process
1720	d80eba906f804ccde59353ff206e75a29f8ed135060762007e28d502ed2e338d.exe
1720	d80eba906f804ccde59353ff206e75a29f8ed135060762007e28d502ed2e338d.exe
1720	d80eba906f804ccde59353ff206e75a29f8ed135060762007e28d502ed2e338d.exe
1044	Google chrome.exe
1044	Google chrome.exe
1044	Google chrome.exe
624	Google chrome.exe
624	Google chrome.exe
624	Google chrome.exe
624	Google chrome.exe
624	Google chrome.exe
624	Google chrome.exe
624	Google chrome.exe
624	Google chrome.exe
624	Google chrome.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

d80eba906f804ccde59353ff206e75a29f8ed135060762007e28d502ed2e338d.exeGoogle chrome.exeGoogle chrome.exe

description	pid	process
Token: SeDebugPrivilege	1720	d80eba906f804ccde59353ff206e75a29f8ed135060762007e28d502ed2e338d.exe
Token: SeDebugPrivilege	1044	Google chrome.exe
Token: SeDebugPrivilege	624	Google chrome.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

d80eba906f804ccde59353ff206e75a29f8ed135060762007e28d502ed2e338d.exed80eba906f804ccde59353ff206e75a29f8ed135060762007e28d502ed2e338d.exeGoogle chrome.exeGoogle chrome.exe

description	pid	process	target process
PID 1720 wrote to memory of 1744	1720	d80eba906f804ccde59353ff206e75a29f8ed135060762007e28d502ed2e338d.exe	d80eba906f804ccde59353ff206e75a29f8ed135060762007e28d502ed2e338d.exe
PID 1720 wrote to memory of 1744	1720	d80eba906f804ccde59353ff206e75a29f8ed135060762007e28d502ed2e338d.exe	d80eba906f804ccde59353ff206e75a29f8ed135060762007e28d502ed2e338d.exe
PID 1720 wrote to memory of 1744	1720	d80eba906f804ccde59353ff206e75a29f8ed135060762007e28d502ed2e338d.exe	d80eba906f804ccde59353ff206e75a29f8ed135060762007e28d502ed2e338d.exe
PID 1720 wrote to memory of 1744	1720	d80eba906f804ccde59353ff206e75a29f8ed135060762007e28d502ed2e338d.exe	d80eba906f804ccde59353ff206e75a29f8ed135060762007e28d502ed2e338d.exe
PID 1720 wrote to memory of 1744	1720	d80eba906f804ccde59353ff206e75a29f8ed135060762007e28d502ed2e338d.exe	d80eba906f804ccde59353ff206e75a29f8ed135060762007e28d502ed2e338d.exe
PID 1720 wrote to memory of 1744	1720	d80eba906f804ccde59353ff206e75a29f8ed135060762007e28d502ed2e338d.exe	d80eba906f804ccde59353ff206e75a29f8ed135060762007e28d502ed2e338d.exe
PID 1744 wrote to memory of 1044	1744	d80eba906f804ccde59353ff206e75a29f8ed135060762007e28d502ed2e338d.exe	Google chrome.exe
PID 1744 wrote to memory of 1044	1744	d80eba906f804ccde59353ff206e75a29f8ed135060762007e28d502ed2e338d.exe	Google chrome.exe
PID 1744 wrote to memory of 1044	1744	d80eba906f804ccde59353ff206e75a29f8ed135060762007e28d502ed2e338d.exe	Google chrome.exe
PID 1744 wrote to memory of 1044	1744	d80eba906f804ccde59353ff206e75a29f8ed135060762007e28d502ed2e338d.exe	Google chrome.exe
PID 1044 wrote to memory of 624	1044	Google chrome.exe	Google chrome.exe
PID 1044 wrote to memory of 624	1044	Google chrome.exe	Google chrome.exe
PID 1044 wrote to memory of 624	1044	Google chrome.exe	Google chrome.exe
PID 1044 wrote to memory of 624	1044	Google chrome.exe	Google chrome.exe
PID 1044 wrote to memory of 624	1044	Google chrome.exe	Google chrome.exe
PID 1044 wrote to memory of 624	1044	Google chrome.exe	Google chrome.exe
PID 624 wrote to memory of 1004	624	Google chrome.exe	netsh.exe
PID 624 wrote to memory of 1004	624	Google chrome.exe	netsh.exe
PID 624 wrote to memory of 1004	624	Google chrome.exe	netsh.exe
PID 624 wrote to memory of 1004	624	Google chrome.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\d80eba906f804ccde59353ff206e75a29f8ed135060762007e28d502ed2e338d.exe
"C:\Users\Admin\AppData\Local\Temp\d80eba906f804ccde59353ff206e75a29f8ed135060762007e28d502ed2e338d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Users\Admin\AppData\Local\Temp\d80eba906f804ccde59353ff206e75a29f8ed135060762007e28d502ed2e338d.exe
  C:\Users\Admin\AppData\Local\Temp\d80eba906f804ccde59353ff206e75a29f8ed135060762007e28d502ed2e338d.exe
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1744
- - C:\Users\Admin\AppData\Local\Temp\Google chrome.exe
    "C:\Users\Admin\AppData\Local\Temp\Google chrome.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1044
  - - C:\Users\Admin\AppData\Local\Temp\Google chrome.exe
      "C:\Users\Admin\AppData\Local\Temp\Google chrome.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:624
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Google chrome.exe" "Google chrome.exe" ENABLE
        5⤵
        Modifies Windows Firewall
        
        PID:1004

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Google chrome.exe

Filesize
120KB

MD5
2784566458b53d0541e566ec4a87cf15

SHA1
5b5c958442ec21134b6d812ebc4a23e12593148a

SHA256
d80eba906f804ccde59353ff206e75a29f8ed135060762007e28d502ed2e338d

SHA512
a24d6b7c3313ccd26f37c82e1408707534308096ae214ac3e996a7fc08867dbeb900220834a0c3a23020437c7a856448162fe36f90771dba62ff5b7d0533c258

Download Submit
C:\Users\Admin\AppData\Local\Temp\Google chrome.exe

Filesize
120KB

MD5
2784566458b53d0541e566ec4a87cf15

SHA1
5b5c958442ec21134b6d812ebc4a23e12593148a

SHA256
d80eba906f804ccde59353ff206e75a29f8ed135060762007e28d502ed2e338d

SHA512
a24d6b7c3313ccd26f37c82e1408707534308096ae214ac3e996a7fc08867dbeb900220834a0c3a23020437c7a856448162fe36f90771dba62ff5b7d0533c258

Download Submit
C:\Users\Admin\AppData\Local\Temp\Google chrome.exe

Filesize
120KB

MD5
2784566458b53d0541e566ec4a87cf15

SHA1
5b5c958442ec21134b6d812ebc4a23e12593148a

SHA256
d80eba906f804ccde59353ff206e75a29f8ed135060762007e28d502ed2e338d

SHA512
a24d6b7c3313ccd26f37c82e1408707534308096ae214ac3e996a7fc08867dbeb900220834a0c3a23020437c7a856448162fe36f90771dba62ff5b7d0533c258

Download Submit
\Users\Admin\AppData\Local\Temp\Google chrome.exe

Filesize
120KB

MD5
2784566458b53d0541e566ec4a87cf15

SHA1
5b5c958442ec21134b6d812ebc4a23e12593148a

SHA256
d80eba906f804ccde59353ff206e75a29f8ed135060762007e28d502ed2e338d

SHA512
a24d6b7c3313ccd26f37c82e1408707534308096ae214ac3e996a7fc08867dbeb900220834a0c3a23020437c7a856448162fe36f90771dba62ff5b7d0533c258

Download Submit
\Users\Admin\AppData\Local\Temp\Google chrome.exe

Filesize
120KB

MD5
2784566458b53d0541e566ec4a87cf15

SHA1
5b5c958442ec21134b6d812ebc4a23e12593148a

SHA256
d80eba906f804ccde59353ff206e75a29f8ed135060762007e28d502ed2e338d

SHA512
a24d6b7c3313ccd26f37c82e1408707534308096ae214ac3e996a7fc08867dbeb900220834a0c3a23020437c7a856448162fe36f90771dba62ff5b7d0533c258

Download Submit
memory/624-87-0x0000000004DD5000-0x0000000004DE6000-memory.dmp

Filesize
68KB

Download
memory/624-86-0x0000000004DD5000-0x0000000004DE6000-memory.dmp

Filesize
68KB

Download
memory/624-74-0x0000000000408B1E-mapping.dmp

Download
memory/1004-80-0x0000000000000000-mapping.dmp

Download
memory/1044-67-0x0000000000000000-mapping.dmp

Download
memory/1044-83-0x0000000000430000-0x0000000000470000-memory.dmp

Filesize
256KB

Download
memory/1044-70-0x0000000001360000-0x0000000001384000-memory.dmp

Filesize
144KB

Download
memory/1720-58-0x0000000000920000-0x000000000092A000-memory.dmp

Filesize
40KB

Download
memory/1720-57-0x0000000000560000-0x00000000005AE000-memory.dmp

Filesize
312KB

Download
memory/1720-82-0x0000000000FB5000-0x0000000000FC6000-memory.dmp

Filesize
68KB

Download
memory/1720-54-0x00000000012D0000-0x00000000012F4000-memory.dmp

Filesize
144KB

Download
memory/1720-84-0x0000000000FB5000-0x0000000000FC6000-memory.dmp

Filesize
68KB

Download
memory/1720-56-0x00000000765B1000-0x00000000765B3000-memory.dmp

Filesize
8KB

Download
memory/1720-55-0x0000000000470000-0x000000000047E000-memory.dmp

Filesize
56KB

Download
memory/1744-62-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1744-64-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1744-60-0x0000000000408B1E-mapping.dmp

Download
memory/1744-59-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads