njrat | d80eba906f804ccde59353ff206e75a29f8ed135060762007e28d502ed2e338d

General

Target

d80eba906f804ccde59353ff206e75a29f8ed135060762007e28d502ed2e338d.exe
Size

120KB
MD5

2784566458b53d0541e566ec4a87cf15
SHA1

5b5c958442ec21134b6d812ebc4a23e12593148a
SHA256

d80eba906f804ccde59353ff206e75a29f8ed135060762007e28d502ed2e338d
SHA512

a24d6b7c3313ccd26f37c82e1408707534308096ae214ac3e996a7fc08867dbeb900220834a0c3a23020437c7a856448162fe36f90771dba62ff5b7d0533c258
SSDEEP

3072:NXr4D0ly84H/ua83JE3SndfNGPeoWHsUA698TENIDz:NXQH/uf3+CWm/sP69iEeD

Score

10^/10

njrat abo sharef evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

ABo sHaRef

C2

ahmadps1.no-ip.biz:1177

Mutex

03fedc96767daacbbd68dedb83cfdfae

Attributes

reg_key
03fedc96767daacbbd68dedb83cfdfae
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 2 IoCs

Processes:

Google chrome.exeGoogle chrome.exe

pid process

3644 Google chrome.exe
692 Google chrome.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

4924 netsh.exe

pid	process
3644	Google chrome.exe
692	Google chrome.exe

pid	process
4924	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

d80eba906f804ccde59353ff206e75a29f8ed135060762007e28d502ed2e338d.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	d80eba906f804ccde59353ff206e75a29f8ed135060762007e28d502ed2e338d.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Google chrome.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\03fedc96767daacbbd68dedb83cfdfae = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Google chrome.exe\" .."	Google chrome.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\03fedc96767daacbbd68dedb83cfdfae = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Google chrome.exe\" .."	Google chrome.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

d80eba906f804ccde59353ff206e75a29f8ed135060762007e28d502ed2e338d.exeGoogle chrome.exe

description	pid	process	target process
PID 1808 set thread context of 4568	1808	d80eba906f804ccde59353ff206e75a29f8ed135060762007e28d502ed2e338d.exe	d80eba906f804ccde59353ff206e75a29f8ed135060762007e28d502ed2e338d.exe
PID 3644 set thread context of 692	3644	Google chrome.exe	Google chrome.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

d80eba906f804ccde59353ff206e75a29f8ed135060762007e28d502ed2e338d.exeGoogle chrome.exeGoogle chrome.exe

pid	process
1808	d80eba906f804ccde59353ff206e75a29f8ed135060762007e28d502ed2e338d.exe
1808	d80eba906f804ccde59353ff206e75a29f8ed135060762007e28d502ed2e338d.exe
1808	d80eba906f804ccde59353ff206e75a29f8ed135060762007e28d502ed2e338d.exe
3644	Google chrome.exe
3644	Google chrome.exe
3644	Google chrome.exe
692	Google chrome.exe
692	Google chrome.exe
692	Google chrome.exe
692	Google chrome.exe
692	Google chrome.exe
692	Google chrome.exe
692	Google chrome.exe
692	Google chrome.exe
692	Google chrome.exe
692	Google chrome.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

d80eba906f804ccde59353ff206e75a29f8ed135060762007e28d502ed2e338d.exeGoogle chrome.exeGoogle chrome.exe

description	pid	process
Token: SeDebugPrivilege	1808	d80eba906f804ccde59353ff206e75a29f8ed135060762007e28d502ed2e338d.exe
Token: SeDebugPrivilege	3644	Google chrome.exe
Token: SeDebugPrivilege	692	Google chrome.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

d80eba906f804ccde59353ff206e75a29f8ed135060762007e28d502ed2e338d.exed80eba906f804ccde59353ff206e75a29f8ed135060762007e28d502ed2e338d.exeGoogle chrome.exeGoogle chrome.exe

description	pid	process	target process
PID 1808 wrote to memory of 4568	1808	d80eba906f804ccde59353ff206e75a29f8ed135060762007e28d502ed2e338d.exe	d80eba906f804ccde59353ff206e75a29f8ed135060762007e28d502ed2e338d.exe
PID 1808 wrote to memory of 4568	1808	d80eba906f804ccde59353ff206e75a29f8ed135060762007e28d502ed2e338d.exe	d80eba906f804ccde59353ff206e75a29f8ed135060762007e28d502ed2e338d.exe
PID 1808 wrote to memory of 4568	1808	d80eba906f804ccde59353ff206e75a29f8ed135060762007e28d502ed2e338d.exe	d80eba906f804ccde59353ff206e75a29f8ed135060762007e28d502ed2e338d.exe
PID 1808 wrote to memory of 4568	1808	d80eba906f804ccde59353ff206e75a29f8ed135060762007e28d502ed2e338d.exe	d80eba906f804ccde59353ff206e75a29f8ed135060762007e28d502ed2e338d.exe
PID 1808 wrote to memory of 4568	1808	d80eba906f804ccde59353ff206e75a29f8ed135060762007e28d502ed2e338d.exe	d80eba906f804ccde59353ff206e75a29f8ed135060762007e28d502ed2e338d.exe
PID 4568 wrote to memory of 3644	4568	d80eba906f804ccde59353ff206e75a29f8ed135060762007e28d502ed2e338d.exe	Google chrome.exe
PID 4568 wrote to memory of 3644	4568	d80eba906f804ccde59353ff206e75a29f8ed135060762007e28d502ed2e338d.exe	Google chrome.exe
PID 4568 wrote to memory of 3644	4568	d80eba906f804ccde59353ff206e75a29f8ed135060762007e28d502ed2e338d.exe	Google chrome.exe
PID 3644 wrote to memory of 692	3644	Google chrome.exe	Google chrome.exe
PID 3644 wrote to memory of 692	3644	Google chrome.exe	Google chrome.exe
PID 3644 wrote to memory of 692	3644	Google chrome.exe	Google chrome.exe
PID 3644 wrote to memory of 692	3644	Google chrome.exe	Google chrome.exe
PID 3644 wrote to memory of 692	3644	Google chrome.exe	Google chrome.exe
PID 692 wrote to memory of 4924	692	Google chrome.exe	netsh.exe
PID 692 wrote to memory of 4924	692	Google chrome.exe	netsh.exe
PID 692 wrote to memory of 4924	692	Google chrome.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\d80eba906f804ccde59353ff206e75a29f8ed135060762007e28d502ed2e338d.exe
"C:\Users\Admin\AppData\Local\Temp\d80eba906f804ccde59353ff206e75a29f8ed135060762007e28d502ed2e338d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1808
- C:\Users\Admin\AppData\Local\Temp\d80eba906f804ccde59353ff206e75a29f8ed135060762007e28d502ed2e338d.exe
  C:\Users\Admin\AppData\Local\Temp\d80eba906f804ccde59353ff206e75a29f8ed135060762007e28d502ed2e338d.exe
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4568
- - C:\Users\Admin\AppData\Local\Temp\Google chrome.exe
    "C:\Users\Admin\AppData\Local\Temp\Google chrome.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3644
  - - C:\Users\Admin\AppData\Local\Temp\Google chrome.exe
      "C:\Users\Admin\AppData\Local\Temp\Google chrome.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:692
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Google chrome.exe" "Google chrome.exe" ENABLE
        5⤵
        Modifies Windows Firewall
        
        PID:4924

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\d80eba906f804ccde59353ff206e75a29f8ed135060762007e28d502ed2e338d.exe.log

Filesize
418B

MD5
89c8a5340eb284f551067d44e27ae8dd

SHA1
d2431ae25a1ab67762a5125574f046f4c951d297

SHA256
73ca1f27b1c153e3405856ebe8b3c6cdd23424d2ab09c0fe1eb0e2075513057b

SHA512
b101ac2e008bd3cc6f97fedb97b8253fb07fed1c334629ecbebe0f4942ccc1070491cddc4daea521164543b6f97ba9b99d2be1c50cc5a013f04e697fea9dbdac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Google chrome.exe

Filesize
120KB

MD5
2784566458b53d0541e566ec4a87cf15

SHA1
5b5c958442ec21134b6d812ebc4a23e12593148a

SHA256
d80eba906f804ccde59353ff206e75a29f8ed135060762007e28d502ed2e338d

SHA512
a24d6b7c3313ccd26f37c82e1408707534308096ae214ac3e996a7fc08867dbeb900220834a0c3a23020437c7a856448162fe36f90771dba62ff5b7d0533c258

Download Submit
C:\Users\Admin\AppData\Local\Temp\Google chrome.exe

Filesize
120KB

MD5
2784566458b53d0541e566ec4a87cf15

SHA1
5b5c958442ec21134b6d812ebc4a23e12593148a

SHA256
d80eba906f804ccde59353ff206e75a29f8ed135060762007e28d502ed2e338d

SHA512
a24d6b7c3313ccd26f37c82e1408707534308096ae214ac3e996a7fc08867dbeb900220834a0c3a23020437c7a856448162fe36f90771dba62ff5b7d0533c258

Download Submit
C:\Users\Admin\AppData\Local\Temp\Google chrome.exe

Filesize
120KB

MD5
2784566458b53d0541e566ec4a87cf15

SHA1
5b5c958442ec21134b6d812ebc4a23e12593148a

SHA256
d80eba906f804ccde59353ff206e75a29f8ed135060762007e28d502ed2e338d

SHA512
a24d6b7c3313ccd26f37c82e1408707534308096ae214ac3e996a7fc08867dbeb900220834a0c3a23020437c7a856448162fe36f90771dba62ff5b7d0533c258

Download Submit
memory/692-142-0x0000000000000000-mapping.dmp

Download
memory/1808-135-0x0000000007310000-0x000000000731A000-memory.dmp

Filesize
40KB

Download
memory/1808-136-0x00000000097E0000-0x000000000987C000-memory.dmp

Filesize
624KB

Download
memory/1808-132-0x00000000002C0000-0x00000000002E4000-memory.dmp

Filesize
144KB

Download
memory/1808-134-0x0000000007340000-0x00000000073D2000-memory.dmp

Filesize
584KB

Download
memory/1808-133-0x00000000077F0000-0x0000000007D94000-memory.dmp

Filesize
5.6MB

Download
memory/3644-139-0x0000000000000000-mapping.dmp

Download
memory/3644-146-0x000000000118D000-0x000000000118F000-memory.dmp

Filesize
8KB

Download
memory/4568-138-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4568-137-0x0000000000000000-mapping.dmp

Download
memory/4924-145-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads