njrat | 7a9574c4cb8d6e2f0b6ebfa852930f05252664e893db6f32fe8c60c809c07393

Analysis

max time kernel
79s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
26-11-2022 08:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7a9574c4cb8d6e2f0b6ebfa852930f05252664e893db6f32fe8c60c809c07393.exe
Size

29KB
MD5

07ae3808ff61ee050d7f46ebc7ae8553
SHA1

fcde926f75efadf892e00374f42bace1328a83ad
SHA256

7a9574c4cb8d6e2f0b6ebfa852930f05252664e893db6f32fe8c60c809c07393
SHA512

3f688d38dfaec6344475c2f14afc3d91edc69fe29d02f5b0404951c0abde03d7e32b629e48eee4a266209602eead12b0e8b34e264aa3ff710de08502b0d390fe
SSDEEP

384:8hQXpl7dzns8oDw/LRP55/4GWmqDSeXegLGBsbh0w4wlAokw9OhgOL1vYRGOZzIH:8E7Js8oDSJz4wqZXenBKh0p29SgRQl5

Score

10^/10

njrat hacked trojan

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

HacKed

heroznt1.no-ip.biz:5552

Mutex

043268c986c44a75878ff249a24b122e

Attributes

reg_key
043268c986c44a75878ff249a24b122e
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 1 IoCs

Processes:

IDM.exe

pid process

1628 IDM.exe
Loads dropped DLL 1 IoCs

Processes:

7a9574c4cb8d6e2f0b6ebfa852930f05252664e893db6f32fe8c60c809c07393.exe

pid process

1784 7a9574c4cb8d6e2f0b6ebfa852930f05252664e893db6f32fe8c60c809c07393.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1628	IDM.exe

pid	process
1784	7a9574c4cb8d6e2f0b6ebfa852930f05252664e893db6f32fe8c60c809c07393.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

7a9574c4cb8d6e2f0b6ebfa852930f05252664e893db6f32fe8c60c809c07393.exe

description	pid	process	target process
PID 1784 wrote to memory of 1628	1784	7a9574c4cb8d6e2f0b6ebfa852930f05252664e893db6f32fe8c60c809c07393.exe	IDM.exe
PID 1784 wrote to memory of 1628	1784	7a9574c4cb8d6e2f0b6ebfa852930f05252664e893db6f32fe8c60c809c07393.exe	IDM.exe
PID 1784 wrote to memory of 1628	1784	7a9574c4cb8d6e2f0b6ebfa852930f05252664e893db6f32fe8c60c809c07393.exe	IDM.exe
PID 1784 wrote to memory of 1628	1784	7a9574c4cb8d6e2f0b6ebfa852930f05252664e893db6f32fe8c60c809c07393.exe	IDM.exe

C:\Users\Admin\AppData\Local\Temp\7a9574c4cb8d6e2f0b6ebfa852930f05252664e893db6f32fe8c60c809c07393.exe
"C:\Users\Admin\AppData\Local\Temp\7a9574c4cb8d6e2f0b6ebfa852930f05252664e893db6f32fe8c60c809c07393.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1784

C:\Users\Admin\AppData\Roaming\IDM.exe
"C:\Users\Admin\AppData\Roaming\IDM.exe"
2⤵
- Executes dropped EXE
PID:1628

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\IDM.exe
Filesize
29KB

MD5
07ae3808ff61ee050d7f46ebc7ae8553

SHA1
fcde926f75efadf892e00374f42bace1328a83ad

SHA256
7a9574c4cb8d6e2f0b6ebfa852930f05252664e893db6f32fe8c60c809c07393

SHA512
3f688d38dfaec6344475c2f14afc3d91edc69fe29d02f5b0404951c0abde03d7e32b629e48eee4a266209602eead12b0e8b34e264aa3ff710de08502b0d390fe

Download Submit
C:\Users\Admin\AppData\Roaming\IDM.exe
Filesize
29KB

MD5
07ae3808ff61ee050d7f46ebc7ae8553

SHA1
fcde926f75efadf892e00374f42bace1328a83ad

SHA256
7a9574c4cb8d6e2f0b6ebfa852930f05252664e893db6f32fe8c60c809c07393

SHA512
3f688d38dfaec6344475c2f14afc3d91edc69fe29d02f5b0404951c0abde03d7e32b629e48eee4a266209602eead12b0e8b34e264aa3ff710de08502b0d390fe

Download Submit
\Users\Admin\AppData\Roaming\IDM.exe
Filesize
29KB

MD5
07ae3808ff61ee050d7f46ebc7ae8553

SHA1
fcde926f75efadf892e00374f42bace1328a83ad

SHA256
7a9574c4cb8d6e2f0b6ebfa852930f05252664e893db6f32fe8c60c809c07393

SHA512
3f688d38dfaec6344475c2f14afc3d91edc69fe29d02f5b0404951c0abde03d7e32b629e48eee4a266209602eead12b0e8b34e264aa3ff710de08502b0d390fe

Download Submit
memory/1628-58-0x0000000000000000-mapping.dmp

Download
memory/1628-62-0x0000000074690000-0x0000000074C3B000-memory.dmp

Filesize
5.7MB

Download
memory/1628-63-0x0000000074690000-0x0000000074C3B000-memory.dmp

Filesize
5.7MB

Download
memory/1784-54-0x00000000751A1000-0x00000000751A3000-memory.dmp

Filesize
8KB

Download
memory/1784-55-0x0000000074690000-0x0000000074C3B000-memory.dmp

Filesize
5.7MB

Download
memory/1784-57-0x0000000074690000-0x0000000074C3B000-memory.dmp

Filesize
5.7MB

Download
memory/1784-64-0x0000000074690000-0x0000000074C3B000-memory.dmp

Filesize
5.7MB

Download