njrat | 2f0e0aeb71609514832d6e80783518eb0efedaf52fe6abdc9f47270e91b6a33f

General

Target

2f0e0aeb71609514832d6e80783518eb0efedaf52fe6abdc9f47270e91b6a33f.exe
Size

710KB
MD5

1d1f0520530466ef7dfb1b7bfef3e589
SHA1

41dc772cd170d40279ad7347837bf7a6ec2d3ee2
SHA256

2f0e0aeb71609514832d6e80783518eb0efedaf52fe6abdc9f47270e91b6a33f
SHA512

88ed865d725e6c436fd80a77f8bfcf108a77095f078c0b8f711b8de0782dacaecb5c727729d5e927b4433517516ef5c33927e2f11505931de49d59afe4dad840
SSDEEP

12288:oH7Wcjdc/r2sxxiPGGAOOPSXDV8ClgVYhX5FSsf8QuP2rX:obCj2sObHtqQ4Qu+z

Score

10^/10

njrat bot trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

Bot

C2

smuktnet.ddns.net:5552

Mutex

d5bf5ee18952025404f8d39dc09f66a5

Attributes

reg_key
d5bf5ee18952025404f8d39dc09f66a5
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 1 IoCs

Processes:

windows.exe

pid process

1648 windows.exe
Loads dropped DLL 1 IoCs

Processes:

regasm.exe

pid process

968 regasm.exe

pid	process
1648	windows.exe

pid	process
968	regasm.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

2f0e0aeb71609514832d6e80783518eb0efedaf52fe6abdc9f47270e91b6a33f.exe

description	pid	process	target process
PID 1672 set thread context of 968	1672	2f0e0aeb71609514832d6e80783518eb0efedaf52fe6abdc9f47270e91b6a33f.exe	regasm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

2f0e0aeb71609514832d6e80783518eb0efedaf52fe6abdc9f47270e91b6a33f.exeregasm.exe

description	pid	process	target process
PID 1672 wrote to memory of 968	1672	2f0e0aeb71609514832d6e80783518eb0efedaf52fe6abdc9f47270e91b6a33f.exe	regasm.exe
PID 1672 wrote to memory of 968	1672	2f0e0aeb71609514832d6e80783518eb0efedaf52fe6abdc9f47270e91b6a33f.exe	regasm.exe
PID 1672 wrote to memory of 968	1672	2f0e0aeb71609514832d6e80783518eb0efedaf52fe6abdc9f47270e91b6a33f.exe	regasm.exe
PID 1672 wrote to memory of 968	1672	2f0e0aeb71609514832d6e80783518eb0efedaf52fe6abdc9f47270e91b6a33f.exe	regasm.exe
PID 1672 wrote to memory of 968	1672	2f0e0aeb71609514832d6e80783518eb0efedaf52fe6abdc9f47270e91b6a33f.exe	regasm.exe
PID 1672 wrote to memory of 968	1672	2f0e0aeb71609514832d6e80783518eb0efedaf52fe6abdc9f47270e91b6a33f.exe	regasm.exe
PID 1672 wrote to memory of 968	1672	2f0e0aeb71609514832d6e80783518eb0efedaf52fe6abdc9f47270e91b6a33f.exe	regasm.exe
PID 1672 wrote to memory of 968	1672	2f0e0aeb71609514832d6e80783518eb0efedaf52fe6abdc9f47270e91b6a33f.exe	regasm.exe
PID 1672 wrote to memory of 968	1672	2f0e0aeb71609514832d6e80783518eb0efedaf52fe6abdc9f47270e91b6a33f.exe	regasm.exe
PID 1672 wrote to memory of 968	1672	2f0e0aeb71609514832d6e80783518eb0efedaf52fe6abdc9f47270e91b6a33f.exe	regasm.exe
PID 1672 wrote to memory of 968	1672	2f0e0aeb71609514832d6e80783518eb0efedaf52fe6abdc9f47270e91b6a33f.exe	regasm.exe
PID 1672 wrote to memory of 968	1672	2f0e0aeb71609514832d6e80783518eb0efedaf52fe6abdc9f47270e91b6a33f.exe	regasm.exe
PID 968 wrote to memory of 1648	968	regasm.exe	windows.exe
PID 968 wrote to memory of 1648	968	regasm.exe	windows.exe
PID 968 wrote to memory of 1648	968	regasm.exe	windows.exe
PID 968 wrote to memory of 1648	968	regasm.exe	windows.exe

C:\Users\Admin\AppData\Local\Temp\2f0e0aeb71609514832d6e80783518eb0efedaf52fe6abdc9f47270e91b6a33f.exe
"C:\Users\Admin\AppData\Local\Temp\2f0e0aeb71609514832d6e80783518eb0efedaf52fe6abdc9f47270e91b6a33f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1672

\??\c:\windows\microsoft.net\framework\v2.0.50727\regasm.exe
"c:\windows\microsoft.net\framework\v2.0.50727\regasm.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:968

C:\Users\Admin\AppData\Local\Temp\windows.exe
"C:\Users\Admin\AppData\Local\Temp\windows.exe"
3⤵
- Executes dropped EXE
PID:1648

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\windows.exe
Filesize
52KB

MD5
278edbd499374bf73621f8c1f969d894

SHA1
a81170af14747781c5f5f51bb1215893136f0bc0

SHA256
c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391

SHA512
93b0b5c3324bd2df83310f96d34c9176c94d2d676766599c1af33c98ba1efe63187056671f7c6f80c956e5bd0a725f108804021ad93326286bb9c3a96f6550b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\windows.exe
Filesize
52KB

MD5
278edbd499374bf73621f8c1f969d894

SHA1
a81170af14747781c5f5f51bb1215893136f0bc0

SHA256
c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391

SHA512
93b0b5c3324bd2df83310f96d34c9176c94d2d676766599c1af33c98ba1efe63187056671f7c6f80c956e5bd0a725f108804021ad93326286bb9c3a96f6550b9

Download Submit
\Users\Admin\AppData\Local\Temp\windows.exe
Filesize
52KB

MD5
278edbd499374bf73621f8c1f969d894

SHA1
a81170af14747781c5f5f51bb1215893136f0bc0

SHA256
c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391

SHA512
93b0b5c3324bd2df83310f96d34c9176c94d2d676766599c1af33c98ba1efe63187056671f7c6f80c956e5bd0a725f108804021ad93326286bb9c3a96f6550b9

Download Submit
memory/968-59-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/968-58-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/968-60-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/968-61-0x000000000040747E-mapping.dmp

Download
memory/968-63-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/968-65-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/968-67-0x0000000074340000-0x00000000748EB000-memory.dmp

Filesize
5.7MB

Download
memory/968-74-0x0000000074340000-0x00000000748EB000-memory.dmp

Filesize
5.7MB

Download
memory/968-55-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/968-56-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1648-69-0x0000000000000000-mapping.dmp

Download
memory/1648-73-0x0000000074340000-0x00000000748EB000-memory.dmp

Filesize
5.7MB

Download
memory/1648-75-0x0000000074340000-0x00000000748EB000-memory.dmp

Filesize
5.7MB

Download
memory/1672-54-0x0000000075BD1000-0x0000000075BD3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing