njrat | 628819f7ea9d61cfab9014f5e91098b4506e42ed4616e073d2c3cfa34a9192e2

Analysis

max time kernel
11s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
27-11-2022 18:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

628819f7ea9d61cfab9014f5e91098b4506e42ed4616e073d2c3cfa34a9192e2.exe
Size

55KB
MD5

195b4f3bfd5d08e1507a4600e794d9a7
SHA1

3d93c75012a754c856cafcaa16cf54e872b2f074
SHA256

628819f7ea9d61cfab9014f5e91098b4506e42ed4616e073d2c3cfa34a9192e2
SHA512

c6909e2c2b4d4c3caacf4a128bde64559b1cd5e5f4b0438afc9d7f221fb3198c4d9c1e35e84ad4e6dd5cd5ca4966f9db1063baf4e91acd1bb167a64397347e58
SSDEEP

768:zn7cfqXeB+u3cSrL2vPq8Y4Kcrpeu9wrNv1Wrjkfa32rc/DCnw3KR:znCqXeB13cwLiPJBR4u9w3WEfal/J3E

Score

10^/10

njrat hack by fumet07 trojan

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

Hack by fumet07

fumeta.noip.me:1177

Mutex

4aabb61fd66d326cabec9304d713c873

Attributes

reg_key
4aabb61fd66d326cabec9304d713c873
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 836 set thread context of 1900	836	628819f7ea9d61cfab9014f5e91098b4506e42ed4616e073d2c3cfa34a9192e2.exe	27

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\security.config.cch.new	628819f7ea9d61cfab9014f5e91098b4506e42ed4616e073d2c3cfa34a9192e2.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\enterprisesec.config.cch.new	628819f7ea9d61cfab9014f5e91098b4506e42ed4616e073d2c3cfa34a9192e2.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	836	628819f7ea9d61cfab9014f5e91098b4506e42ed4616e073d2c3cfa34a9192e2.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 836 wrote to memory of 1900	836	628819f7ea9d61cfab9014f5e91098b4506e42ed4616e073d2c3cfa34a9192e2.exe	27
PID 836 wrote to memory of 1900	836	628819f7ea9d61cfab9014f5e91098b4506e42ed4616e073d2c3cfa34a9192e2.exe	27
PID 836 wrote to memory of 1900	836	628819f7ea9d61cfab9014f5e91098b4506e42ed4616e073d2c3cfa34a9192e2.exe	27
PID 836 wrote to memory of 1900	836	628819f7ea9d61cfab9014f5e91098b4506e42ed4616e073d2c3cfa34a9192e2.exe	27
PID 836 wrote to memory of 1900	836	628819f7ea9d61cfab9014f5e91098b4506e42ed4616e073d2c3cfa34a9192e2.exe	27
PID 836 wrote to memory of 1900	836	628819f7ea9d61cfab9014f5e91098b4506e42ed4616e073d2c3cfa34a9192e2.exe	27
PID 836 wrote to memory of 1900	836	628819f7ea9d61cfab9014f5e91098b4506e42ed4616e073d2c3cfa34a9192e2.exe	27
PID 836 wrote to memory of 1900	836	628819f7ea9d61cfab9014f5e91098b4506e42ed4616e073d2c3cfa34a9192e2.exe	27

C:\Users\Admin\AppData\Local\Temp\628819f7ea9d61cfab9014f5e91098b4506e42ed4616e073d2c3cfa34a9192e2.exe
"C:\Users\Admin\AppData\Local\Temp\628819f7ea9d61cfab9014f5e91098b4506e42ed4616e073d2c3cfa34a9192e2.exe"
1⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:836
- C:\Users\Admin\AppData\Local\Temp\628819f7ea9d61cfab9014f5e91098b4506e42ed4616e073d2c3cfa34a9192e2.exe
  C:\Users\Admin\AppData\Local\Temp\628819f7ea9d61cfab9014f5e91098b4506e42ed4616e073d2c3cfa34a9192e2.exe
  2⤵
  PID:1900

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/836-54-0x000007FEF4940000-0x000007FEF5363000-memory.dmp

Filesize
10.1MB

Download
memory/836-55-0x000007FEEE8C0000-0x000007FEEF956000-memory.dmp

Filesize
16.6MB

Download
memory/1900-56-0x0000000000000000-mapping.dmp

Download
memory/1900-57-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download