njrat | 2c694cd1fa99b5d049ef82a9fa176bcfa3658ee4e8fd427668667850d9f9bd3b

Analysis

max time kernel
45s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
28/11/2022, 06:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2c694cd1fa99b5d049ef82a9fa176bcfa3658ee4e8fd427668667850d9f9bd3b.exe
Size

216KB
MD5

1abd4046c4581e18a04f31fd01c37bc6
SHA1

e3a05f10b52399184714a01a5e3e29696d4345d5
SHA256

2c694cd1fa99b5d049ef82a9fa176bcfa3658ee4e8fd427668667850d9f9bd3b
SHA512

ad947e946607fdba605344445d20528e49fbc343a5fef865e96b8af85f917ac7ff5639f44271e6c9b87ad3cdbeba372289426f4a812ed8ce35f26701292da005
SSDEEP

6144:RbRZe1dUZiD78HUynURW5wT5RnR/0ktNJ:XZliD6dnZe9R/

Score

10^/10

njrat trojan

Malware Config

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 2 IoCs

pid	Process
1724	LocalFYZYoSHdoF.exe
1876	Trojan.exe

Loads dropped DLL 1 IoCs

pid	Process
1724	LocalFYZYoSHdoF.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 1724	2028	2c694cd1fa99b5d049ef82a9fa176bcfa3658ee4e8fd427668667850d9f9bd3b.exe	28
PID 2028 wrote to memory of 1724	2028	2c694cd1fa99b5d049ef82a9fa176bcfa3658ee4e8fd427668667850d9f9bd3b.exe	28
PID 2028 wrote to memory of 1724	2028	2c694cd1fa99b5d049ef82a9fa176bcfa3658ee4e8fd427668667850d9f9bd3b.exe	28
PID 2028 wrote to memory of 1724	2028	2c694cd1fa99b5d049ef82a9fa176bcfa3658ee4e8fd427668667850d9f9bd3b.exe	28
PID 1724 wrote to memory of 1876	1724	LocalFYZYoSHdoF.exe	30
PID 1724 wrote to memory of 1876	1724	LocalFYZYoSHdoF.exe	30
PID 1724 wrote to memory of 1876	1724	LocalFYZYoSHdoF.exe	30
PID 1724 wrote to memory of 1876	1724	LocalFYZYoSHdoF.exe	30

C:\Users\Admin\AppData\Local\Temp\2c694cd1fa99b5d049ef82a9fa176bcfa3658ee4e8fd427668667850d9f9bd3b.exe
"C:\Users\Admin\AppData\Local\Temp\2c694cd1fa99b5d049ef82a9fa176bcfa3658ee4e8fd427668667850d9f9bd3b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Users\Admin\AppData\LocalFYZYoSHdoF.exe
  "C:\Users\Admin\AppData\LocalFYZYoSHdoF.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1724
- - C:\Users\Admin\AppData\Local\Temp\Trojan.exe
    "C:\Users\Admin\AppData\Local\Temp\Trojan.exe"
    3⤵
    - Executes dropped EXE
    PID:1876

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalFYZYoSHdoF.exe

Filesize
28KB

MD5
82cd661b57ea77c2a70820c3fb85774a

SHA1
ecc075d50770fce1c484e1b39cb1d69c8524fc94

SHA256
d65bf887f167f882a21e0c6d5c82883830ab4301c63a6349968c6dcf0ede6276

SHA512
7d9a07461378ac7705323911af79824171c2250190b2dded9078d56aa5ef96a391e21d43698bcab852995ab7161fb1185292c702f4f816fb991bbb72db8ad26d

Download Submit
C:\Users\Admin\AppData\LocalFYZYoSHdoF.exe

Filesize
28KB

MD5
82cd661b57ea77c2a70820c3fb85774a

SHA1
ecc075d50770fce1c484e1b39cb1d69c8524fc94

SHA256
d65bf887f167f882a21e0c6d5c82883830ab4301c63a6349968c6dcf0ede6276

SHA512
7d9a07461378ac7705323911af79824171c2250190b2dded9078d56aa5ef96a391e21d43698bcab852995ab7161fb1185292c702f4f816fb991bbb72db8ad26d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Trojan.exe

Filesize
28KB

MD5
82cd661b57ea77c2a70820c3fb85774a

SHA1
ecc075d50770fce1c484e1b39cb1d69c8524fc94

SHA256
d65bf887f167f882a21e0c6d5c82883830ab4301c63a6349968c6dcf0ede6276

SHA512
7d9a07461378ac7705323911af79824171c2250190b2dded9078d56aa5ef96a391e21d43698bcab852995ab7161fb1185292c702f4f816fb991bbb72db8ad26d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Trojan.exe

Filesize
28KB

MD5
82cd661b57ea77c2a70820c3fb85774a

SHA1
ecc075d50770fce1c484e1b39cb1d69c8524fc94

SHA256
d65bf887f167f882a21e0c6d5c82883830ab4301c63a6349968c6dcf0ede6276

SHA512
7d9a07461378ac7705323911af79824171c2250190b2dded9078d56aa5ef96a391e21d43698bcab852995ab7161fb1185292c702f4f816fb991bbb72db8ad26d

Download Submit
\Users\Admin\AppData\Local\Temp\Trojan.exe

Filesize
28KB

MD5
82cd661b57ea77c2a70820c3fb85774a

SHA1
ecc075d50770fce1c484e1b39cb1d69c8524fc94

SHA256
d65bf887f167f882a21e0c6d5c82883830ab4301c63a6349968c6dcf0ede6276

SHA512
7d9a07461378ac7705323911af79824171c2250190b2dded9078d56aa5ef96a391e21d43698bcab852995ab7161fb1185292c702f4f816fb991bbb72db8ad26d

Download Submit
memory/1724-60-0x0000000075811000-0x0000000075813000-memory.dmp

Filesize
8KB

Download
memory/1724-61-0x0000000074110000-0x00000000746BB000-memory.dmp

Filesize
5.7MB

Download
memory/1724-67-0x0000000074110000-0x00000000746BB000-memory.dmp

Filesize
5.7MB

Download
memory/1876-68-0x0000000074110000-0x00000000746BB000-memory.dmp

Filesize
5.7MB

Download
memory/2028-54-0x000007FEF35B0000-0x000007FEF3FD3000-memory.dmp

Filesize
10.1MB

Download
memory/2028-59-0x000000001ADB0000-0x000000001ADC0000-memory.dmp

Filesize
64KB

Download
memory/2028-55-0x000007FEFB931000-0x000007FEFB933000-memory.dmp

Filesize
8KB

Download