njrat | 1b1000a9049ef7a4b12ff02ebff4ba367f28f6e34bd36d121d721fc4a531c7fb

General

Target

pdf.exe
Size

102KB
MD5

b04423987d7a01ca1bf5b1f8f2b77b0c
SHA1

6468823f6da30059a2750cf2b4599fdb8e450f05
SHA256

8edcf97df9e24756e8700a4496dd92d3677fc835925a90d1c48914e369b7f651
SHA512

c709012177a1d05939e92218111a0e08520166179de4353cc576e88e609fdbf556a99afa3175193a4b7d5d5b38f6688458d0e2e50f549e6f159b46f78bc1b295
SSDEEP

1536:TcTbDj6OLC73ybzlr6kI+KEBXiI40n6aDnOae98fAaMGSSpvvKet2Hbq86Dm:TcX6OWqzlUUBSpE6aDOOvvNtP86Dm

Score

10^/10

njrat pony newhacked collection discovery evasion persistence rat spyware stealer trojan upx

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

nEwHacKed

C2

slowburn.linkpc.net:6760

Mutex

a5e14c6feeac7389fad3a06801dddd4f

Attributes

reg_key
a5e14c6feeac7389fad3a06801dddd4f
splitter
|'|'|

Extracted

Family

pony

C2

http://slow1234.serveftp.com/duos/gate.php

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Users\\Admin\\AppData\\Roaming\\reader\\adobe.exe,explorer.exe"	reg.exe

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 1 IoCs

Processes:

njratbin.exe

pid process

3940 njratbin.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

2552 netsh.exe

pid	process
3940	njratbin.exe

pid	process
2552	netsh.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4344-139-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral2/memory/4344-142-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral2/memory/4344-145-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral2/memory/4344-148-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral2/memory/4344-150-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral2/memory/4344-152-0x0000000000400000-0x000000000041D000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

pdf.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation pdf.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	pdf.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

pdf.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	pdf.exe

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

pdf.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	pdf.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 2 IoCs

Processes:

pdf.exe

description pid process target process

PID 744 set thread context of 3848 744 pdf.exe pdf.exe
PID 744 set thread context of 4344 744 pdf.exe pdf.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 744 set thread context of 3848	744	pdf.exe	pdf.exe
PID 744 set thread context of 4344	744	pdf.exe	pdf.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

Processes:

pdf.exenjratbin.exe

pid	process
744	pdf.exe
744	pdf.exe
744	pdf.exe
744	pdf.exe
744	pdf.exe
744	pdf.exe
3940	njratbin.exe
3940	njratbin.exe
3940	njratbin.exe
3940	njratbin.exe
3940	njratbin.exe
3940	njratbin.exe
3940	njratbin.exe
3940	njratbin.exe
3940	njratbin.exe
3940	njratbin.exe
3940	njratbin.exe
3940	njratbin.exe
3940	njratbin.exe
3940	njratbin.exe
3940	njratbin.exe
3940	njratbin.exe
3940	njratbin.exe
3940	njratbin.exe
3940	njratbin.exe
3940	njratbin.exe
3940	njratbin.exe
3940	njratbin.exe
3940	njratbin.exe
3940	njratbin.exe
3940	njratbin.exe
3940	njratbin.exe
3940	njratbin.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

Processes:

pdf.exepdf.exenjratbin.exe

description	pid	process
Token: SeDebugPrivilege	744	pdf.exe
Token: SeImpersonatePrivilege	4344	pdf.exe
Token: SeTcbPrivilege	4344	pdf.exe
Token: SeChangeNotifyPrivilege	4344	pdf.exe
Token: SeCreateTokenPrivilege	4344	pdf.exe
Token: SeBackupPrivilege	4344	pdf.exe
Token: SeRestorePrivilege	4344	pdf.exe
Token: SeIncreaseQuotaPrivilege	4344	pdf.exe
Token: SeAssignPrimaryTokenPrivilege	4344	pdf.exe
Token: SeDebugPrivilege	3940	njratbin.exe
Token: SeImpersonatePrivilege	4344	pdf.exe
Token: SeTcbPrivilege	4344	pdf.exe
Token: SeChangeNotifyPrivilege	4344	pdf.exe
Token: SeCreateTokenPrivilege	4344	pdf.exe
Token: SeBackupPrivilege	4344	pdf.exe
Token: SeRestorePrivilege	4344	pdf.exe
Token: SeIncreaseQuotaPrivilege	4344	pdf.exe
Token: SeAssignPrimaryTokenPrivilege	4344	pdf.exe
Token: SeImpersonatePrivilege	4344	pdf.exe
Token: SeTcbPrivilege	4344	pdf.exe
Token: SeChangeNotifyPrivilege	4344	pdf.exe
Token: SeCreateTokenPrivilege	4344	pdf.exe
Token: SeBackupPrivilege	4344	pdf.exe
Token: SeRestorePrivilege	4344	pdf.exe
Token: SeIncreaseQuotaPrivilege	4344	pdf.exe
Token: SeAssignPrimaryTokenPrivilege	4344	pdf.exe
Token: SeImpersonatePrivilege	4344	pdf.exe
Token: SeTcbPrivilege	4344	pdf.exe
Token: SeChangeNotifyPrivilege	4344	pdf.exe
Token: SeCreateTokenPrivilege	4344	pdf.exe
Token: SeBackupPrivilege	4344	pdf.exe
Token: SeRestorePrivilege	4344	pdf.exe
Token: SeIncreaseQuotaPrivilege	4344	pdf.exe
Token: SeAssignPrimaryTokenPrivilege	4344	pdf.exe
Token: SeImpersonatePrivilege	4344	pdf.exe
Token: SeTcbPrivilege	4344	pdf.exe
Token: SeChangeNotifyPrivilege	4344	pdf.exe
Token: SeCreateTokenPrivilege	4344	pdf.exe
Token: SeBackupPrivilege	4344	pdf.exe
Token: SeRestorePrivilege	4344	pdf.exe
Token: SeIncreaseQuotaPrivilege	4344	pdf.exe
Token: SeAssignPrimaryTokenPrivilege	4344	pdf.exe
Token: SeImpersonatePrivilege	4344	pdf.exe
Token: SeTcbPrivilege	4344	pdf.exe
Token: SeChangeNotifyPrivilege	4344	pdf.exe
Token: SeCreateTokenPrivilege	4344	pdf.exe
Token: SeBackupPrivilege	4344	pdf.exe
Token: SeRestorePrivilege	4344	pdf.exe
Token: SeIncreaseQuotaPrivilege	4344	pdf.exe
Token: SeAssignPrimaryTokenPrivilege	4344	pdf.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

pdf.execmd.exenjratbin.exe

description	pid	process	target process
PID 744 wrote to memory of 4148	744	pdf.exe	cmd.exe
PID 744 wrote to memory of 4148	744	pdf.exe	cmd.exe
PID 744 wrote to memory of 4148	744	pdf.exe	cmd.exe
PID 4148 wrote to memory of 4100	4148	cmd.exe	reg.exe
PID 4148 wrote to memory of 4100	4148	cmd.exe	reg.exe
PID 4148 wrote to memory of 4100	4148	cmd.exe	reg.exe
PID 744 wrote to memory of 3848	744	pdf.exe	pdf.exe
PID 744 wrote to memory of 3848	744	pdf.exe	pdf.exe
PID 744 wrote to memory of 3848	744	pdf.exe	pdf.exe
PID 744 wrote to memory of 3848	744	pdf.exe	pdf.exe
PID 744 wrote to memory of 3848	744	pdf.exe	pdf.exe
PID 744 wrote to memory of 3848	744	pdf.exe	pdf.exe
PID 744 wrote to memory of 3848	744	pdf.exe	pdf.exe
PID 744 wrote to memory of 4344	744	pdf.exe	pdf.exe
PID 744 wrote to memory of 4344	744	pdf.exe	pdf.exe
PID 744 wrote to memory of 4344	744	pdf.exe	pdf.exe
PID 744 wrote to memory of 4344	744	pdf.exe	pdf.exe
PID 744 wrote to memory of 4344	744	pdf.exe	pdf.exe
PID 744 wrote to memory of 4344	744	pdf.exe	pdf.exe
PID 744 wrote to memory of 4344	744	pdf.exe	pdf.exe
PID 744 wrote to memory of 3940	744	pdf.exe	njratbin.exe
PID 744 wrote to memory of 3940	744	pdf.exe	njratbin.exe
PID 744 wrote to memory of 3940	744	pdf.exe	njratbin.exe
PID 3940 wrote to memory of 2552	3940	njratbin.exe	netsh.exe
PID 3940 wrote to memory of 2552	3940	njratbin.exe	netsh.exe
PID 3940 wrote to memory of 2552	3940	njratbin.exe	netsh.exe

outlook_win_path 1 IoCs

Processes:

pdf.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	pdf.exe

C:\Users\Admin\AppData\Local\Temp\pdf.exe
"C:\Users\Admin\AppData\Local\Temp\pdf.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:744

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\reader\adobe.exe,explorer.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4148

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\reader\adobe.exe,explorer.exe"
3⤵
- Modifies WinLogon for persistence
PID:4100

C:\Users\Admin\AppData\Local\Temp\pdf.exe
"C:\Users\Admin\AppData\Local\Temp\pdf.exe"
2⤵
PID:3848

C:\Users\Admin\AppData\Local\Temp\pdf.exe
"C:\Users\Admin\AppData\Local\Temp\pdf.exe"
2⤵
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_win_path
PID:4344

C:\Users\Admin\AppData\Local\Temp\njratbin.exe
"C:\Users\Admin\AppData\Local\Temp\njratbin.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3940

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\njratbin.exe" "njratbin.exe" ENABLE
3⤵
- Modifies Windows Firewall
PID:2552

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Email Collection

2

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\njratbin.exe
Filesize
29KB

MD5
007a4bd3c704a1ddd7d1b04ee9d91c27

SHA1
60843e7a18316d258afba4690a5ecc62c1045795

SHA256
4442506b3211c38811543e2aad5bf276d075734f7967d83a2b3117bc4bad044a

SHA512
e9678f517dbfd58ea51e93576988660d6447b479a61b478a91de7edf6057825a7a8e08d7a147514c6c9d5c2ef11e469de9ee729db2f95ef96c72eeb7e98a4838

Download Submit
C:\Users\Admin\AppData\Local\Temp\njratbin.exe
Filesize
29KB

MD5
007a4bd3c704a1ddd7d1b04ee9d91c27

SHA1
60843e7a18316d258afba4690a5ecc62c1045795

SHA256
4442506b3211c38811543e2aad5bf276d075734f7967d83a2b3117bc4bad044a

SHA512
e9678f517dbfd58ea51e93576988660d6447b479a61b478a91de7edf6057825a7a8e08d7a147514c6c9d5c2ef11e469de9ee729db2f95ef96c72eeb7e98a4838

Download Submit
memory/744-133-0x0000000074630000-0x0000000074BE1000-memory.dmp

Filesize
5.7MB

Download
memory/744-132-0x0000000074630000-0x0000000074BE1000-memory.dmp

Filesize
5.7MB

Download
memory/744-146-0x0000000074630000-0x0000000074BE1000-memory.dmp

Filesize
5.7MB

Download
memory/2552-147-0x0000000000000000-mapping.dmp

Download
memory/3848-136-0x0000000000000000-mapping.dmp

Download
memory/3940-151-0x0000000074630000-0x0000000074BE1000-memory.dmp

Filesize
5.7MB

Download
memory/3940-149-0x0000000074630000-0x0000000074BE1000-memory.dmp

Filesize
5.7MB

Download
memory/3940-141-0x0000000000000000-mapping.dmp

Download
memory/4100-135-0x0000000000000000-mapping.dmp

Download
memory/4148-134-0x0000000000000000-mapping.dmp

Download
memory/4344-142-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4344-145-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4344-148-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4344-139-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4344-150-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4344-138-0x0000000000000000-mapping.dmp

Download
memory/4344-152-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads