Overview

overview

10

Static

static

b94255f5ab...1f.exe

windows7-x64

10

b94255f5ab...1f.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    171s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    28-11-2022 13:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b94255f5ab14c67dd057e2c789c5d3ac526e25f9deaaf1e9b5462cc553f1f61f.exe

  • Size

    4.7MB

  • MD5

    1cf6319445434ff3bf912ba624b56b2f

  • SHA1

    c8cf1473082c3f046c2851c73f662585db706ee9

  • SHA256

    b94255f5ab14c67dd057e2c789c5d3ac526e25f9deaaf1e9b5462cc553f1f61f

  • SHA512

    47e9f20d6ab5a4d70255b0af31586e478de412a662c35f7398d3b0f96899ef50529d1e716362afc60fe1ea25ccd33fe0054d41aa254b50e0c502ab9510a46929

  • SSDEEP

    98304:nRtl3HelZF7TFtX2/jGop3R6baTwlnzy2T6iELKJ2N3AG+vlD9yqJOW:RfOlZF77XknNRsFVT66AVATvV9h

Score
10/10
njrathackedtrojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

alaboo20.ddns.net:1177

Mutex

997f3e18461eb88cd8dbaeae467eb195

Attributes
  • reg_key

    997f3e18461eb88cd8dbaeae467eb195

  • splitter

    |'|'|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 6 IoCs
  • Checks for any installed AV software in registry 1 TTPs 11 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Runs net.exe
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b94255f5ab14c67dd057e2c789c5d3ac526e25f9deaaf1e9b5462cc553f1f61f.exe
    "C:\Users\Admin\AppData\Local\Temp\b94255f5ab14c67dd057e2c789c5d3ac526e25f9deaaf1e9b5462cc553f1f61f.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:856
    • C:\Windows\SysWOW64\net.exe
      net stop SharedAccess
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:884
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop SharedAccess
        3⤵
          PID:940
      • C:\crack avast.exe
        "C:\crack avast.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:820
        • C:\crack avast.exe
          "C:\crack avast.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:1048
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=crack avast.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
            4⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:320
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:320 CREDAT:275457 /prefetch:2
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:1940
      • C:\avast_free_antivirus_setup_online.exe
        "C:\avast_free_antivirus_setup_online.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks for any installed AV software in registry
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:1488
        • C:\Users\Admin\AppData\Local\Temp\_av_iup.tm~a01656\instup.exe
          "C:\Users\Admin\AppData\Local\Temp\_av_iup.tm~a01656\instup.exe" /edition:1 /prod:ais /sfx:lite /sfxstorage:C:\Users\Admin\AppData\Local\Temp\_av_iup.tm~a01656
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks for any installed AV software in registry
          • Checks processor information in registry
          • Modifies registry class
          • Suspicious use of SetWindowsHookEx
          PID:1220

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Security Software Discovery

    1
    T1063

    System Information Discovery

    2
    T1082

    Query Registry

    1
    T1012

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\AVAST Software\Persistent Data\Avast\Logs\Setup.log
      Filesize

      2KB

      MD5

      a3c8093019f2536a4d36042c5a29d7f7

      SHA1

      18505384951cd1eb09a0e1875853b82740ece6bb

      SHA256

      7b00ccae6adf73d94a9b3fac8665a68cb678a1c360b554a10b28b26aaad6baab

      SHA512

      af28b28dc73eae8032fd61248059a2a646e36f9dac2902609dfff443f8751a2d4568cb1fdca5204238518076d62c6f9ebf0c4d01449e48c9a8a5b9c7a81497ee

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\_av_iup.tm~a01656\HTMLayout.dll
      Filesize

      3.0MB

      MD5

      a9ff57ec69f8c593aa3712b3c8f02002

      SHA1

      00595f6c7ab499a4034fe9008a7fcc080f319b78

      SHA256

      880e429951d21fe28e2a644b40c267cdf590321ee5eeac3b3eb56547746bf65f

      SHA512

      b5a755bd0a80454b61df8b9c362e2814bde8b1e6252a6dabdb33368bc526cd00f055db942953d6b0bff59ba3bbacbd9d0d7dfa4107de5731d402f5479909001f

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\_av_iup.tm~a01656\Instup.dll
      Filesize

      7.1MB

      MD5

      1a83fadd95e6c9b759db861616604d44

      SHA1

      ad9768d6e89be10943b7692b2a739c05ec145c4f

      SHA256

      9c3c3cb3f2a36e3483aaede6c6286690c38c7c124e98289b2d6a723fe78a32ec

      SHA512

      1817e9ff454e8145457045a21b8b3aeb9cc7242a8f93bf81a5aeeb30f047d3379c7ba48cd2965f86a598382e7879b314dffd242163536f886e8b6a3098496404

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\_av_iup.tm~a01656\avbugreport_ais-7e5.vpx
      Filesize

      500KB

      MD5

      c2025b03923ab2016ce71e58e32cd054

      SHA1

      270bf3ee03aa1b19862ae2ce067d9c666dd9b001

      SHA256

      0e25b2f5c7d6595e89acd1c32b07468b0231c76aeea15b63a5c2bd11a5267202

      SHA512

      9be3660b54095bf8562b5a46ef6a17d783af0acd626cee1638943dd438c054a25f6eabf305ffcacd53360b16c5094cfac8102b480816da603770fc36a7faa313

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\_av_iup.tm~a01656\instcont_ais-7e5.vpx
      Filesize

      70KB

      MD5

      d006b646f1d06ec663d2df2da9707284

      SHA1

      d4f92e1994d833255e1bc2c92e3332e09630f25e

      SHA256

      c9eff29ca57a04c22b22bdf1a4e10c4bd36b18ab752cdabd9e224ae4817cc34a

      SHA512

      977accf30985f2eaf901782a0366204651e54ed2c9438c4b211e2425798aff81ea412bf64d6cfb5b1c943fcc4d42087fe9b901da074f9e5e1af2b606230a2993

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\_av_iup.tm~a01656\instup.exe
      Filesize

      193KB

      MD5

      2080dcebe27d92f29aab5fcff77613a2

      SHA1

      c2cfe2952ffed46d37cd16dd5a005bbd940e4811

      SHA256

      ebbbb3e92b01f1f1ff6330affa7d8c281ab5bb9aee1c900f5cf1aaf1e6813e42

      SHA512

      e47395e5637d0e806a19e1038e13d6339f699708a97e47531d94c5cee68008eb243991ef808832cf4f6f95e7be058e08ba4c07b658abf0fc5b3d4ba0f53945f5

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\_av_iup.tm~a01656\instup_ais-7e5.vpx
      Filesize

      2.2MB

      MD5

      7d8c4e7207c70e8a6e7c54bcf4e9a845

      SHA1

      665a46fcceb904ffd32d665fb813d0ecb6c7a01c

      SHA256

      740929c388694611e7f6924e4e0ccbe8c2f868dcdac787153ed7c3202a313c69

      SHA512

      eb1d5f51b275ee04015884c6921d404a3acd53ef99addbfbc51c4273ea1b7b1a5c78af4afd112acd7c9f7f0d95e8e21f6122f1602180b97e5b552bf03a230249

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\_av_iup.tm~a01656\prod-ais.vpx
      Filesize

      330B

      MD5

      e0cfb37066531eb874a21c850d567e25

      SHA1

      25fd523740f7496592270279bc9a92b87e50b57c

      SHA256

      62c7b44dcfa48c918f6aea665200e0ab3858abb514f3e2fc5aef459c26a39538

      SHA512

      1b325f76ff8417473576256181ff83c76fd42cf0e54277af363fa26c086eeeda30de7ac102c930ef884afa2745645a30fca233f429b290396abeaaefb41ca546

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\_av_iup.tm~a01656\prod-vps.vpx
      Filesize

      429B

      MD5

      d33a89cfba35225a8f2fd946f62858f8

      SHA1

      3e0b074b624287f19691958c30f583632b4a83be

      SHA256

      cb976e54d3ae22af54a13f56c4aa885aca38c78990b95b118d67a694ae4ce221

      SHA512

      4a74b05ce98df4aca09ca7d7414279aff25ed9f5ae6ec632204281ee9d9bf141c02cb50fb4bf629c165fe3bdf7ae5dcb6f0c48d715e384751adad1e941fc8273

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\_av_iup.tm~a01656\servers.def
      Filesize

      15KB

      MD5

      16aef26a5ca92e7314a3c98b2c5667ec

      SHA1

      81c8c23181323b09ee1ccfbd6aa7a5c433b890bb

      SHA256

      e7f778dea1137ce873416388232ced3329b4d12d8b9a1772fb1de404d7919ea2

      SHA512

      4e39245720d633f0535e947237c2e611239f150cc8162a67c8dc3a8be6b6d5a12cf0542fd04769c7129aa174117ebb0f877d94477179327bb7ab605fb2a67375

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\_av_iup.tm~a01656\servers.def.vpx
      Filesize

      1KB

      MD5

      aeac181ec0aa935dfc43856703b535fc

      SHA1

      548aff7cc3e14c2ab9bf784332b2ab93bcc7099c

      SHA256

      c96fcce5065c022d7a8ad4a0f51a740583d16a398d3511a2521bc32f04a1fc6a

      SHA512

      8d11608b966216bdae6285aff48ef9aa1d2cbcacdbf36600f3b9698bf0e9ea50bfb3c6ab73159f530de0d74d4ed271488b01f91710ca7843eeb98594138f704e

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\EK8Z9G7H.txt
      Filesize

      603B

      MD5

      0cbc84751fbeef636abfb6f5063e8792

      SHA1

      85183bf551d1d36f13da26ca4bcc0b71e3214d56

      SHA256

      1508cb1b0bb16801b1803646999c7fa8011e54abd822ef13b76f057e5ed40a17

      SHA512

      72ad62d2b133a20511e20af23a427c2b4d1912ed4a5f20a29d3ce7a09f74b7d9ccd3b4d7e8408a9ec7cc5b3911589ac221643bfb727b070e72d84b82cc985fbd

      Download Submit
    • C:\avast_free_antivirus_setup_online.exe
      Filesize

      4.6MB

      MD5

      4af4d1d156df61fc7364d1193862a068

      SHA1

      5810199150ca3f0664cdbb28e27a01a8ed2de4ff

      SHA256

      8ec99abde77997b132be9ed13d8c927428754bf95f49c0167b42427df83c7c3c

      SHA512

      1fcc72b652e084294d9a4b425d58826bc2b777f168f238761da819a5dd2f05847360adab1da4b65487f6d5cf1095344b5b0f1fea6bd233cab642699d069d66d7

      Download Submit
    • C:\avast_free_antivirus_setup_online.exe
      Filesize

      4.6MB

      MD5

      4af4d1d156df61fc7364d1193862a068

      SHA1

      5810199150ca3f0664cdbb28e27a01a8ed2de4ff

      SHA256

      8ec99abde77997b132be9ed13d8c927428754bf95f49c0167b42427df83c7c3c

      SHA512

      1fcc72b652e084294d9a4b425d58826bc2b777f168f238761da819a5dd2f05847360adab1da4b65487f6d5cf1095344b5b0f1fea6bd233cab642699d069d66d7

      Download Submit
    • C:\crack avast.exe
      Filesize

      46KB

      MD5

      e079e9f1e4546e1d06d9f620e74a22b5

      SHA1

      b7704ae276c4b76f33799b533f4df83f3f81494a

      SHA256

      c0916ec3cd6555759e285e3f24056e7338e3e331a8b04b14d2a10c64ff4c16e5

      SHA512

      07b95f49138fa49e0694bbd4badacbc088013a74e8bbdfcb6e20743b5bd37153791179e892f5f90e8bd457da9f60f21ee32b3d2b8138f5d669d7fb7aaff9ded7

      Download Submit
    • C:\crack avast.exe
      Filesize

      46KB

      MD5

      e079e9f1e4546e1d06d9f620e74a22b5

      SHA1

      b7704ae276c4b76f33799b533f4df83f3f81494a

      SHA256

      c0916ec3cd6555759e285e3f24056e7338e3e331a8b04b14d2a10c64ff4c16e5

      SHA512

      07b95f49138fa49e0694bbd4badacbc088013a74e8bbdfcb6e20743b5bd37153791179e892f5f90e8bd457da9f60f21ee32b3d2b8138f5d669d7fb7aaff9ded7

      Download Submit
    • C:\crack avast.exe
      Filesize

      46KB

      MD5

      e079e9f1e4546e1d06d9f620e74a22b5

      SHA1

      b7704ae276c4b76f33799b533f4df83f3f81494a

      SHA256

      c0916ec3cd6555759e285e3f24056e7338e3e331a8b04b14d2a10c64ff4c16e5

      SHA512

      07b95f49138fa49e0694bbd4badacbc088013a74e8bbdfcb6e20743b5bd37153791179e892f5f90e8bd457da9f60f21ee32b3d2b8138f5d669d7fb7aaff9ded7

      Download Submit
    • \Users\Admin\AppData\Local\Temp\_av_iup.tm~a01656\HTMLayout.dll
      Filesize

      3.0MB

      MD5

      a9ff57ec69f8c593aa3712b3c8f02002

      SHA1

      00595f6c7ab499a4034fe9008a7fcc080f319b78

      SHA256

      880e429951d21fe28e2a644b40c267cdf590321ee5eeac3b3eb56547746bf65f

      SHA512

      b5a755bd0a80454b61df8b9c362e2814bde8b1e6252a6dabdb33368bc526cd00f055db942953d6b0bff59ba3bbacbd9d0d7dfa4107de5731d402f5479909001f

      Download Submit
    • \Users\Admin\AppData\Local\Temp\_av_iup.tm~a01656\HTMLayout.dll
      Filesize

      3.0MB

      MD5

      a9ff57ec69f8c593aa3712b3c8f02002

      SHA1

      00595f6c7ab499a4034fe9008a7fcc080f319b78

      SHA256

      880e429951d21fe28e2a644b40c267cdf590321ee5eeac3b3eb56547746bf65f

      SHA512

      b5a755bd0a80454b61df8b9c362e2814bde8b1e6252a6dabdb33368bc526cd00f055db942953d6b0bff59ba3bbacbd9d0d7dfa4107de5731d402f5479909001f

      Download Submit
    • \Users\Admin\AppData\Local\Temp\_av_iup.tm~a01656\HTMLayout.dll
      Filesize

      3.0MB

      MD5

      a9ff57ec69f8c593aa3712b3c8f02002

      SHA1

      00595f6c7ab499a4034fe9008a7fcc080f319b78

      SHA256

      880e429951d21fe28e2a644b40c267cdf590321ee5eeac3b3eb56547746bf65f

      SHA512

      b5a755bd0a80454b61df8b9c362e2814bde8b1e6252a6dabdb33368bc526cd00f055db942953d6b0bff59ba3bbacbd9d0d7dfa4107de5731d402f5479909001f

      Download Submit
    • \Users\Admin\AppData\Local\Temp\_av_iup.tm~a01656\HTMLayout.dll
      Filesize

      3.0MB

      MD5

      a9ff57ec69f8c593aa3712b3c8f02002

      SHA1

      00595f6c7ab499a4034fe9008a7fcc080f319b78

      SHA256

      880e429951d21fe28e2a644b40c267cdf590321ee5eeac3b3eb56547746bf65f

      SHA512

      b5a755bd0a80454b61df8b9c362e2814bde8b1e6252a6dabdb33368bc526cd00f055db942953d6b0bff59ba3bbacbd9d0d7dfa4107de5731d402f5479909001f

      Download Submit
    • \Users\Admin\AppData\Local\Temp\_av_iup.tm~a01656\Instup.dll
      Filesize

      7.1MB

      MD5

      1a83fadd95e6c9b759db861616604d44

      SHA1

      ad9768d6e89be10943b7692b2a739c05ec145c4f

      SHA256

      9c3c3cb3f2a36e3483aaede6c6286690c38c7c124e98289b2d6a723fe78a32ec

      SHA512

      1817e9ff454e8145457045a21b8b3aeb9cc7242a8f93bf81a5aeeb30f047d3379c7ba48cd2965f86a598382e7879b314dffd242163536f886e8b6a3098496404

      Download Submit
    • \Users\Admin\AppData\Local\Temp\_av_iup.tm~a01656\instup.exe
      Filesize

      193KB

      MD5

      2080dcebe27d92f29aab5fcff77613a2

      SHA1

      c2cfe2952ffed46d37cd16dd5a005bbd940e4811

      SHA256

      ebbbb3e92b01f1f1ff6330affa7d8c281ab5bb9aee1c900f5cf1aaf1e6813e42

      SHA512

      e47395e5637d0e806a19e1038e13d6339f699708a97e47531d94c5cee68008eb243991ef808832cf4f6f95e7be058e08ba4c07b658abf0fc5b3d4ba0f53945f5

      Download Submit
    • memory/820-59-0x0000000000000000-mapping.dmp
      Download
    • memory/856-57-0x0000000075D01000-0x0000000075D03000-memory.dmp
      Filesize

      8KB

      Download
    • memory/884-56-0x0000000000000000-mapping.dmp
      Download
    • memory/940-58-0x0000000000000000-mapping.dmp
      Download
    • memory/1048-67-0x0000000000400000-0x000000000040C000-memory.dmp
      Filesize

      48KB

      Download
    • memory/1048-72-0x0000000000402000-0x0000000000407600-memory.dmp
      Filesize

      21KB

      Download
    • memory/1048-66-0x0000000000400000-0x000000000040C000-memory.dmp
      Filesize

      48KB

      Download
    • memory/1048-65-0x0000000000400000-0x000000000040C000-memory.dmp
      Filesize

      48KB

      Download
    • memory/1048-63-0x0000000000400000-0x000000000040C000-memory.dmp
      Filesize

      48KB

      Download
    • memory/1048-62-0x0000000000400000-0x000000000040C000-memory.dmp
      Filesize

      48KB

      Download
    • memory/1048-71-0x0000000000402000-0x0000000000407600-memory.dmp
      Filesize

      21KB

      Download
    • memory/1048-68-0x000000000040748E-mapping.dmp
      Download
    • memory/1220-79-0x0000000000000000-mapping.dmp
      Download
    • memory/1488-73-0x0000000000000000-mapping.dmp
      Download