njrat | f2ed55cb985dc9394ae8460794150ddde3c2d1260945db5be187e4c8fd14e5a3

General

Target

f2ed55cb985dc9394ae8460794150ddde3c2d1260945db5be187e4c8fd14e5a3.exe
Size

852KB
MD5

9316bd73a66f56b9f4f64e34d0467e8d
SHA1

aeadf91b918546388e1a0995a29d09cf1ae766a7
SHA256

f2ed55cb985dc9394ae8460794150ddde3c2d1260945db5be187e4c8fd14e5a3
SHA512

1eb2535f2c6bf4b71fcd0efa345b9b04b5d77f391762967243282cb4908de4b67a05d8101e07bbc26fe66997169aec3beb0e3133a94e9b65a2e95f8077c4fb7b
SSDEEP

12288:zK2mhAMJ/cPl+tIQYVc5LWAg6rY9geN8h7UZYE82Y5UKUL4n4y3Xp3SbSl8g:22O/Gl+TnJW1h67g6zwm4m53Sb28g

Score

10^/10

njrat billy evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

BILLY

C2

yorkiepet.ddns.net:770

Mutex

76a35d262af152d236ee0f24e2916b15

Attributes

reg_key
76a35d262af152d236ee0f24e2916b15
splitter
|'|'|

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

msvoht.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	msvoht.exe

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 2 IoCs

Processes:

msvoht.exesvchost.exe

pid process

4896 msvoht.exe
3416 svchost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f2ed55cb985dc9394ae8460794150ddde3c2d1260945db5be187e4c8fd14e5a3.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	f2ed55cb985dc9394ae8460794150ddde3c2d1260945db5be187e4c8fd14e5a3.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msvoht.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\C:\Users\Admin\8G8MD9~1 = "C:\\Users\\Admin\\8G8MD9~1\\zffhsitfyanh.vbs"	msvoht.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	msvoht.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

msvoht.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA msvoht.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

msvoht.exe

description pid process target process

PID 4896 set thread context of 2180 4896 msvoht.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msvoht.exe

description	pid	process	target process
PID 4896 set thread context of 2180	4896	msvoht.exe	RegSvcs.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msvoht.exe

pid	process
4896	msvoht.exe
4896	msvoht.exe
4896	msvoht.exe
4896	msvoht.exe
4896	msvoht.exe
4896	msvoht.exe
4896	msvoht.exe
4896	msvoht.exe
4896	msvoht.exe
4896	msvoht.exe
4896	msvoht.exe
4896	msvoht.exe
4896	msvoht.exe
4896	msvoht.exe
4896	msvoht.exe
4896	msvoht.exe
4896	msvoht.exe
4896	msvoht.exe
4896	msvoht.exe
4896	msvoht.exe
4896	msvoht.exe
4896	msvoht.exe
4896	msvoht.exe
4896	msvoht.exe
4896	msvoht.exe
4896	msvoht.exe
4896	msvoht.exe
4896	msvoht.exe
4896	msvoht.exe
4896	msvoht.exe
4896	msvoht.exe
4896	msvoht.exe
4896	msvoht.exe
4896	msvoht.exe
4896	msvoht.exe
4896	msvoht.exe
4896	msvoht.exe
4896	msvoht.exe
4896	msvoht.exe
4896	msvoht.exe
4896	msvoht.exe
4896	msvoht.exe
4896	msvoht.exe
4896	msvoht.exe
4896	msvoht.exe
4896	msvoht.exe
4896	msvoht.exe
4896	msvoht.exe
4896	msvoht.exe
4896	msvoht.exe
4896	msvoht.exe
4896	msvoht.exe
4896	msvoht.exe
4896	msvoht.exe
4896	msvoht.exe
4896	msvoht.exe
4896	msvoht.exe
4896	msvoht.exe
4896	msvoht.exe
4896	msvoht.exe
4896	msvoht.exe
4896	msvoht.exe
4896	msvoht.exe
4896	msvoht.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

msvoht.exe

description	pid	process
Token: SeDebugPrivilege	4896	msvoht.exe
Token: SeDebugPrivilege	4896	msvoht.exe
Token: SeDebugPrivilege	4896	msvoht.exe
Token: SeDebugPrivilege	4896	msvoht.exe
Token: SeDebugPrivilege	4896	msvoht.exe
Token: SeDebugPrivilege	4896	msvoht.exe
Token: SeDebugPrivilege	4896	msvoht.exe
Token: SeDebugPrivilege	4896	msvoht.exe
Token: SeDebugPrivilege	4896	msvoht.exe
Token: SeDebugPrivilege	4896	msvoht.exe
Token: SeDebugPrivilege	4896	msvoht.exe
Token: SeDebugPrivilege	4896	msvoht.exe
Token: SeDebugPrivilege	4896	msvoht.exe
Token: SeDebugPrivilege	4896	msvoht.exe
Token: SeDebugPrivilege	4896	msvoht.exe
Token: SeDebugPrivilege	4896	msvoht.exe
Token: SeDebugPrivilege	4896	msvoht.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

f2ed55cb985dc9394ae8460794150ddde3c2d1260945db5be187e4c8fd14e5a3.exemsvoht.exeRegSvcs.exe

description	pid	process	target process
PID 4728 wrote to memory of 4896	4728	f2ed55cb985dc9394ae8460794150ddde3c2d1260945db5be187e4c8fd14e5a3.exe	msvoht.exe
PID 4728 wrote to memory of 4896	4728	f2ed55cb985dc9394ae8460794150ddde3c2d1260945db5be187e4c8fd14e5a3.exe	msvoht.exe
PID 4728 wrote to memory of 4896	4728	f2ed55cb985dc9394ae8460794150ddde3c2d1260945db5be187e4c8fd14e5a3.exe	msvoht.exe
PID 4896 wrote to memory of 2180	4896	msvoht.exe	RegSvcs.exe
PID 4896 wrote to memory of 2180	4896	msvoht.exe	RegSvcs.exe
PID 4896 wrote to memory of 2180	4896	msvoht.exe	RegSvcs.exe
PID 4896 wrote to memory of 2180	4896	msvoht.exe	RegSvcs.exe
PID 4896 wrote to memory of 2180	4896	msvoht.exe	RegSvcs.exe
PID 4896 wrote to memory of 2180	4896	msvoht.exe	RegSvcs.exe
PID 4896 wrote to memory of 2180	4896	msvoht.exe	RegSvcs.exe
PID 4896 wrote to memory of 2180	4896	msvoht.exe	RegSvcs.exe
PID 2180 wrote to memory of 3416	2180	RegSvcs.exe	svchost.exe
PID 2180 wrote to memory of 3416	2180	RegSvcs.exe	svchost.exe
PID 2180 wrote to memory of 3416	2180	RegSvcs.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\f2ed55cb985dc9394ae8460794150ddde3c2d1260945db5be187e4c8fd14e5a3.exe
"C:\Users\Admin\AppData\Local\Temp\f2ed55cb985dc9394ae8460794150ddde3c2d1260945db5be187e4c8fd14e5a3.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4728

C:\Users\Admin\8g8md9q55t9k8\msvoht.exe
"C:\Users\Admin\8g8md9q55t9k8\msvoht.exe" nzlmuc
2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4896

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:2180

C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
4⤵
- Executes dropped EXE
PID:3416

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\8G8MD9~1\run.vbs"
3⤵
PID:1660

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\8G8MD9~1\run.vbs"
3⤵
PID:4752

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

1

T1158

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\8G8MD9~1\jshvp.UNT
Filesize
230B

MD5
35b3cf90cee61304ff309c20704eb422

SHA1
72b771a97d39fdab15a70bc24fa31e25eeb0ab56

SHA256
e0eb8480787194877b9d8c0dea59400af9c41a3d99c9909ede2076f5596b1808

SHA512
f73df96afc8a40e8dbb2759c4c012596486e37159f0cb6b866d49d179422e4446a5dd62ce30596cccb0a50b3c558d8f17c081907d42c7c55577a9478e5a94d05

Download Submit
C:\Users\Admin\8G8MD9~1\yyiuyaz.UKC
Filesize
23KB

MD5
cbbf6902528ee0709dad67d3838ac5bd

SHA1
6f5f3739da42afdd55265d44e6f224fea75db0ce

SHA256
13f22712b2458f01efc9351368e980bc073a072d825eedcb2f2aa43f9be4cc11

SHA512
da8faace526c59a1706a3ad6d402752f2909fe110fe52cfc58f75d19743e3c4def5303a520b582e6b7985768a69f93e8171dc5f90df473d4ee0aebe207414e7c

Download Submit
C:\Users\Admin\8g8md9q55t9k8\msvoht.exe
Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
C:\Users\Admin\8g8md9q55t9k8\msvoht.exe
Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
C:\Users\Admin\8g8md9q55t9k8\nzlmuc
Filesize
132.4MB

MD5
07c9503bebabfe1b926c094e2cd0d6c5

SHA1
ae9b9a62584bd1488bcf8268cbb5124ca7d44795

SHA256
8fd639bf83ef6f5e5c083096e765241cbb268edcb252bf9eae7e0012f951ebd9

SHA512
3b42490c969e5ff37b95bf272bb0acfb40279e62560046b9b46a43c830a9eed1314e485f0ce219fd9411eba6936769128db83c318581f370be49ed90b8dfa911

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
Filesize
32KB

MD5
3a77a4f220612fa55118fb8d7ddae83c

SHA1
b96fa726fc84fd46d03dd3c32689f645e0422278

SHA256
2cd6aacd0ed0f477f62833b13b97c26135f436dc59b0b09d4515a6c13cfe6e1f

SHA512
33a9cfc23d49505d7f2e1af4299ea2e6ccbe36daccc81c3dafc9652b8259083da88ee67312035e88dcbc1a6d76ce2c13b6067b6dbcc2afd310b91d4ee737c94d

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
Filesize
32KB

MD5
3a77a4f220612fa55118fb8d7ddae83c

SHA1
b96fa726fc84fd46d03dd3c32689f645e0422278

SHA256
2cd6aacd0ed0f477f62833b13b97c26135f436dc59b0b09d4515a6c13cfe6e1f

SHA512
33a9cfc23d49505d7f2e1af4299ea2e6ccbe36daccc81c3dafc9652b8259083da88ee67312035e88dcbc1a6d76ce2c13b6067b6dbcc2afd310b91d4ee737c94d

Download Submit
memory/1660-146-0x0000000000000000-mapping.dmp

Download
memory/2180-138-0x0000000000000000-mapping.dmp

Download
memory/2180-139-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2180-140-0x0000000074290000-0x0000000074841000-memory.dmp

Filesize
5.7MB

Download
memory/2180-143-0x0000000074290000-0x0000000074841000-memory.dmp

Filesize
5.7MB

Download
memory/3416-141-0x0000000000000000-mapping.dmp

Download
memory/3416-145-0x0000000074290000-0x0000000074841000-memory.dmp

Filesize
5.7MB

Download
memory/4896-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads