njrat | d02e88a87f99105730981411b3dc00838ba8f93f7fee5d2294820e44d38ff28c

General

Target

d02e88a87f99105730981411b3dc00838ba8f93f7fee5d2294820e44d38ff28c.exe
Size

240KB
MD5

b30fee632f6b18eb2ff5a49a4e5d7883
SHA1

550238b070088e906fa9ee2aa3477a1321498173
SHA256

d02e88a87f99105730981411b3dc00838ba8f93f7fee5d2294820e44d38ff28c
SHA512

28aae9d2412729144d757a489807cb8761abe5f0a93dd43ac3c41d6e03e8c5d67208feebcd421663fc794a26612e2554ed0f53ed583c45b1501e4e0748e8c826
SSDEEP

6144:de95/jDSDls2IN4vuSACO9yux887vyYlPEAOlfJO2EgFTuUB5aW:deyvKz92xhETUx

Score

10^/10

njrat hacked agilenet evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

127.0.0.1:5552

Mutex

279f6960ed84a752570aca7fb2dc1552

Attributes

reg_key
279f6960ed84a752570aca7fb2dc1552
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 1 IoCs

Processes:

Server.exe

pid process

4552 Server.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

3164 netsh.exe

pid	process
4552	Server.exe

pid	process
3164	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

d02e88a87f99105730981411b3dc00838ba8f93f7fee5d2294820e44d38ff28c.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	d02e88a87f99105730981411b3dc00838ba8f93f7fee5d2294820e44d38ff28c.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral2/memory/2132-132-0x00000000003B0000-0x00000000003BC000-memory.dmp	agile_net

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Server.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\279f6960ed84a752570aca7fb2dc1552 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Server.exe\" .."	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\279f6960ed84a752570aca7fb2dc1552 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Server.exe\" .."	Server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31000179"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3927030912"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40d4c4ef7306d901	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000eef4ddb70fa9964f8bf69d510f57c1eb0000000002000000000010660000000100002000000099032978ccb97b6cc46bbfe8df9b5978dc5a9432a50ddee8e241b6df7eaf36e7000000000e8000000002000020000000d5088093ff3423e831f8dcbc95c302b6d7ca7c937d964ea82804ec462e372fa1200000007510b383e8131ec64965f2ae8ecff44b94447a9d7063612230cd0f7c6323cab740000000d9ad58e44627556b6111bb79141ed918cd60a31665f7352c8c3853282a5ff9b48acadc1580bcc3402cf71a6151152e4e00a0e241e8928f999b42916726057638	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376164145"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000eef4ddb70fa9964f8bf69d510f57c1eb0000000002000000000010660000000100002000000049e4c902a95965a6fa225118de3f6d316b3f5ce731554d27e223176fe03657f8000000000e8000000002000020000000fc6e04168f5e5a74f504aad771b2df090737ca68740cadb726de27cdbc25867c20000000e0d14226a8cde7b33f2dfde1d8ac1bc606ea4b67f5b79beed1bd2c80cdfbf91340000000c1214810757b93a3fb41ce2870b6c4bbeebd0283c8d85a7ade43c210ac3b2db830acdc1b474940705b374170bad81e1283b92e6f6908b7254e61e471c9dd171d	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31000179"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c050eaf57306d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3927030912"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{122A1C8D-7267-11ED-BF5F-4EF50EB22100} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe

Modifies registry class 1 IoCs

Processes:

d02e88a87f99105730981411b3dc00838ba8f93f7fee5d2294820e44d38ff28c.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	d02e88a87f99105730981411b3dc00838ba8f93f7fee5d2294820e44d38ff28c.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

iexplore.exe

pid process

4048 iexplore.exe

pid	process
4048	iexplore.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

Processes:

d02e88a87f99105730981411b3dc00838ba8f93f7fee5d2294820e44d38ff28c.exeServer.exe

description	pid	process
Token: SeDebugPrivilege	2132	d02e88a87f99105730981411b3dc00838ba8f93f7fee5d2294820e44d38ff28c.exe
Token: SeDebugPrivilege	4552	Server.exe
Token: 33	4552	Server.exe
Token: SeIncBasePriorityPrivilege	4552	Server.exe
Token: 33	4552	Server.exe
Token: SeIncBasePriorityPrivilege	4552	Server.exe
Token: 33	4552	Server.exe
Token: SeIncBasePriorityPrivilege	4552	Server.exe
Token: 33	4552	Server.exe
Token: SeIncBasePriorityPrivilege	4552	Server.exe
Token: 33	4552	Server.exe
Token: SeIncBasePriorityPrivilege	4552	Server.exe
Token: 33	4552	Server.exe
Token: SeIncBasePriorityPrivilege	4552	Server.exe
Token: 33	4552	Server.exe
Token: SeIncBasePriorityPrivilege	4552	Server.exe
Token: 33	4552	Server.exe
Token: SeIncBasePriorityPrivilege	4552	Server.exe
Token: 33	4552	Server.exe
Token: SeIncBasePriorityPrivilege	4552	Server.exe
Token: 33	4552	Server.exe
Token: SeIncBasePriorityPrivilege	4552	Server.exe
Token: 33	4552	Server.exe
Token: SeIncBasePriorityPrivilege	4552	Server.exe
Token: 33	4552	Server.exe
Token: SeIncBasePriorityPrivilege	4552	Server.exe
Token: 33	4552	Server.exe
Token: SeIncBasePriorityPrivilege	4552	Server.exe
Token: 33	4552	Server.exe
Token: SeIncBasePriorityPrivilege	4552	Server.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

4048 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

4048 iexplore.exe
4048 iexplore.exe
2100 IEXPLORE.EXE
2100 IEXPLORE.EXE
2100 IEXPLORE.EXE
2100 IEXPLORE.EXE

pid	process
4048	iexplore.exe

pid	process
4048	iexplore.exe
4048	iexplore.exe
2100	IEXPLORE.EXE
2100	IEXPLORE.EXE
2100	IEXPLORE.EXE
2100	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

d02e88a87f99105730981411b3dc00838ba8f93f7fee5d2294820e44d38ff28c.exeiexplore.exeServer.exe

description	pid	process	target process
PID 2132 wrote to memory of 4552	2132	d02e88a87f99105730981411b3dc00838ba8f93f7fee5d2294820e44d38ff28c.exe	Server.exe
PID 2132 wrote to memory of 4552	2132	d02e88a87f99105730981411b3dc00838ba8f93f7fee5d2294820e44d38ff28c.exe	Server.exe
PID 2132 wrote to memory of 4552	2132	d02e88a87f99105730981411b3dc00838ba8f93f7fee5d2294820e44d38ff28c.exe	Server.exe
PID 2132 wrote to memory of 4048	2132	d02e88a87f99105730981411b3dc00838ba8f93f7fee5d2294820e44d38ff28c.exe	iexplore.exe
PID 2132 wrote to memory of 4048	2132	d02e88a87f99105730981411b3dc00838ba8f93f7fee5d2294820e44d38ff28c.exe	iexplore.exe
PID 4048 wrote to memory of 2100	4048	iexplore.exe	IEXPLORE.EXE
PID 4048 wrote to memory of 2100	4048	iexplore.exe	IEXPLORE.EXE
PID 4048 wrote to memory of 2100	4048	iexplore.exe	IEXPLORE.EXE
PID 4552 wrote to memory of 3164	4552	Server.exe	netsh.exe
PID 4552 wrote to memory of 3164	4552	Server.exe	netsh.exe
PID 4552 wrote to memory of 3164	4552	Server.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\d02e88a87f99105730981411b3dc00838ba8f93f7fee5d2294820e44d38ff28c.exe
"C:\Users\Admin\AppData\Local\Temp\d02e88a87f99105730981411b3dc00838ba8f93f7fee5d2294820e44d38ff28c.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2132

C:\Users\Admin\AppData\Local\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4552

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe" "Server.exe" ENABLE
3⤵
- Modifies Windows Firewall
PID:3164

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\صورة.gif
2⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4048

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4048 CREDAT:17410 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2100

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Server.exe
Filesize
23KB

MD5
b4ecb77429fd8fb0c2ad0b2e82b99a2a

SHA1
64c90eb7b4c8cf8585fee8950cf842a77546f561

SHA256
0be44ad34deda92d7ce2c7e0093c398606deec502327a9639cc7e574509677c0

SHA512
8333d34d6f9a3cce4fc6c265c5b2ed08839a4f3533b0fdb7fb46e735d64fc61278e226f1c5e67371b98f4b6fa48d33948dc3a04cd4bdee35d18fa4267bd455ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe
Filesize
23KB

MD5
b4ecb77429fd8fb0c2ad0b2e82b99a2a

SHA1
64c90eb7b4c8cf8585fee8950cf842a77546f561

SHA256
0be44ad34deda92d7ce2c7e0093c398606deec502327a9639cc7e574509677c0

SHA512
8333d34d6f9a3cce4fc6c265c5b2ed08839a4f3533b0fdb7fb46e735d64fc61278e226f1c5e67371b98f4b6fa48d33948dc3a04cd4bdee35d18fa4267bd455ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\صورة.gif
Filesize
59KB

MD5
741c4e52b72bf081956f2bad797af2b3

SHA1
f21726792e66c1b171e03b06fd3f6dcd2195bc28

SHA256
ba15f81908ea9cced0d302abbd863f2762dc000d192adcc2532a634c37a0570c

SHA512
48525d79274e84bdde118de182775624fcf6ea34b89dd612dfd990d5b4a5048d89f28daab8913afe42027423ed0616272f7ce5475c485318a3bfe05667a2a095

Download Submit
memory/2132-132-0x00000000003B0000-0x00000000003BC000-memory.dmp

Filesize
48KB

Download
memory/2132-133-0x00007FF80F140000-0x00007FF80FC01000-memory.dmp

Filesize
10.8MB

Download
memory/2132-136-0x00007FF80F140000-0x00007FF80FC01000-memory.dmp

Filesize
10.8MB

Download
memory/3164-141-0x0000000000000000-mapping.dmp

Download
memory/4552-134-0x0000000000000000-mapping.dmp

Download
memory/4552-138-0x0000000074FC0000-0x0000000075571000-memory.dmp

Filesize
5.7MB

Download
memory/4552-140-0x0000000074FC0000-0x0000000075571000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads