njrat | deec6b6b69cbec63d25876628c13cedf96e9efccc7a043fe5dfaf2f6c3615f67

Analysis

max time kernel
44s
max time network
34s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
20-02-2023 13:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

12.exe
Size

2.3MB
MD5

03abd18550cc6a9d86e1b952b857ec6c
SHA1

22e6d070ebf2b35f53a025b734bc5bb504306607
SHA256

deec6b6b69cbec63d25876628c13cedf96e9efccc7a043fe5dfaf2f6c3615f67
SHA512

b98c39e80d200b3809778ae9b5d3113ff44c463fb18d6c4756f687d9e67c93256c2de86304399c6966715d3e29d99b8981da63a0d1f5095fe7cb15aa57b8f7da
SSDEEP

24576:z8oFnrj/BLDrrP9rkccneVkGpEwDN9fQbnOwqi0oTl7Q0aRtsDsfHQ+EgZC/Iio8:woF/BNrJAGaWrNbJMlk0aAWHzLZCq96

Score

10^/10

njrat mybot agilenet persistence trojan

Malware Config

Extracted

Family

njrat

Version

v4.0

Botnet

MyBot

winter-rd.at.ply.gg:26394

Mutex

Windows

Attributes

reg_key
Windows
splitter
|-F-|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Drops startup file 2 IoCs

Processes:

paylod.exePayload.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	paylod.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	Payload.exe

Executes dropped EXE 3 IoCs

Processes:

paylod.exeCustomEXE.exePayload.exe

pid process

1004 paylod.exe
1764 CustomEXE.exe
1680 Payload.exe
Loads dropped DLL 6 IoCs

Processes:

12.exeCustomEXE.exepaylod.exe

pid process

1932 12.exe
1932 12.exe
1932 12.exe
1764 CustomEXE.exe
1004 paylod.exe
1004 paylod.exe

pid	process
1004	paylod.exe
1764	CustomEXE.exe
1680	Payload.exe

pid	process
1932	12.exe
1932	12.exe
1932	12.exe
1764	CustomEXE.exe
1004	paylod.exe
1004	paylod.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/1764-69-0x0000000004F70000-0x0000000005162000-memory.dmp	agile_net

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

paylod.exePayload.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Payload.exe"	paylod.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	Payload.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	Payload.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	Payload.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	Payload.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

Payload.exe

description	pid	process
Token: SeDebugPrivilege	1680	Payload.exe
Token: 33	1680	Payload.exe
Token: SeIncBasePriorityPrivilege	1680	Payload.exe
Token: 33	1680	Payload.exe
Token: SeIncBasePriorityPrivilege	1680	Payload.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

CustomEXE.exe

pid process

1764 CustomEXE.exe
1764 CustomEXE.exe

pid	process
1764	CustomEXE.exe
1764	CustomEXE.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

12.exepaylod.exe

description	pid	process	target process
PID 1932 wrote to memory of 1004	1932	12.exe	paylod.exe
PID 1932 wrote to memory of 1004	1932	12.exe	paylod.exe
PID 1932 wrote to memory of 1004	1932	12.exe	paylod.exe
PID 1932 wrote to memory of 1004	1932	12.exe	paylod.exe
PID 1932 wrote to memory of 1764	1932	12.exe	CustomEXE.exe
PID 1932 wrote to memory of 1764	1932	12.exe	CustomEXE.exe
PID 1932 wrote to memory of 1764	1932	12.exe	CustomEXE.exe
PID 1932 wrote to memory of 1764	1932	12.exe	CustomEXE.exe
PID 1004 wrote to memory of 1680	1004	paylod.exe	Payload.exe
PID 1004 wrote to memory of 1680	1004	paylod.exe	Payload.exe
PID 1004 wrote to memory of 1680	1004	paylod.exe	Payload.exe
PID 1004 wrote to memory of 1680	1004	paylod.exe	Payload.exe
PID 1004 wrote to memory of 1692	1004	paylod.exe	attrib.exe
PID 1004 wrote to memory of 1692	1004	paylod.exe	attrib.exe
PID 1004 wrote to memory of 1692	1004	paylod.exe	attrib.exe
PID 1004 wrote to memory of 1692	1004	paylod.exe	attrib.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

1692 attrib.exe

pid	process
1692	attrib.exe

C:\Users\Admin\AppData\Local\Temp\12.exe
"C:\Users\Admin\AppData\Local\Temp\12.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1932

C:\Users\Admin\AppData\Local\Temp\paylod.exe
"C:\Users\Admin\AppData\Local\Temp\paylod.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1004

C:\Users\Admin\AppData\Roaming\Payload.exe
"C:\Users\Admin\AppData\Roaming\Payload.exe"
3⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:1680

C:\Windows\SysWOW64\attrib.exe
attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Payload.exe"
3⤵
- Views/modifies file attributes
PID:1692

C:\Users\Admin\AppData\Local\Temp\CustomEXE.exe
"C:\Users\Admin\AppData\Local\Temp\CustomEXE.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1764

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CustomEXE.exe
Filesize
1.6MB

MD5
228a69dc15032fd0fb7100ff8561185e

SHA1
f8dbc89fed8078da7f306cb78b92ce04a0bdeb00

SHA256
920bec9d500f6446b84399ab4c84858d0f0d7d1abb2e0377399ebbc4bafad709

SHA512
373621c4743fa72571b3c8375aa6f7852303a821558b016b002d2af07154787d978f66696db89eeed8fe41f4aed5d66b690d4f87469939f9b1dea2ac2b9101f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\CustomEXE.exe
Filesize
1.6MB

MD5
228a69dc15032fd0fb7100ff8561185e

SHA1
f8dbc89fed8078da7f306cb78b92ce04a0bdeb00

SHA256
920bec9d500f6446b84399ab4c84858d0f0d7d1abb2e0377399ebbc4bafad709

SHA512
373621c4743fa72571b3c8375aa6f7852303a821558b016b002d2af07154787d978f66696db89eeed8fe41f4aed5d66b690d4f87469939f9b1dea2ac2b9101f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\paylod.exe
Filesize
26KB

MD5
966a59574a110ede5ff4e489d278773a

SHA1
427b1088d83cd7528a7e13d81a9688ce6c2b5261

SHA256
940ae678064a838a8d85e539ab8a99e83b64d7337742d3180cb8c730808f9d5c

SHA512
480522397f317f6a1430c79025417297e0a6c095cbc83543dc31ee4ae17e482bbd8d2b12733bd39531668f16e23c38411b289b5c18cf0544a1d3b9fbe81a2b30

Download Submit
C:\Users\Admin\AppData\Local\Temp\paylod.exe
Filesize
26KB

MD5
966a59574a110ede5ff4e489d278773a

SHA1
427b1088d83cd7528a7e13d81a9688ce6c2b5261

SHA256
940ae678064a838a8d85e539ab8a99e83b64d7337742d3180cb8c730808f9d5c

SHA512
480522397f317f6a1430c79025417297e0a6c095cbc83543dc31ee4ae17e482bbd8d2b12733bd39531668f16e23c38411b289b5c18cf0544a1d3b9fbe81a2b30

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk
Filesize
1KB

MD5
570975d9b56607c9ef053a7acdb6e71f

SHA1
e23902be991e788130a868f93c58b4a687d8232e

SHA256
3155bcbd277e2d3d01b35dd7a17ae33bd4d36920072e90cd2dd5d52e90b20fd3

SHA512
662ca5eaaa450c53aefa9db41441c53e1fb9aa8829c6308dd79212cdab590a32f70f983de0b395307b5e7fc4d3b6ad3875bb4dde3d59870e66a4f41a078a9575

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk
Filesize
1022B

MD5
e8d64d301906c134b17c4047851915da

SHA1
3c9364e09abf4ec04477807ad8a00b307f58380c

SHA256
b3d019fddd107e30707f6f108af051d49a455abf7c8e8f9e4b49ffa032f0be22

SHA512
7c5daa8923576b6649d45c65b019d1f68dab36d44ace83756106447404927a809dbfd9309ffc4d776c30c2c5de3fe2b8de4677a8e5ad4ba2cf8d3287b4a92cf4

Download Submit
C:\Users\Admin\AppData\Roaming\Payload.exe
Filesize
26KB

MD5
966a59574a110ede5ff4e489d278773a

SHA1
427b1088d83cd7528a7e13d81a9688ce6c2b5261

SHA256
940ae678064a838a8d85e539ab8a99e83b64d7337742d3180cb8c730808f9d5c

SHA512
480522397f317f6a1430c79025417297e0a6c095cbc83543dc31ee4ae17e482bbd8d2b12733bd39531668f16e23c38411b289b5c18cf0544a1d3b9fbe81a2b30

Download Submit
C:\Users\Admin\AppData\Roaming\Payload.exe
Filesize
26KB

MD5
966a59574a110ede5ff4e489d278773a

SHA1
427b1088d83cd7528a7e13d81a9688ce6c2b5261

SHA256
940ae678064a838a8d85e539ab8a99e83b64d7337742d3180cb8c730808f9d5c

SHA512
480522397f317f6a1430c79025417297e0a6c095cbc83543dc31ee4ae17e482bbd8d2b12733bd39531668f16e23c38411b289b5c18cf0544a1d3b9fbe81a2b30

Download Submit
\Users\Admin\AppData\Local\Temp\CustomEXE.exe
Filesize
1.6MB

MD5
228a69dc15032fd0fb7100ff8561185e

SHA1
f8dbc89fed8078da7f306cb78b92ce04a0bdeb00

SHA256
920bec9d500f6446b84399ab4c84858d0f0d7d1abb2e0377399ebbc4bafad709

SHA512
373621c4743fa72571b3c8375aa6f7852303a821558b016b002d2af07154787d978f66696db89eeed8fe41f4aed5d66b690d4f87469939f9b1dea2ac2b9101f1

Download Submit
\Users\Admin\AppData\Local\Temp\dcfb00f9-5ae7-4197-ba59-e48107e40d35\GunaDotNetRT.dll
Filesize
136KB

MD5
9af5eb006bb0bab7f226272d82c896c7

SHA1
c2a5bb42a5f08f4dc821be374b700652262308f0

SHA256
77dc05a6bda90757f66552ee3f469b09f1e00732b4edca0f542872fb591ed9db

SHA512
7badd41be4c1039302fda9bba19d374ec9446ce24b7db33b66bee4ef38180d1abcd666d2aea468e7e452aa1e1565eedfefed582bf1c2fe477a4171d99d48772a

Download Submit
\Users\Admin\AppData\Local\Temp\paylod.exe
Filesize
26KB

MD5
966a59574a110ede5ff4e489d278773a

SHA1
427b1088d83cd7528a7e13d81a9688ce6c2b5261

SHA256
940ae678064a838a8d85e539ab8a99e83b64d7337742d3180cb8c730808f9d5c

SHA512
480522397f317f6a1430c79025417297e0a6c095cbc83543dc31ee4ae17e482bbd8d2b12733bd39531668f16e23c38411b289b5c18cf0544a1d3b9fbe81a2b30

Download Submit
\Users\Admin\AppData\Local\Temp\paylod.exe
Filesize
26KB

MD5
966a59574a110ede5ff4e489d278773a

SHA1
427b1088d83cd7528a7e13d81a9688ce6c2b5261

SHA256
940ae678064a838a8d85e539ab8a99e83b64d7337742d3180cb8c730808f9d5c

SHA512
480522397f317f6a1430c79025417297e0a6c095cbc83543dc31ee4ae17e482bbd8d2b12733bd39531668f16e23c38411b289b5c18cf0544a1d3b9fbe81a2b30

Download Submit
\Users\Admin\AppData\Roaming\Payload.exe
Filesize
26KB

MD5
966a59574a110ede5ff4e489d278773a

SHA1
427b1088d83cd7528a7e13d81a9688ce6c2b5261

SHA256
940ae678064a838a8d85e539ab8a99e83b64d7337742d3180cb8c730808f9d5c

SHA512
480522397f317f6a1430c79025417297e0a6c095cbc83543dc31ee4ae17e482bbd8d2b12733bd39531668f16e23c38411b289b5c18cf0544a1d3b9fbe81a2b30

Download Submit
\Users\Admin\AppData\Roaming\Payload.exe
Filesize
26KB

MD5
966a59574a110ede5ff4e489d278773a

SHA1
427b1088d83cd7528a7e13d81a9688ce6c2b5261

SHA256
940ae678064a838a8d85e539ab8a99e83b64d7337742d3180cb8c730808f9d5c

SHA512
480522397f317f6a1430c79025417297e0a6c095cbc83543dc31ee4ae17e482bbd8d2b12733bd39531668f16e23c38411b289b5c18cf0544a1d3b9fbe81a2b30

Download Submit
memory/1004-64-0x0000000001140000-0x000000000114C000-memory.dmp

Filesize
48KB

Download
memory/1004-57-0x0000000000000000-mapping.dmp

Download
memory/1680-80-0x0000000000090000-0x000000000009C000-memory.dmp

Filesize
48KB

Download
memory/1680-76-0x0000000000000000-mapping.dmp

Download
memory/1692-79-0x0000000000000000-mapping.dmp

Download
memory/1764-73-0x0000000000C67000-0x0000000000C78000-memory.dmp

Filesize
68KB

Download
memory/1764-72-0x0000000074240000-0x0000000074277000-memory.dmp

Filesize
220KB

Download
memory/1764-61-0x0000000000000000-mapping.dmp

Download
memory/1764-71-0x00000000754D0000-0x0000000075550000-memory.dmp

Filesize
512KB

Download
memory/1764-69-0x0000000004F70000-0x0000000005162000-memory.dmp

Filesize
1.9MB

Download
memory/1764-66-0x0000000000ED0000-0x000000000107C000-memory.dmp

Filesize
1.7MB

Download
memory/1764-84-0x0000000074240000-0x0000000074277000-memory.dmp

Filesize
220KB

Download
memory/1932-65-0x0000000074FB0000-0x000000007555B000-memory.dmp

Filesize
5.7MB

Download
memory/1932-54-0x0000000076181000-0x0000000076183000-memory.dmp

Filesize
8KB

Download