njrat | b789d984abae7c36f9b71ae421e8c05602728d7a0ec0b3742632eb819fb661f8

Resubmissions

20-02-2023 15:51

230220-tavqrsbe76 10

Analysis

max time kernel
45s
max time network
45s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
20-02-2023 15:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BlitzedGrabber.exe
Size

2.3MB
MD5

e26786b1e73c9012aa5a395f5b539157
SHA1

6e1ebc73f642c21068f790b8574cced1f51becde
SHA256

b789d984abae7c36f9b71ae421e8c05602728d7a0ec0b3742632eb819fb661f8
SHA512

3e01078509597336b655adbf1428a4c90d7db8eff5e89c7de2a670995ea738550f4571ad9ff72edcd7c0fb08db77dce322ce02292269858119cf97f30f660d99
SSDEEP

24576:UoFnrj/BLDrrP9rkccneVkGpEwDN9fQbnOwqi0oTl7Q0aRtsDsfHQ+EgZC/IioEt:UoF/BNrJAGaWrNbJMlk0aAWHzLZCq96

Score

10^/10

njrat mybot agilenet evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

v4.0

Botnet

MyBot

winter-rd.at.ply.gg:26394

Mutex

Windows

Attributes

reg_key
Windows
splitter
|-F-|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

1180 netsh.exe

pid	process
1180	netsh.exe

Drops startup file 2 IoCs

Processes:

paylod.exeBlitzedGrabber.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	paylod.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	BlitzedGrabber.exe

Executes dropped EXE 3 IoCs

Processes:

paylod.exeCustomEXE.exeBlitzedGrabber.exe

pid process

1496 paylod.exe
752 CustomEXE.exe
1900 BlitzedGrabber.exe
Loads dropped DLL 6 IoCs

Processes:

BlitzedGrabber.exeCustomEXE.exepaylod.exe

pid process

1536 BlitzedGrabber.exe
1536 BlitzedGrabber.exe
1536 BlitzedGrabber.exe
752 CustomEXE.exe
1496 paylod.exe
1496 paylod.exe

pid	process
1496	paylod.exe
752	CustomEXE.exe
1900	BlitzedGrabber.exe

pid	process
1536	BlitzedGrabber.exe
1536	BlitzedGrabber.exe
1536	BlitzedGrabber.exe
752	CustomEXE.exe
1496	paylod.exe
1496	paylod.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/752-69-0x0000000004F60000-0x0000000005152000-memory.dmp	agile_net

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

paylod.exeBlitzedGrabber.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\BlitzedGrabber.exe"	paylod.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	BlitzedGrabber.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	BlitzedGrabber.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	BlitzedGrabber.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	BlitzedGrabber.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

588 PING.EXE

pid	process
588	PING.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

BlitzedGrabber.exe

description	pid	process
Token: SeDebugPrivilege	1900	BlitzedGrabber.exe
Token: 33	1900	BlitzedGrabber.exe
Token: SeIncBasePriorityPrivilege	1900	BlitzedGrabber.exe
Token: 33	1900	BlitzedGrabber.exe
Token: SeIncBasePriorityPrivilege	1900	BlitzedGrabber.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

CustomEXE.exe

pid process

752 CustomEXE.exe
752 CustomEXE.exe

pid	process
752	CustomEXE.exe
752	CustomEXE.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

BlitzedGrabber.exepaylod.exeBlitzedGrabber.execmd.exe

description	pid	process	target process
PID 1536 wrote to memory of 1496	1536	BlitzedGrabber.exe	paylod.exe
PID 1536 wrote to memory of 1496	1536	BlitzedGrabber.exe	paylod.exe
PID 1536 wrote to memory of 1496	1536	BlitzedGrabber.exe	paylod.exe
PID 1536 wrote to memory of 1496	1536	BlitzedGrabber.exe	paylod.exe
PID 1536 wrote to memory of 752	1536	BlitzedGrabber.exe	CustomEXE.exe
PID 1536 wrote to memory of 752	1536	BlitzedGrabber.exe	CustomEXE.exe
PID 1536 wrote to memory of 752	1536	BlitzedGrabber.exe	CustomEXE.exe
PID 1536 wrote to memory of 752	1536	BlitzedGrabber.exe	CustomEXE.exe
PID 1496 wrote to memory of 1900	1496	paylod.exe	BlitzedGrabber.exe
PID 1496 wrote to memory of 1900	1496	paylod.exe	BlitzedGrabber.exe
PID 1496 wrote to memory of 1900	1496	paylod.exe	BlitzedGrabber.exe
PID 1496 wrote to memory of 1900	1496	paylod.exe	BlitzedGrabber.exe
PID 1496 wrote to memory of 1616	1496	paylod.exe	attrib.exe
PID 1496 wrote to memory of 1616	1496	paylod.exe	attrib.exe
PID 1496 wrote to memory of 1616	1496	paylod.exe	attrib.exe
PID 1496 wrote to memory of 1616	1496	paylod.exe	attrib.exe
PID 1900 wrote to memory of 1180	1900	BlitzedGrabber.exe	netsh.exe
PID 1900 wrote to memory of 1180	1900	BlitzedGrabber.exe	netsh.exe
PID 1900 wrote to memory of 1180	1900	BlitzedGrabber.exe	netsh.exe
PID 1900 wrote to memory of 1180	1900	BlitzedGrabber.exe	netsh.exe
PID 1900 wrote to memory of 1120	1900	BlitzedGrabber.exe	cmd.exe
PID 1900 wrote to memory of 1120	1900	BlitzedGrabber.exe	cmd.exe
PID 1900 wrote to memory of 1120	1900	BlitzedGrabber.exe	cmd.exe
PID 1900 wrote to memory of 1120	1900	BlitzedGrabber.exe	cmd.exe
PID 1120 wrote to memory of 588	1120	cmd.exe	PING.EXE
PID 1120 wrote to memory of 588	1120	cmd.exe	PING.EXE
PID 1120 wrote to memory of 588	1120	cmd.exe	PING.EXE
PID 1120 wrote to memory of 588	1120	cmd.exe	PING.EXE

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

1616 attrib.exe

pid	process
1616	attrib.exe

C:\Users\Admin\AppData\Local\Temp\BlitzedGrabber.exe
"C:\Users\Admin\AppData\Local\Temp\BlitzedGrabber.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1536

C:\Users\Admin\AppData\Local\Temp\paylod.exe
"C:\Users\Admin\AppData\Local\Temp\paylod.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1496

C:\Users\Admin\AppData\Roaming\BlitzedGrabber.exe
"C:\Users\Admin\AppData\Roaming\BlitzedGrabber.exe"
3⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1900

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\BlitzedGrabber.exe"
4⤵
- Modifies Windows Firewall
PID:1180

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c ping 0 -n 2 & del "C:\Users\Admin\AppData\Roaming\BlitzedGrabber.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:1120

C:\Windows\SysWOW64\PING.EXE
ping 0 -n 2
5⤵
- Runs ping.exe
PID:588

C:\Windows\SysWOW64\attrib.exe
attrib +h +r +s "C:\Users\Admin\AppData\Roaming\BlitzedGrabber.exe"
3⤵
- Views/modifies file attributes
PID:1616

C:\Users\Admin\AppData\Local\Temp\CustomEXE.exe
"C:\Users\Admin\AppData\Local\Temp\CustomEXE.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:752

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CustomEXE.exe
Filesize
1.6MB

MD5
228a69dc15032fd0fb7100ff8561185e

SHA1
f8dbc89fed8078da7f306cb78b92ce04a0bdeb00

SHA256
920bec9d500f6446b84399ab4c84858d0f0d7d1abb2e0377399ebbc4bafad709

SHA512
373621c4743fa72571b3c8375aa6f7852303a821558b016b002d2af07154787d978f66696db89eeed8fe41f4aed5d66b690d4f87469939f9b1dea2ac2b9101f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\CustomEXE.exe
Filesize
1.6MB

MD5
228a69dc15032fd0fb7100ff8561185e

SHA1
f8dbc89fed8078da7f306cb78b92ce04a0bdeb00

SHA256
920bec9d500f6446b84399ab4c84858d0f0d7d1abb2e0377399ebbc4bafad709

SHA512
373621c4743fa72571b3c8375aa6f7852303a821558b016b002d2af07154787d978f66696db89eeed8fe41f4aed5d66b690d4f87469939f9b1dea2ac2b9101f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\paylod.exe
Filesize
26KB

MD5
087825a9bbd97611aea7189792428793

SHA1
0e8a47b7de1c4767359ed493862477355e3a41b0

SHA256
0cb0d61f335b32fd1b76d55a329b10b61824549b797833e9a32e4a48209b7a61

SHA512
0e24b126b1ce17ddbd29e7ce1d673377cff1dd777bd1134669bf659830be29eb2c5ffc971b277182ffca80512a9aa5b9dbff3c7ed78f007cdb206ed142de349f

Download Submit
C:\Users\Admin\AppData\Local\Temp\paylod.exe
Filesize
26KB

MD5
087825a9bbd97611aea7189792428793

SHA1
0e8a47b7de1c4767359ed493862477355e3a41b0

SHA256
0cb0d61f335b32fd1b76d55a329b10b61824549b797833e9a32e4a48209b7a61

SHA512
0e24b126b1ce17ddbd29e7ce1d673377cff1dd777bd1134669bf659830be29eb2c5ffc971b277182ffca80512a9aa5b9dbff3c7ed78f007cdb206ed142de349f

Download Submit
C:\Users\Admin\AppData\Roaming\BlitzedGrabber.exe
Filesize
26KB

MD5
087825a9bbd97611aea7189792428793

SHA1
0e8a47b7de1c4767359ed493862477355e3a41b0

SHA256
0cb0d61f335b32fd1b76d55a329b10b61824549b797833e9a32e4a48209b7a61

SHA512
0e24b126b1ce17ddbd29e7ce1d673377cff1dd777bd1134669bf659830be29eb2c5ffc971b277182ffca80512a9aa5b9dbff3c7ed78f007cdb206ed142de349f

Download Submit
C:\Users\Admin\AppData\Roaming\BlitzedGrabber.exe
Filesize
26KB

MD5
087825a9bbd97611aea7189792428793

SHA1
0e8a47b7de1c4767359ed493862477355e3a41b0

SHA256
0cb0d61f335b32fd1b76d55a329b10b61824549b797833e9a32e4a48209b7a61

SHA512
0e24b126b1ce17ddbd29e7ce1d673377cff1dd777bd1134669bf659830be29eb2c5ffc971b277182ffca80512a9aa5b9dbff3c7ed78f007cdb206ed142de349f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk
Filesize
1KB

MD5
c6e2ca12703923f0cb5c5715396f7818

SHA1
12fc03a3eb443498be241782dfd378fbb954aac2

SHA256
bee59644277e439d3d83baf400873eae6f29e06a5643b8f3b50618ae7b8c5f17

SHA512
11de53c3fbfb54c4af3e92a5b5b679930fb148e502fa1aebccfce25c9a47c2015cce274fbaa214b6e694195265326079cbb87a22a3e5dbbe19ca68c24036eaaf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk
Filesize
1018B

MD5
93cb514e5aee4c07439ca292550ecc2a

SHA1
eb97821bfc02e4d6124034d9f16f748c806c9c14

SHA256
ca3cd374a4c636a9050735de89c11f6eeeb10c0c5a676c22795789281967f667

SHA512
d8bfe7f321f9a62449d161848f493611fe08fc84e27260e4eb4ed14a15dca9ad7aff5be26222973eec9573ab1359306890daa146725e935d7c2d40599cd2d963

Download Submit
\Users\Admin\AppData\Local\Temp\CustomEXE.exe
Filesize
1.6MB

MD5
228a69dc15032fd0fb7100ff8561185e

SHA1
f8dbc89fed8078da7f306cb78b92ce04a0bdeb00

SHA256
920bec9d500f6446b84399ab4c84858d0f0d7d1abb2e0377399ebbc4bafad709

SHA512
373621c4743fa72571b3c8375aa6f7852303a821558b016b002d2af07154787d978f66696db89eeed8fe41f4aed5d66b690d4f87469939f9b1dea2ac2b9101f1

Download Submit
\Users\Admin\AppData\Local\Temp\dcfb00f9-5ae7-4197-ba59-e48107e40d35\GunaDotNetRT.dll
Filesize
136KB

MD5
9af5eb006bb0bab7f226272d82c896c7

SHA1
c2a5bb42a5f08f4dc821be374b700652262308f0

SHA256
77dc05a6bda90757f66552ee3f469b09f1e00732b4edca0f542872fb591ed9db

SHA512
7badd41be4c1039302fda9bba19d374ec9446ce24b7db33b66bee4ef38180d1abcd666d2aea468e7e452aa1e1565eedfefed582bf1c2fe477a4171d99d48772a

Download Submit
\Users\Admin\AppData\Local\Temp\paylod.exe
Filesize
26KB

MD5
087825a9bbd97611aea7189792428793

SHA1
0e8a47b7de1c4767359ed493862477355e3a41b0

SHA256
0cb0d61f335b32fd1b76d55a329b10b61824549b797833e9a32e4a48209b7a61

SHA512
0e24b126b1ce17ddbd29e7ce1d673377cff1dd777bd1134669bf659830be29eb2c5ffc971b277182ffca80512a9aa5b9dbff3c7ed78f007cdb206ed142de349f

Download Submit
\Users\Admin\AppData\Local\Temp\paylod.exe
Filesize
26KB

MD5
087825a9bbd97611aea7189792428793

SHA1
0e8a47b7de1c4767359ed493862477355e3a41b0

SHA256
0cb0d61f335b32fd1b76d55a329b10b61824549b797833e9a32e4a48209b7a61

SHA512
0e24b126b1ce17ddbd29e7ce1d673377cff1dd777bd1134669bf659830be29eb2c5ffc971b277182ffca80512a9aa5b9dbff3c7ed78f007cdb206ed142de349f

Download Submit
\Users\Admin\AppData\Roaming\BlitzedGrabber.exe
Filesize
26KB

MD5
087825a9bbd97611aea7189792428793

SHA1
0e8a47b7de1c4767359ed493862477355e3a41b0

SHA256
0cb0d61f335b32fd1b76d55a329b10b61824549b797833e9a32e4a48209b7a61

SHA512
0e24b126b1ce17ddbd29e7ce1d673377cff1dd777bd1134669bf659830be29eb2c5ffc971b277182ffca80512a9aa5b9dbff3c7ed78f007cdb206ed142de349f

Download Submit
\Users\Admin\AppData\Roaming\BlitzedGrabber.exe
Filesize
26KB

MD5
087825a9bbd97611aea7189792428793

SHA1
0e8a47b7de1c4767359ed493862477355e3a41b0

SHA256
0cb0d61f335b32fd1b76d55a329b10b61824549b797833e9a32e4a48209b7a61

SHA512
0e24b126b1ce17ddbd29e7ce1d673377cff1dd777bd1134669bf659830be29eb2c5ffc971b277182ffca80512a9aa5b9dbff3c7ed78f007cdb206ed142de349f

Download Submit
memory/588-87-0x0000000000000000-mapping.dmp

Download
memory/752-61-0x0000000000000000-mapping.dmp

Download
memory/752-84-0x0000000072740000-0x0000000072777000-memory.dmp

Filesize
220KB

Download
memory/752-73-0x00000000049C7000-0x00000000049D8000-memory.dmp

Filesize
68KB

Download
memory/752-71-0x0000000075390000-0x0000000075410000-memory.dmp

Filesize
512KB

Download
memory/752-69-0x0000000004F60000-0x0000000005152000-memory.dmp

Filesize
1.9MB

Download
memory/752-66-0x0000000000B20000-0x0000000000CCC000-memory.dmp

Filesize
1.7MB

Download
memory/752-72-0x0000000072740000-0x0000000072777000-memory.dmp

Filesize
220KB

Download
memory/1120-86-0x0000000000000000-mapping.dmp

Download
memory/1180-85-0x0000000000000000-mapping.dmp

Download
memory/1496-64-0x0000000000E20000-0x0000000000E2C000-memory.dmp

Filesize
48KB

Download
memory/1496-57-0x0000000000000000-mapping.dmp

Download
memory/1536-65-0x0000000074C10000-0x00000000751BB000-memory.dmp

Filesize
5.7MB

Download
memory/1536-54-0x0000000076581000-0x0000000076583000-memory.dmp

Filesize
8KB

Download
memory/1616-81-0x0000000000000000-mapping.dmp

Download
memory/1900-79-0x0000000000C00000-0x0000000000C0C000-memory.dmp

Filesize
48KB

Download
memory/1900-76-0x0000000000000000-mapping.dmp

Download