njrat | cab3b22f726935519d4631ff6a6868b27c84777a6b6b7f13c2ca3e75219e5131

General

Target

2953df90d219ace17c42cc15275899dc.exe
Size

1.1MB
MD5

2953df90d219ace17c42cc15275899dc
SHA1

bc42764a515d8b7dfb3a9f98c7f29fbd2b718daf
SHA256

cab3b22f726935519d4631ff6a6868b27c84777a6b6b7f13c2ca3e75219e5131
SHA512

dd2912f13460aaae250a23c3fb49e4631f81284dbc0126c0f4384b233b58110b342434cf0b439e7ed9e781f64407c7e0fc5fc5ee8cb6e41b57122e6d78c9c0fe
SSDEEP

24576:7ApjAeCv5BlblbBfn52l9CfGRHz/X+1WgeSzi+EK/d:7ApjADBK9CgLCWgeSOK1

Score

10^/10

njrat evasion trojan

Malware Config

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
1292	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	2953df90d219ace17c42cc15275899dc.exe

Executes dropped EXE 1 IoCs

pid	Process
4640	nursultan.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtSetInformationThreadHideFromDebugger 17 IoCs

pid	Process
2672	2953df90d219ace17c42cc15275899dc.exe
2672	2953df90d219ace17c42cc15275899dc.exe
4640	nursultan.exe
4640	nursultan.exe
4640	nursultan.exe
4640	nursultan.exe
4640	nursultan.exe
4640	nursultan.exe
4640	nursultan.exe
4640	nursultan.exe
4640	nursultan.exe
4640	nursultan.exe
4640	nursultan.exe
4640	nursultan.exe
4640	nursultan.exe
4640	nursultan.exe
4640	nursultan.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: SeDebugPrivilege	4640	nursultan.exe
Token: 33	4640	nursultan.exe
Token: SeIncBasePriorityPrivilege	4640	nursultan.exe
Token: 33	4640	nursultan.exe
Token: SeIncBasePriorityPrivilege	4640	nursultan.exe
Token: 33	4640	nursultan.exe
Token: SeIncBasePriorityPrivilege	4640	nursultan.exe
Token: 33	4640	nursultan.exe
Token: SeIncBasePriorityPrivilege	4640	nursultan.exe
Token: 33	4640	nursultan.exe
Token: SeIncBasePriorityPrivilege	4640	nursultan.exe
Token: 33	4640	nursultan.exe
Token: SeIncBasePriorityPrivilege	4640	nursultan.exe
Token: 33	4640	nursultan.exe
Token: SeIncBasePriorityPrivilege	4640	nursultan.exe
Token: 33	4640	nursultan.exe
Token: SeIncBasePriorityPrivilege	4640	nursultan.exe
Token: 33	4640	nursultan.exe
Token: SeIncBasePriorityPrivilege	4640	nursultan.exe
Token: 33	4640	nursultan.exe
Token: SeIncBasePriorityPrivilege	4640	nursultan.exe
Token: 33	4640	nursultan.exe
Token: SeIncBasePriorityPrivilege	4640	nursultan.exe
Token: 33	4640	nursultan.exe
Token: SeIncBasePriorityPrivilege	4640	nursultan.exe
Token: 33	4640	nursultan.exe
Token: SeIncBasePriorityPrivilege	4640	nursultan.exe
Token: 33	4640	nursultan.exe
Token: SeIncBasePriorityPrivilege	4640	nursultan.exe
Token: 33	4640	nursultan.exe
Token: SeIncBasePriorityPrivilege	4640	nursultan.exe
Token: 33	4640	nursultan.exe
Token: SeIncBasePriorityPrivilege	4640	nursultan.exe
Token: 33	4640	nursultan.exe
Token: SeIncBasePriorityPrivilege	4640	nursultan.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2672	2953df90d219ace17c42cc15275899dc.exe
4640	nursultan.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2672 wrote to memory of 4640	2672	2953df90d219ace17c42cc15275899dc.exe	90
PID 2672 wrote to memory of 4640	2672	2953df90d219ace17c42cc15275899dc.exe	90
PID 2672 wrote to memory of 4640	2672	2953df90d219ace17c42cc15275899dc.exe	90
PID 4640 wrote to memory of 1292	4640	nursultan.exe	93
PID 4640 wrote to memory of 1292	4640	nursultan.exe	93
PID 4640 wrote to memory of 1292	4640	nursultan.exe	93

C:\Users\Admin\AppData\Local\Temp\2953df90d219ace17c42cc15275899dc.exe
"C:\Users\Admin\AppData\Local\Temp\2953df90d219ace17c42cc15275899dc.exe"
1⤵
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2672
- C:\Users\Admin\AppData\Roaming\nursultan.exe
  "C:\Users\Admin\AppData\Roaming\nursultan.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4640
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\nursultan.exe" "nursultan.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    PID:1292

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Web Service

1

T1102

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\nursultan.exe

Filesize
1.1MB

MD5
2953df90d219ace17c42cc15275899dc

SHA1
bc42764a515d8b7dfb3a9f98c7f29fbd2b718daf

SHA256
cab3b22f726935519d4631ff6a6868b27c84777a6b6b7f13c2ca3e75219e5131

SHA512
dd2912f13460aaae250a23c3fb49e4631f81284dbc0126c0f4384b233b58110b342434cf0b439e7ed9e781f64407c7e0fc5fc5ee8cb6e41b57122e6d78c9c0fe

Download Submit
C:\Users\Admin\AppData\Roaming\nursultan.exe

Filesize
1.1MB

MD5
2953df90d219ace17c42cc15275899dc

SHA1
bc42764a515d8b7dfb3a9f98c7f29fbd2b718daf

SHA256
cab3b22f726935519d4631ff6a6868b27c84777a6b6b7f13c2ca3e75219e5131

SHA512
dd2912f13460aaae250a23c3fb49e4631f81284dbc0126c0f4384b233b58110b342434cf0b439e7ed9e781f64407c7e0fc5fc5ee8cb6e41b57122e6d78c9c0fe

Download Submit
C:\Users\Admin\AppData\Roaming\nursultan.exe

Filesize
1.1MB

MD5
2953df90d219ace17c42cc15275899dc

SHA1
bc42764a515d8b7dfb3a9f98c7f29fbd2b718daf

SHA256
cab3b22f726935519d4631ff6a6868b27c84777a6b6b7f13c2ca3e75219e5131

SHA512
dd2912f13460aaae250a23c3fb49e4631f81284dbc0126c0f4384b233b58110b342434cf0b439e7ed9e781f64407c7e0fc5fc5ee8cb6e41b57122e6d78c9c0fe

Download Submit
memory/2672-133-0x00000000004A0000-0x0000000000810000-memory.dmp

Filesize
3.4MB

Download
memory/2672-134-0x00000000034F0000-0x0000000003500000-memory.dmp

Filesize
64KB

Download
memory/2672-145-0x00000000004A0000-0x0000000000810000-memory.dmp

Filesize
3.4MB

Download
memory/4640-146-0x0000000003330000-0x0000000003340000-memory.dmp

Filesize
64KB

Download
memory/4640-147-0x00000000001F0000-0x0000000000560000-memory.dmp

Filesize
3.4MB

Download
memory/4640-149-0x0000000003330000-0x0000000003340000-memory.dmp

Filesize
64KB

Download
memory/4640-150-0x00000000001F0000-0x0000000000560000-memory.dmp

Filesize
3.4MB

Download

Analysis

Sharing