njrat | 4e8166227e63a86c10b8f4aa1e5fd02ef5d790270b9c327e0a90aa53d93a8871

Analysis

max time kernel
298s
max time network
304s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06/03/2023, 10:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Result.exe
Size

27.0MB
MD5

68db8e556211b25f451df5220076465d
SHA1

bbb335a9e84179d90e22c621e5810b0407b43f81
SHA256

4e8166227e63a86c10b8f4aa1e5fd02ef5d790270b9c327e0a90aa53d93a8871
SHA512

584662aff115d8ef900c332c8c7b3b32fa89da596047f4888d68ad50b6049cffbaf63618439e1b3ea57225f5fc726721418a5a78e8ccfb6679629c5f899919de
SSDEEP

786432:y6He9kAkcpBsGfPE1lQDNVJTeAU1xlYqB59g:9HAkch0wNNU1oi9g

Score

10^/10

njrat hacked discovery evasion trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

Ni50Y3AuZXUubmdyb2suaW8Strik:MTYxNzM=

Mutex

e89b8a0d2b1e8bcffe78f90aaa27d773

Attributes

reg_key
e89b8a0d2b1e8bcffe78f90aaa27d773
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
1812	netsh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	Result.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	SlavaUkraine.exe

Drops startup file 6 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e89b8a0d2b1e8bcffe78f90aaa27d773Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e89b8a0d2b1e8bcffe78f90aaa27d773Windows Update.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe

Executes dropped EXE 4 IoCs

pid	Process
2524	SlavaUkraine.exe
1392	python-3.9.0-amd64.exe
220	python-3.9.0-amd64.exe
3856	server.exe

Loads dropped DLL 1 IoCs

pid	Process
220	python-3.9.0-amd64.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File created	C:\Windows\SysWOW64\Explower.exe	server.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3856	server.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3856	server.exe
Token: 33	3856	server.exe
Token: SeIncBasePriorityPrivilege	3856	server.exe
Token: 33	3856	server.exe
Token: SeIncBasePriorityPrivilege	3856	server.exe
Token: 33	3856	server.exe
Token: SeIncBasePriorityPrivilege	3856	server.exe
Token: 33	3856	server.exe
Token: SeIncBasePriorityPrivilege	3856	server.exe
Token: 33	3856	server.exe
Token: SeIncBasePriorityPrivilege	3856	server.exe
Token: 33	3856	server.exe
Token: SeIncBasePriorityPrivilege	3856	server.exe
Token: 33	3856	server.exe
Token: SeIncBasePriorityPrivilege	3856	server.exe
Token: 33	3856	server.exe
Token: SeIncBasePriorityPrivilege	3856	server.exe
Token: 33	3856	server.exe
Token: SeIncBasePriorityPrivilege	3856	server.exe
Token: 33	3856	server.exe
Token: SeIncBasePriorityPrivilege	3856	server.exe
Token: 33	3856	server.exe
Token: SeIncBasePriorityPrivilege	3856	server.exe
Token: 33	3856	server.exe
Token: SeIncBasePriorityPrivilege	3856	server.exe
Token: 33	3856	server.exe
Token: SeIncBasePriorityPrivilege	3856	server.exe
Token: 33	3856	server.exe
Token: SeIncBasePriorityPrivilege	3856	server.exe
Token: 33	3856	server.exe
Token: SeIncBasePriorityPrivilege	3856	server.exe
Token: 33	3856	server.exe
Token: SeIncBasePriorityPrivilege	3856	server.exe
Token: 33	3856	server.exe
Token: SeIncBasePriorityPrivilege	3856	server.exe
Token: 33	3856	server.exe
Token: SeIncBasePriorityPrivilege	3856	server.exe
Token: 33	3856	server.exe
Token: SeIncBasePriorityPrivilege	3856	server.exe
Token: 33	3856	server.exe
Token: SeIncBasePriorityPrivilege	3856	server.exe
Token: 33	3856	server.exe
Token: SeIncBasePriorityPrivilege	3856	server.exe
Token: 33	3856	server.exe
Token: SeIncBasePriorityPrivilege	3856	server.exe
Token: 33	3856	server.exe
Token: SeIncBasePriorityPrivilege	3856	server.exe
Token: 33	3856	server.exe
Token: SeIncBasePriorityPrivilege	3856	server.exe
Token: 33	3856	server.exe
Token: SeIncBasePriorityPrivilege	3856	server.exe
Token: 33	3856	server.exe
Token: SeIncBasePriorityPrivilege	3856	server.exe
Token: 33	3856	server.exe
Token: SeIncBasePriorityPrivilege	3856	server.exe
Token: 33	3856	server.exe
Token: SeIncBasePriorityPrivilege	3856	server.exe
Token: 33	3856	server.exe
Token: SeIncBasePriorityPrivilege	3856	server.exe
Token: 33	3856	server.exe
Token: SeIncBasePriorityPrivilege	3856	server.exe
Token: 33	3856	server.exe
Token: SeIncBasePriorityPrivilege	3856	server.exe
Token: 33	3856	server.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4776 wrote to memory of 2524	4776	Result.exe	86
PID 4776 wrote to memory of 2524	4776	Result.exe	86
PID 4776 wrote to memory of 2524	4776	Result.exe	86
PID 4776 wrote to memory of 1392	4776	Result.exe	87
PID 4776 wrote to memory of 1392	4776	Result.exe	87
PID 4776 wrote to memory of 1392	4776	Result.exe	87
PID 1392 wrote to memory of 220	1392	python-3.9.0-amd64.exe	88
PID 1392 wrote to memory of 220	1392	python-3.9.0-amd64.exe	88
PID 1392 wrote to memory of 220	1392	python-3.9.0-amd64.exe	88
PID 2524 wrote to memory of 3856	2524	SlavaUkraine.exe	89
PID 2524 wrote to memory of 3856	2524	SlavaUkraine.exe	89
PID 2524 wrote to memory of 3856	2524	SlavaUkraine.exe	89
PID 3856 wrote to memory of 1812	3856	server.exe	90
PID 3856 wrote to memory of 1812	3856	server.exe	90
PID 3856 wrote to memory of 1812	3856	server.exe	90

C:\Users\Admin\AppData\Local\Temp\Result.exe
"C:\Users\Admin\AppData\Local\Temp\Result.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4776
- C:\Users\Admin\AppData\Local\Temp\SlavaUkraine.exe
  "C:\Users\Admin\AppData\Local\Temp\SlavaUkraine.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2524
- - C:\Users\Admin\AppData\Roaming\server.exe
    "C:\Users\Admin\AppData\Roaming\server.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3856
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      PID:1812
- C:\Users\Admin\AppData\Local\Temp\python-3.9.0-amd64.exe
  "C:\Users\Admin\AppData\Local\Temp\python-3.9.0-amd64.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1392
- - C:\Windows\Temp\{12989375-D651-4FBF-9E25-7239EE3D56F5}\.cr\python-3.9.0-amd64.exe
    "C:\Windows\Temp\{12989375-D651-4FBF-9E25-7239EE3D56F5}\.cr\python-3.9.0-amd64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\python-3.9.0-amd64.exe" -burn.filehandle.attached=540 -burn.filehandle.self=692
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:220

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SlavaUkraine.exe

Filesize
93KB

MD5
d7be5544947e0a595732d63be98babba

SHA1
8f8e659323a8b16f7403a871cb98f6715f5ad812

SHA256
b8eadb4262d13438df2854a5630f69054ff2f826a8548d140c9d3d2adcc10dcf

SHA512
7b2868e1541ea60e6e6bd4172a406fa9a0bdf8a514d3310c31c465070ef90ccad2fd41f7434a48b305dcbe634813c06e596079278512bbb4973f5d7aa4348771

Download Submit
C:\Users\Admin\AppData\Local\Temp\SlavaUkraine.exe

Filesize
93KB

MD5
d7be5544947e0a595732d63be98babba

SHA1
8f8e659323a8b16f7403a871cb98f6715f5ad812

SHA256
b8eadb4262d13438df2854a5630f69054ff2f826a8548d140c9d3d2adcc10dcf

SHA512
7b2868e1541ea60e6e6bd4172a406fa9a0bdf8a514d3310c31c465070ef90ccad2fd41f7434a48b305dcbe634813c06e596079278512bbb4973f5d7aa4348771

Download Submit
C:\Users\Admin\AppData\Local\Temp\SlavaUkraine.exe

Filesize
93KB

MD5
d7be5544947e0a595732d63be98babba

SHA1
8f8e659323a8b16f7403a871cb98f6715f5ad812

SHA256
b8eadb4262d13438df2854a5630f69054ff2f826a8548d140c9d3d2adcc10dcf

SHA512
7b2868e1541ea60e6e6bd4172a406fa9a0bdf8a514d3310c31c465070ef90ccad2fd41f7434a48b305dcbe634813c06e596079278512bbb4973f5d7aa4348771

Download Submit
C:\Users\Admin\AppData\Local\Temp\python-3.9.0-amd64.exe

Filesize
26.9MB

MD5
b61a33dc28f13b561452f3089c87eb63

SHA1
5f29e7b435e0a08830b350f7388337d8b761bf72

SHA256
fd2e2c6612d43bb6b213b72fc53f07d73d99059fa72c96e44bde12e7815073ae

SHA512
2314bd18818aedf228c6c3b5c56f10cbb8d5b7ecd46efe3c048ff4e202098bf4515cbb92d2bff64c4a4b451b19f84dc544d649ca3b2336a2b8ec19bc7ecfb2af

Download Submit
C:\Users\Admin\AppData\Local\Temp\python-3.9.0-amd64.exe

Filesize
26.9MB

MD5
b61a33dc28f13b561452f3089c87eb63

SHA1
5f29e7b435e0a08830b350f7388337d8b761bf72

SHA256
fd2e2c6612d43bb6b213b72fc53f07d73d99059fa72c96e44bde12e7815073ae

SHA512
2314bd18818aedf228c6c3b5c56f10cbb8d5b7ecd46efe3c048ff4e202098bf4515cbb92d2bff64c4a4b451b19f84dc544d649ca3b2336a2b8ec19bc7ecfb2af

Download Submit
C:\Users\Admin\AppData\Local\Temp\python-3.9.0-amd64.exe

Filesize
26.9MB

MD5
b61a33dc28f13b561452f3089c87eb63

SHA1
5f29e7b435e0a08830b350f7388337d8b761bf72

SHA256
fd2e2c6612d43bb6b213b72fc53f07d73d99059fa72c96e44bde12e7815073ae

SHA512
2314bd18818aedf228c6c3b5c56f10cbb8d5b7ecd46efe3c048ff4e202098bf4515cbb92d2bff64c4a4b451b19f84dc544d649ca3b2336a2b8ec19bc7ecfb2af

Download Submit
C:\Users\Admin\AppData\Roaming\app

Filesize
4B

MD5
3eb8a6afa534fadc147aa70dea76e863

SHA1
03b827d99098f69c9f126679598f7166c99d1624

SHA256
d3d1d98df443947ab0b52378acbb5f5c21593677b45f0403b3831c93d8be7fca

SHA512
b9d20e1f18dd2dc9a71e436e5c27854196f1f8f0adfbf59aed9d70ab83b88c2c39958720508e87d98f8cb23dcb7bbaa81825406439edcc07b6d2ee310acd4327

Download Submit
C:\Users\Admin\AppData\Roaming\server.exe

Filesize
93KB

MD5
d7be5544947e0a595732d63be98babba

SHA1
8f8e659323a8b16f7403a871cb98f6715f5ad812

SHA256
b8eadb4262d13438df2854a5630f69054ff2f826a8548d140c9d3d2adcc10dcf

SHA512
7b2868e1541ea60e6e6bd4172a406fa9a0bdf8a514d3310c31c465070ef90ccad2fd41f7434a48b305dcbe634813c06e596079278512bbb4973f5d7aa4348771

Download Submit
C:\Users\Admin\AppData\Roaming\server.exe

Filesize
93KB

MD5
d7be5544947e0a595732d63be98babba

SHA1
8f8e659323a8b16f7403a871cb98f6715f5ad812

SHA256
b8eadb4262d13438df2854a5630f69054ff2f826a8548d140c9d3d2adcc10dcf

SHA512
7b2868e1541ea60e6e6bd4172a406fa9a0bdf8a514d3310c31c465070ef90ccad2fd41f7434a48b305dcbe634813c06e596079278512bbb4973f5d7aa4348771

Download Submit
C:\Windows\Temp\{12989375-D651-4FBF-9E25-7239EE3D56F5}\.cr\python-3.9.0-amd64.exe

Filesize
840KB

MD5
a24adfcbdaa879a7dd2eaa67787b5831

SHA1
f40afe160ef9576a6086e5c81de1bd606a8a865b

SHA256
3190473cfeecdd473e5033e7de30bf4045b6e84cdb04e6716e11a0631b58aad7

SHA512
67f93630f80e969a954c0fd4c7ac28fff768be9e6de8e2c946ed10498ebb8cf6e9e4535e9dac5311f884842f0f1792edf964941019208148ecd46594cb952083

Download Submit
C:\Windows\Temp\{12989375-D651-4FBF-9E25-7239EE3D56F5}\.cr\python-3.9.0-amd64.exe

Filesize
840KB

MD5
a24adfcbdaa879a7dd2eaa67787b5831

SHA1
f40afe160ef9576a6086e5c81de1bd606a8a865b

SHA256
3190473cfeecdd473e5033e7de30bf4045b6e84cdb04e6716e11a0631b58aad7

SHA512
67f93630f80e969a954c0fd4c7ac28fff768be9e6de8e2c946ed10498ebb8cf6e9e4535e9dac5311f884842f0f1792edf964941019208148ecd46594cb952083

Download Submit
C:\Windows\Temp\{5867350A-BC70-4FEC-B6BA-735AA7B29DA8}\.ba\PythonBA.dll

Filesize
600KB

MD5
51d3de5a5700330f407646cb7d36f8ff

SHA1
6e62dc7e9136d3e4934641dd9bbb74a13bf22a5d

SHA256
9c2b52d98ca2e10dfb6e1dd613757283e2c04054ab4be474b8ceacfbe994f14c

SHA512
af3183cfa33a934d5d2c3b2dd805de0a4123e48f2a53fdbf9494fbac87b60c415e18a9456c372f1bd96845f2a35393cb353d11cbb3466e0dc3d6a772f1f4569c

Download Submit
C:\Windows\Temp\{5867350A-BC70-4FEC-B6BA-735AA7B29DA8}\.ba\SideBar.png

Filesize
56KB

MD5
ca62a92ad5b307faeac640cd5eb460ed

SHA1
5edf8b5fc931648f77a2a131e4c733f1d31b548e

SHA256
f3109977125d4a3a3ffa17462cfc31799589f466a51d226d1d1f87df2f267627

SHA512
f7b3001a957f393298b0ff2aa08b400f8639f2f0487a34ac2a0e8d9519765ac92249185ebe45f907bc9d2f8556fdd39095c52f890330a35edf71ae49df32e27a

Download Submit
memory/2524-149-0x0000000000A80000-0x0000000000A90000-memory.dmp

Filesize
64KB

Download
memory/3856-221-0x0000000000A40000-0x0000000000A50000-memory.dmp

Filesize
64KB

Download
memory/3856-234-0x0000000000A40000-0x0000000000A50000-memory.dmp

Filesize
64KB

Download
memory/4776-154-0x0000000000400000-0x0000000001EFC000-memory.dmp

Filesize
27.0MB

Download