njrat | 4d24df74069820c16abba591228a42d81c20d3e56afa306b42d559073494a9ed

Analysis

max time kernel
150s
max time network
154s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
10-03-2023 14:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Redline Stealer 2022 Cracked/Kurome.Builder/builder.exe
Size

176KB
MD5

2bf414e4eead5821479afd1c48ca10fd
SHA1

ee27dbb4497e00c234820b0401009680b9739c39
SHA256

b4f45f5887e216c7cf4e3635ce16f770de2bcb82c66671bb0c19f0289b090494
SHA512

1837be8412fde13bffb050d6aefa8c78605dbd91660425b3d3b31629104dc9efdbce869fd0db6ac5b0b12d397c8cff5a197a97aff8ad27cbbbbdfc816f0c3f52
SSDEEP

3072:Y0taY/+zi0ZbYe1g0ujyzdLgJ2Be0XQx3:YAaYmG0Lahyd9

Score

10^/10

njrat redline sectoprat cheat hacked evasion infostealer persistence rat trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

172.93.231.202:5552

Mutex

b686448cd18e4753a57a179d9c102a12

Attributes

reg_key
b686448cd18e4753a57a179d9c102a12
splitter
|'|'|

Extracted

Family

redline

Botnet

cheat

127.0.0.1:1337

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\build.exe	family_redline
C:\Users\Admin\AppData\Roaming\build.exe	family_redline
behavioral12/memory/4304-128-0x00000000008B0000-0x00000000008CE000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\build.exe	family_sectoprat
C:\Users\Admin\AppData\Roaming\build.exe	family_sectoprat
behavioral12/memory/4304-128-0x00000000008B0000-0x00000000008CE000-memory.dmp	family_sectoprat

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

4504 netsh.exe

pid	process
4504	netsh.exe

Drops startup file 2 IoCs

Processes:

Server.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b686448cd18e4753a57a179d9c102a12.exe	Server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b686448cd18e4753a57a179d9c102a12.exe	Server.exe

Executes dropped EXE 2 IoCs

Processes:

Server.exebuild.exe

pid process

4264 Server.exe
4304 build.exe

pid	process
4264	Server.exe
4304	build.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Server.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Windows\CurrentVersion\Run\b686448cd18e4753a57a179d9c102a12 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Server.exe\" .."	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\b686448cd18e4753a57a179d9c102a12 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Server.exe\" .."	Server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 36 IoCs

Processes:

build.exeServer.exe

description	pid	process
Token: SeDebugPrivilege	4304	build.exe
Token: SeDebugPrivilege	4264	Server.exe
Token: 33	4264	Server.exe
Token: SeIncBasePriorityPrivilege	4264	Server.exe
Token: 33	4264	Server.exe
Token: SeIncBasePriorityPrivilege	4264	Server.exe
Token: 33	4264	Server.exe
Token: SeIncBasePriorityPrivilege	4264	Server.exe
Token: 33	4264	Server.exe
Token: SeIncBasePriorityPrivilege	4264	Server.exe
Token: 33	4264	Server.exe
Token: SeIncBasePriorityPrivilege	4264	Server.exe
Token: 33	4264	Server.exe
Token: SeIncBasePriorityPrivilege	4264	Server.exe
Token: 33	4264	Server.exe
Token: SeIncBasePriorityPrivilege	4264	Server.exe
Token: 33	4264	Server.exe
Token: SeIncBasePriorityPrivilege	4264	Server.exe
Token: 33	4264	Server.exe
Token: SeIncBasePriorityPrivilege	4264	Server.exe
Token: 33	4264	Server.exe
Token: SeIncBasePriorityPrivilege	4264	Server.exe
Token: 33	4264	Server.exe
Token: SeIncBasePriorityPrivilege	4264	Server.exe
Token: 33	4264	Server.exe
Token: SeIncBasePriorityPrivilege	4264	Server.exe
Token: 33	4264	Server.exe
Token: SeIncBasePriorityPrivilege	4264	Server.exe
Token: 33	4264	Server.exe
Token: SeIncBasePriorityPrivilege	4264	Server.exe
Token: 33	4264	Server.exe
Token: SeIncBasePriorityPrivilege	4264	Server.exe
Token: 33	4264	Server.exe
Token: SeIncBasePriorityPrivilege	4264	Server.exe
Token: 33	4264	Server.exe
Token: SeIncBasePriorityPrivilege	4264	Server.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

builder.exeServer.exe

description	pid	process	target process
PID 2568 wrote to memory of 4264	2568	builder.exe	Server.exe
PID 2568 wrote to memory of 4264	2568	builder.exe	Server.exe
PID 2568 wrote to memory of 4264	2568	builder.exe	Server.exe
PID 2568 wrote to memory of 4304	2568	builder.exe	build.exe
PID 2568 wrote to memory of 4304	2568	builder.exe	build.exe
PID 2568 wrote to memory of 4304	2568	builder.exe	build.exe
PID 4264 wrote to memory of 4504	4264	Server.exe	netsh.exe
PID 4264 wrote to memory of 4504	4264	Server.exe	netsh.exe
PID 4264 wrote to memory of 4504	4264	Server.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\Redline Stealer 2022 Cracked\Kurome.Builder\builder.exe
"C:\Users\Admin\AppData\Local\Temp\Redline Stealer 2022 Cracked\Kurome.Builder\builder.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2568

C:\Users\Admin\AppData\Roaming\Server.exe
"C:\Users\Admin\AppData\Roaming\Server.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4264

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Server.exe" "Server.exe" ENABLE
3⤵
- Modifies Windows Firewall
PID:4504

C:\Users\Admin\AppData\Roaming\build.exe
"C:\Users\Admin\AppData\Roaming\build.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4304

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Server.exe
Filesize
23KB

MD5
25b54f7f39b021b1d5e3a15b04a3490f

SHA1
ab66577f15e700d5e4ab423402bd21f23a67988d

SHA256
c2768f2e91df4955e2582273ffb759e82c5a5aae4e1318b8643e011d0dd0b944

SHA512
cf3a318fa4f56408a38a23e82dc12bbdbeb738ab724c0c4b975d438027990945d399c8daeb56f84afaa79c8c182e0c767d86580d4be55552b9e72bf932a85c01

Download Submit
C:\Users\Admin\AppData\Roaming\Server.exe
Filesize
23KB

MD5
25b54f7f39b021b1d5e3a15b04a3490f

SHA1
ab66577f15e700d5e4ab423402bd21f23a67988d

SHA256
c2768f2e91df4955e2582273ffb759e82c5a5aae4e1318b8643e011d0dd0b944

SHA512
cf3a318fa4f56408a38a23e82dc12bbdbeb738ab724c0c4b975d438027990945d399c8daeb56f84afaa79c8c182e0c767d86580d4be55552b9e72bf932a85c01

Download Submit
C:\Users\Admin\AppData\Roaming\build.exe
Filesize
95KB

MD5
ca8b99c9d67aee4b846581461ec6bb2b

SHA1
7c0fd208b99bc69aaf003693aeafbe73cde4658f

SHA256
d53b5ccdc46e2575b7c917ae6414b93028b9fe4df2deda7107a7a470080a9f3a

SHA512
027f3e669560a0668706665101bfb7ca258943f80cc660085428516015fb7a106266b34334afabfd95bf43c348d53d2fe6f9cbf7a6a737314d19524e4bc36a83

Download Submit
C:\Users\Admin\AppData\Roaming\build.exe
Filesize
95KB

MD5
ca8b99c9d67aee4b846581461ec6bb2b

SHA1
7c0fd208b99bc69aaf003693aeafbe73cde4658f

SHA256
d53b5ccdc46e2575b7c917ae6414b93028b9fe4df2deda7107a7a470080a9f3a

SHA512
027f3e669560a0668706665101bfb7ca258943f80cc660085428516015fb7a106266b34334afabfd95bf43c348d53d2fe6f9cbf7a6a737314d19524e4bc36a83

Download Submit
memory/2568-117-0x0000000000C90000-0x0000000000CA0000-memory.dmp

Filesize
64KB

Download
memory/4264-129-0x00000000030B0000-0x00000000030C0000-memory.dmp

Filesize
64KB

Download
memory/4264-137-0x00000000030B0000-0x00000000030C0000-memory.dmp

Filesize
64KB

Download
memory/4304-128-0x00000000008B0000-0x00000000008CE000-memory.dmp

Filesize
120KB

Download
memory/4304-130-0x0000000005870000-0x0000000005E76000-memory.dmp

Filesize
6.0MB

Download
memory/4304-131-0x0000000002D70000-0x0000000002D82000-memory.dmp

Filesize
72KB

Download
memory/4304-132-0x0000000005150000-0x000000000518E000-memory.dmp

Filesize
248KB

Download
memory/4304-133-0x0000000005190000-0x00000000051DB000-memory.dmp

Filesize
300KB

Download
memory/4304-134-0x0000000005250000-0x0000000005260000-memory.dmp

Filesize
64KB

Download
memory/4304-135-0x00000000053D0000-0x00000000054DA000-memory.dmp

Filesize
1.0MB

Download
memory/4304-138-0x0000000005250000-0x0000000005260000-memory.dmp

Filesize
64KB

Download