njrat | 4445051491aed9c868c6641f7b2ff844047b5e61414bbc6e440ef2d7202348a5

General

Target

6c16c29393e52ccda35c043aea1b1940.exe
Size

37KB
MD5

6c16c29393e52ccda35c043aea1b1940
SHA1

f440a53a8e1949aa361a311721b88efb7122e56a
SHA256

4445051491aed9c868c6641f7b2ff844047b5e61414bbc6e440ef2d7202348a5
SHA512

90d54c328c8443dcbba6be755578bd8c62fbb633000aafdba9d305e1b42a0e7b7bea8dfff978044c8712855ed72d71325f105ec1999c7a622e8d3bf6f7532f44
SSDEEP

384:1SSvEiTbTvpWNcZ0y8fvCv3v3cLkacpjrAF+rMRTyN/0L+EcoinblneHQM3epzXO:sS7TZ38fvCv3E1c1rM+rMRa8Nuvct

Score

10^/10

njrat hacked evasion trojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

HacKed

C2

0.tcp.sa.ngrok.io:19784

Mutex

d129900b08bb5de7ee3568103142da72

Attributes

reg_key
d129900b08bb5de7ee3568103142da72
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

968 netsh.exe
Executes dropped EXE 1 IoCs

Processes:

server.exe

pid process

1648 server.exe
Loads dropped DLL 1 IoCs

Processes:

6c16c29393e52ccda35c043aea1b1940.exe

pid process

2024 6c16c29393e52ccda35c043aea1b1940.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
968	netsh.exe

pid	process
1648	server.exe

pid	process
2024	6c16c29393e52ccda35c043aea1b1940.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

Processes:

server.exe

description	pid	process
Token: SeDebugPrivilege	1648	server.exe
Token: 33	1648	server.exe
Token: SeIncBasePriorityPrivilege	1648	server.exe
Token: 33	1648	server.exe
Token: SeIncBasePriorityPrivilege	1648	server.exe
Token: 33	1648	server.exe
Token: SeIncBasePriorityPrivilege	1648	server.exe
Token: 33	1648	server.exe
Token: SeIncBasePriorityPrivilege	1648	server.exe
Token: 33	1648	server.exe
Token: SeIncBasePriorityPrivilege	1648	server.exe
Token: 33	1648	server.exe
Token: SeIncBasePriorityPrivilege	1648	server.exe
Token: 33	1648	server.exe
Token: SeIncBasePriorityPrivilege	1648	server.exe
Token: 33	1648	server.exe
Token: SeIncBasePriorityPrivilege	1648	server.exe
Token: 33	1648	server.exe
Token: SeIncBasePriorityPrivilege	1648	server.exe
Token: 33	1648	server.exe
Token: SeIncBasePriorityPrivilege	1648	server.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

6c16c29393e52ccda35c043aea1b1940.exeserver.exe

description	pid	process	target process
PID 2024 wrote to memory of 1648	2024	6c16c29393e52ccda35c043aea1b1940.exe	server.exe
PID 2024 wrote to memory of 1648	2024	6c16c29393e52ccda35c043aea1b1940.exe	server.exe
PID 2024 wrote to memory of 1648	2024	6c16c29393e52ccda35c043aea1b1940.exe	server.exe
PID 2024 wrote to memory of 1648	2024	6c16c29393e52ccda35c043aea1b1940.exe	server.exe
PID 1648 wrote to memory of 968	1648	server.exe	netsh.exe
PID 1648 wrote to memory of 968	1648	server.exe	netsh.exe
PID 1648 wrote to memory of 968	1648	server.exe	netsh.exe
PID 1648 wrote to memory of 968	1648	server.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\6c16c29393e52ccda35c043aea1b1940.exe
"C:\Users\Admin\AppData\Local\Temp\6c16c29393e52ccda35c043aea1b1940.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2024

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1648

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
3⤵
- Modifies Windows Firewall
PID:968

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Web Service

1

T1102

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
37KB

MD5
6c16c29393e52ccda35c043aea1b1940

SHA1
f440a53a8e1949aa361a311721b88efb7122e56a

SHA256
4445051491aed9c868c6641f7b2ff844047b5e61414bbc6e440ef2d7202348a5

SHA512
90d54c328c8443dcbba6be755578bd8c62fbb633000aafdba9d305e1b42a0e7b7bea8dfff978044c8712855ed72d71325f105ec1999c7a622e8d3bf6f7532f44

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
37KB

MD5
6c16c29393e52ccda35c043aea1b1940

SHA1
f440a53a8e1949aa361a311721b88efb7122e56a

SHA256
4445051491aed9c868c6641f7b2ff844047b5e61414bbc6e440ef2d7202348a5

SHA512
90d54c328c8443dcbba6be755578bd8c62fbb633000aafdba9d305e1b42a0e7b7bea8dfff978044c8712855ed72d71325f105ec1999c7a622e8d3bf6f7532f44

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe

Filesize
37KB

MD5
6c16c29393e52ccda35c043aea1b1940

SHA1
f440a53a8e1949aa361a311721b88efb7122e56a

SHA256
4445051491aed9c868c6641f7b2ff844047b5e61414bbc6e440ef2d7202348a5

SHA512
90d54c328c8443dcbba6be755578bd8c62fbb633000aafdba9d305e1b42a0e7b7bea8dfff978044c8712855ed72d71325f105ec1999c7a622e8d3bf6f7532f44

Download Submit
memory/1648-62-0x0000000000720000-0x0000000000760000-memory.dmp

Filesize
256KB

Download
memory/1648-63-0x0000000000720000-0x0000000000760000-memory.dmp

Filesize
256KB

Download
memory/2024-54-0x0000000000150000-0x0000000000190000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing