njrat | b9dac8380436e34e0698ff15fa73b6026a87294905bc5f9af9cab7298f208e07

Analysis

max time kernel
138s
max time network
151s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
25-03-2023 09:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a7a183e777365134ecc6b30d2ef6111.exe
Size

37KB
MD5

0a7a183e777365134ecc6b30d2ef6111
SHA1

5e43a2d49c2aeb6c438d9e7999215693ef90254e
SHA256

b9dac8380436e34e0698ff15fa73b6026a87294905bc5f9af9cab7298f208e07
SHA512

5e12c77ab23e809501cfe44a6f6eb4b80f57965b88d897029e1d2a70850a3e3ff70c3bbe828969b31bccdd78759ae1d1745dad90efcbe7cac0f7914c2f01b215
SSDEEP

384:VSSvEiTbTvpWNcZ0y8fvCv3v3cLkacpjrAF+rMRTyN/0L+EcoinblneHQM3epzX0:MS7TZ38fvCv3E1c1rM+rMRa8NuE3t

Score

10^/10

njrat hacked evasion trojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

HacKed

0.tcp.eu.ngrok.io:14888

Mutex

4bf7c75d2b9974791b37b4aa6f0605e4

Attributes

reg_key
4bf7c75d2b9974791b37b4aa6f0605e4
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

1112 netsh.exe
Executes dropped EXE 1 IoCs

Processes:

server.exe

pid process

1028 server.exe
Loads dropped DLL 1 IoCs

Processes:

0a7a183e777365134ecc6b30d2ef6111.exe

pid process

1716 0a7a183e777365134ecc6b30d2ef6111.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1112	netsh.exe

pid	process
1028	server.exe

pid	process
1716	0a7a183e777365134ecc6b30d2ef6111.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

Processes:

server.exe

description	pid	process
Token: SeDebugPrivilege	1028	server.exe
Token: 33	1028	server.exe
Token: SeIncBasePriorityPrivilege	1028	server.exe
Token: 33	1028	server.exe
Token: SeIncBasePriorityPrivilege	1028	server.exe
Token: 33	1028	server.exe
Token: SeIncBasePriorityPrivilege	1028	server.exe
Token: 33	1028	server.exe
Token: SeIncBasePriorityPrivilege	1028	server.exe
Token: 33	1028	server.exe
Token: SeIncBasePriorityPrivilege	1028	server.exe
Token: 33	1028	server.exe
Token: SeIncBasePriorityPrivilege	1028	server.exe
Token: 33	1028	server.exe
Token: SeIncBasePriorityPrivilege	1028	server.exe
Token: 33	1028	server.exe
Token: SeIncBasePriorityPrivilege	1028	server.exe
Token: 33	1028	server.exe
Token: SeIncBasePriorityPrivilege	1028	server.exe
Token: 33	1028	server.exe
Token: SeIncBasePriorityPrivilege	1028	server.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

0a7a183e777365134ecc6b30d2ef6111.exeserver.exe

description	pid	process	target process
PID 1716 wrote to memory of 1028	1716	0a7a183e777365134ecc6b30d2ef6111.exe	server.exe
PID 1716 wrote to memory of 1028	1716	0a7a183e777365134ecc6b30d2ef6111.exe	server.exe
PID 1716 wrote to memory of 1028	1716	0a7a183e777365134ecc6b30d2ef6111.exe	server.exe
PID 1716 wrote to memory of 1028	1716	0a7a183e777365134ecc6b30d2ef6111.exe	server.exe
PID 1028 wrote to memory of 1112	1028	server.exe	netsh.exe
PID 1028 wrote to memory of 1112	1028	server.exe	netsh.exe
PID 1028 wrote to memory of 1112	1028	server.exe	netsh.exe
PID 1028 wrote to memory of 1112	1028	server.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\0a7a183e777365134ecc6b30d2ef6111.exe
"C:\Users\Admin\AppData\Local\Temp\0a7a183e777365134ecc6b30d2ef6111.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1716

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1028

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
3⤵
- Modifies Windows Firewall
PID:1112

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\server.exe
Filesize
37KB

MD5
0a7a183e777365134ecc6b30d2ef6111

SHA1
5e43a2d49c2aeb6c438d9e7999215693ef90254e

SHA256
b9dac8380436e34e0698ff15fa73b6026a87294905bc5f9af9cab7298f208e07

SHA512
5e12c77ab23e809501cfe44a6f6eb4b80f57965b88d897029e1d2a70850a3e3ff70c3bbe828969b31bccdd78759ae1d1745dad90efcbe7cac0f7914c2f01b215

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe
Filesize
37KB

MD5
0a7a183e777365134ecc6b30d2ef6111

SHA1
5e43a2d49c2aeb6c438d9e7999215693ef90254e

SHA256
b9dac8380436e34e0698ff15fa73b6026a87294905bc5f9af9cab7298f208e07

SHA512
5e12c77ab23e809501cfe44a6f6eb4b80f57965b88d897029e1d2a70850a3e3ff70c3bbe828969b31bccdd78759ae1d1745dad90efcbe7cac0f7914c2f01b215

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe
Filesize
37KB

MD5
0a7a183e777365134ecc6b30d2ef6111

SHA1
5e43a2d49c2aeb6c438d9e7999215693ef90254e

SHA256
b9dac8380436e34e0698ff15fa73b6026a87294905bc5f9af9cab7298f208e07

SHA512
5e12c77ab23e809501cfe44a6f6eb4b80f57965b88d897029e1d2a70850a3e3ff70c3bbe828969b31bccdd78759ae1d1745dad90efcbe7cac0f7914c2f01b215

Download Submit
memory/1028-62-0x0000000000160000-0x00000000001A0000-memory.dmp

Filesize
256KB

Download
memory/1716-54-0x0000000000A50000-0x0000000000A90000-memory.dmp

Filesize
256KB

Download