njrat | e57f065b20a5bcc1b515ca93b86f221783ddf5880f660f552b5a9735fce540a7

Analysis

max time kernel
151s
max time network
153s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
29-03-2023 01:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TGX.exe
Size

19.0MB
MD5

f11e3a4b0b3dfbeeda1093a3d23103a9
SHA1

249ac84328d018b6c1f8bdc158210d73d1dfa895
SHA256

e57f065b20a5bcc1b515ca93b86f221783ddf5880f660f552b5a9735fce540a7
SHA512

baedf5d8da21ec93d007d51f750d6c3edcee28d8a01f1c549e1adb7268da48d6df1d9467f1506dc72fb7d1b01b1142bb8ab174b7122a101de8bc8e86dc423990
SSDEEP

393216:vpoJ0krl5Tb9KaS4d2OfGJxZ8AB1SNjmJ4Uoy7Tk15HZKU:vpohLb9KaIOoD8Aom1V7T7U

Score

10^/10

njrat hacked evasion persistence pyinstaller trojan upx

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

HacKed

browser-bangladesh.at.ply.gg:14018

Mutex

675f4fe6228789d2c44bb51781f399e5

Attributes

reg_key
675f4fe6228789d2c44bb51781f399e5
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

1828 netsh.exe

pid	process
1828	netsh.exe

Drops startup file 2 IoCs

Processes:

serverHost.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\675f4fe6228789d2c44bb51781f399e5.exe	serverHost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\675f4fe6228789d2c44bb51781f399e5.exe	serverHost.exe

Executes dropped EXE 5 IoCs

Processes:

TGX_Laucher.exeTGX_LLaucher.exeTGX_LLaucher.exeserverHost.exe

pid process

920 TGX_Laucher.exe
616 TGX_LLaucher.exe
828 TGX_LLaucher.exe
1260
1952 serverHost.exe
Loads dropped DLL 7 IoCs

Processes:

TGX.exeTGX_LLaucher.exeTGX_Laucher.exe

pid process

2016 TGX.exe
2016 TGX.exe
2016 TGX.exe
2016 TGX.exe
828 TGX_LLaucher.exe
1260
920 TGX_Laucher.exe

pid	process
920	TGX_Laucher.exe
616	TGX_LLaucher.exe
828	TGX_LLaucher.exe
1260
1952	serverHost.exe

pid	process
2016	TGX.exe
2016	TGX.exe
2016	TGX.exe
2016	TGX.exe
828	TGX_LLaucher.exe
1260
920	TGX_Laucher.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\_MEI6162\python311.dll	upx
\Users\Admin\AppData\Local\Temp\_MEI6162\python311.dll	upx
behavioral1/memory/828-182-0x000007FEF5930000-0x000007FEF5F19000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

serverHost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows\CurrentVersion\Run\675f4fe6228789d2c44bb51781f399e5 = "\"C:\\Users\\Admin\\AppData\\Roaming\\serverHost.exe\" .."	serverHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\675f4fe6228789d2c44bb51781f399e5 = "\"C:\\Users\\Admin\\AppData\\Roaming\\serverHost.exe\" .."	serverHost.exe

Detects Pyinstaller 7 IoCs

pyinstaller

Processes:

resource	yara_rule
\UsersAdmin\AppData\Roaming\Microsoft\TGX_LLaucher.exe	pyinstaller
C:\UsersAdmin\AppData\Roaming\Microsoft\TGX_LLaucher.exe	pyinstaller
C:\UsersAdmin\AppData\Roaming\Microsoft\TGX_LLaucher.exe	pyinstaller
C:\UsersAdmin\AppData\Roaming\Microsoft\TGX_LLaucher.exe	pyinstaller
C:\UsersAdmin\AppData\Roaming\Microsoft\TGX_LLaucher.exe	pyinstaller
\UsersAdmin\AppData\Roaming\Microsoft\TGX_LLaucher.exe	pyinstaller
\UsersAdmin\AppData\Roaming\Microsoft\TGX_LLaucher.exe	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

serverHost.exe

pid	process
1952	serverHost.exe
1952	serverHost.exe
1952	serverHost.exe
1952	serverHost.exe
1952	serverHost.exe
1952	serverHost.exe
1952	serverHost.exe
1952	serverHost.exe
1952	serverHost.exe
1952	serverHost.exe
1952	serverHost.exe
1952	serverHost.exe
1952	serverHost.exe
1952	serverHost.exe
1952	serverHost.exe
1952	serverHost.exe
1952	serverHost.exe
1952	serverHost.exe
1952	serverHost.exe
1952	serverHost.exe
1952	serverHost.exe
1952	serverHost.exe
1952	serverHost.exe
1952	serverHost.exe
1952	serverHost.exe
1952	serverHost.exe
1952	serverHost.exe
1952	serverHost.exe
1952	serverHost.exe
1952	serverHost.exe
1952	serverHost.exe
1952	serverHost.exe
1952	serverHost.exe
1952	serverHost.exe
1952	serverHost.exe
1952	serverHost.exe
1952	serverHost.exe
1952	serverHost.exe
1952	serverHost.exe
1952	serverHost.exe
1952	serverHost.exe
1952	serverHost.exe
1952	serverHost.exe
1952	serverHost.exe
1952	serverHost.exe
1952	serverHost.exe
1952	serverHost.exe
1952	serverHost.exe
1952	serverHost.exe
1952	serverHost.exe
1952	serverHost.exe
1952	serverHost.exe
1952	serverHost.exe
1952	serverHost.exe
1952	serverHost.exe
1952	serverHost.exe
1952	serverHost.exe
1952	serverHost.exe
1952	serverHost.exe
1952	serverHost.exe
1952	serverHost.exe
1952	serverHost.exe
1952	serverHost.exe
1952	serverHost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

serverHost.exe

pid process

1952 serverHost.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

Processes:

serverHost.exe

description	pid	process
Token: SeDebugPrivilege	1952	serverHost.exe
Token: 33	1952	serverHost.exe
Token: SeIncBasePriorityPrivilege	1952	serverHost.exe
Token: 33	1952	serverHost.exe
Token: SeIncBasePriorityPrivilege	1952	serverHost.exe
Token: 33	1952	serverHost.exe
Token: SeIncBasePriorityPrivilege	1952	serverHost.exe
Token: 33	1952	serverHost.exe
Token: SeIncBasePriorityPrivilege	1952	serverHost.exe
Token: 33	1952	serverHost.exe
Token: SeIncBasePriorityPrivilege	1952	serverHost.exe
Token: 33	1952	serverHost.exe
Token: SeIncBasePriorityPrivilege	1952	serverHost.exe
Token: 33	1952	serverHost.exe
Token: SeIncBasePriorityPrivilege	1952	serverHost.exe
Token: 33	1952	serverHost.exe
Token: SeIncBasePriorityPrivilege	1952	serverHost.exe
Token: 33	1952	serverHost.exe
Token: SeIncBasePriorityPrivilege	1952	serverHost.exe
Token: 33	1952	serverHost.exe
Token: SeIncBasePriorityPrivilege	1952	serverHost.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

TGX.exeTGX_LLaucher.exeTGX_Laucher.exeserverHost.exe

description	pid	process	target process
PID 2016 wrote to memory of 920	2016	TGX.exe	TGX_Laucher.exe
PID 2016 wrote to memory of 920	2016	TGX.exe	TGX_Laucher.exe
PID 2016 wrote to memory of 920	2016	TGX.exe	TGX_Laucher.exe
PID 2016 wrote to memory of 920	2016	TGX.exe	TGX_Laucher.exe
PID 2016 wrote to memory of 616	2016	TGX.exe	TGX_LLaucher.exe
PID 2016 wrote to memory of 616	2016	TGX.exe	TGX_LLaucher.exe
PID 2016 wrote to memory of 616	2016	TGX.exe	TGX_LLaucher.exe
PID 2016 wrote to memory of 616	2016	TGX.exe	TGX_LLaucher.exe
PID 616 wrote to memory of 828	616	TGX_LLaucher.exe	TGX_LLaucher.exe
PID 616 wrote to memory of 828	616	TGX_LLaucher.exe	TGX_LLaucher.exe
PID 616 wrote to memory of 828	616	TGX_LLaucher.exe	TGX_LLaucher.exe
PID 920 wrote to memory of 1952	920	TGX_Laucher.exe	serverHost.exe
PID 920 wrote to memory of 1952	920	TGX_Laucher.exe	serverHost.exe
PID 920 wrote to memory of 1952	920	TGX_Laucher.exe	serverHost.exe
PID 920 wrote to memory of 1952	920	TGX_Laucher.exe	serverHost.exe
PID 1952 wrote to memory of 1828	1952	serverHost.exe	netsh.exe
PID 1952 wrote to memory of 1828	1952	serverHost.exe	netsh.exe
PID 1952 wrote to memory of 1828	1952	serverHost.exe	netsh.exe
PID 1952 wrote to memory of 1828	1952	serverHost.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\TGX.exe
"C:\Users\Admin\AppData\Local\Temp\TGX.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2016

C:\UsersAdmin\AppData\Roaming\Microsoft\TGX_Laucher.exe
"C:\UsersAdmin\AppData\Roaming\Microsoft\TGX_Laucher.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:920

C:\Users\Admin\AppData\Roaming\serverHost.exe
"C:\Users\Admin\AppData\Roaming\serverHost.exe"
3⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1952

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\serverHost.exe" "serverHost.exe" ENABLE
4⤵
- Modifies Windows Firewall
PID:1828

C:\UsersAdmin\AppData\Roaming\Microsoft\TGX_LLaucher.exe
"C:\UsersAdmin\AppData\Roaming\Microsoft\TGX_LLaucher.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:616

C:\UsersAdmin\AppData\Roaming\Microsoft\TGX_LLaucher.exe
"C:\UsersAdmin\AppData\Roaming\Microsoft\TGX_LLaucher.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:828

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\UsersAdmin\AppData\Roaming\Microsoft\TGX_LLaucher.exe
Filesize
18.9MB

MD5
aa465d840eb98e6e3553fe6d667b5821

SHA1
9911f9faad6e7d9545f4036d2d244ff22d9264ce

SHA256
f29266ff16b2ee0f068a829cb9c80045b23d102f6a0407f798828cfcefab9123

SHA512
fe4e25123705d72532d6b1d6d43fb4956278f8405b76a3114926fe6b0d3471d93daf2a2213a26f4fa1906e6aa2023b362e2c575120f1c25081e962e8a75e43a4

Download Submit
C:\UsersAdmin\AppData\Roaming\Microsoft\TGX_LLaucher.exe
Filesize
18.9MB

MD5
aa465d840eb98e6e3553fe6d667b5821

SHA1
9911f9faad6e7d9545f4036d2d244ff22d9264ce

SHA256
f29266ff16b2ee0f068a829cb9c80045b23d102f6a0407f798828cfcefab9123

SHA512
fe4e25123705d72532d6b1d6d43fb4956278f8405b76a3114926fe6b0d3471d93daf2a2213a26f4fa1906e6aa2023b362e2c575120f1c25081e962e8a75e43a4

Download Submit
C:\UsersAdmin\AppData\Roaming\Microsoft\TGX_LLaucher.exe
Filesize
18.9MB

MD5
aa465d840eb98e6e3553fe6d667b5821

SHA1
9911f9faad6e7d9545f4036d2d244ff22d9264ce

SHA256
f29266ff16b2ee0f068a829cb9c80045b23d102f6a0407f798828cfcefab9123

SHA512
fe4e25123705d72532d6b1d6d43fb4956278f8405b76a3114926fe6b0d3471d93daf2a2213a26f4fa1906e6aa2023b362e2c575120f1c25081e962e8a75e43a4

Download Submit
C:\UsersAdmin\AppData\Roaming\Microsoft\TGX_LLaucher.exe
Filesize
18.9MB

MD5
aa465d840eb98e6e3553fe6d667b5821

SHA1
9911f9faad6e7d9545f4036d2d244ff22d9264ce

SHA256
f29266ff16b2ee0f068a829cb9c80045b23d102f6a0407f798828cfcefab9123

SHA512
fe4e25123705d72532d6b1d6d43fb4956278f8405b76a3114926fe6b0d3471d93daf2a2213a26f4fa1906e6aa2023b362e2c575120f1c25081e962e8a75e43a4

Download Submit
C:\UsersAdmin\AppData\Roaming\Microsoft\TGX_Laucher.exe
Filesize
37KB

MD5
e7b4f2beaa2c2679eee8692abea22321

SHA1
de3d91c9b5e0bbcb94da37924dbe7aa797de9db5

SHA256
63db0a3e5e2aea770d9278502bb06c9fcf1c64b15c27819c72d5a73660f8b99e

SHA512
47580a4087c49d7b9bac9d11bff3f6d9b91e1e387723ec1c5c407d33c529f951e9b6edff3c80982804f86a020791e106f71214b272a8c548d6dab458a1206a2b

Download Submit
C:\UsersAdmin\AppData\Roaming\Microsoft\TGX_Laucher.exe
Filesize
37KB

MD5
e7b4f2beaa2c2679eee8692abea22321

SHA1
de3d91c9b5e0bbcb94da37924dbe7aa797de9db5

SHA256
63db0a3e5e2aea770d9278502bb06c9fcf1c64b15c27819c72d5a73660f8b99e

SHA512
47580a4087c49d7b9bac9d11bff3f6d9b91e1e387723ec1c5c407d33c529f951e9b6edff3c80982804f86a020791e106f71214b272a8c548d6dab458a1206a2b

Download Submit
C:\UsersAdmin\AppData\Roaming\Microsoft\TGX_Laucher.exe
Filesize
37KB

MD5
e7b4f2beaa2c2679eee8692abea22321

SHA1
de3d91c9b5e0bbcb94da37924dbe7aa797de9db5

SHA256
63db0a3e5e2aea770d9278502bb06c9fcf1c64b15c27819c72d5a73660f8b99e

SHA512
47580a4087c49d7b9bac9d11bff3f6d9b91e1e387723ec1c5c407d33c529f951e9b6edff3c80982804f86a020791e106f71214b272a8c548d6dab458a1206a2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6162\python311.dll
Filesize
1.6MB

MD5
109e26bea83e7cd897d296c803502722

SHA1
d6c7fce09407b993207f5522fa6db0fd1aad8b22

SHA256
4834d101c620e32e059ba73cf13f53252c48b9326b9342cb1aa9da0a5b329e24

SHA512
b553a151d1fa81e578da83793eed8aa14862a91772cec16caef00b196c33b2f905beb7342c2d876306b068573be1ce543fac653d1177a1605e27a54ee1354cda

Download Submit
C:\Users\Admin\AppData\Roaming\serverHost.exe
Filesize
37KB

MD5
e7b4f2beaa2c2679eee8692abea22321

SHA1
de3d91c9b5e0bbcb94da37924dbe7aa797de9db5

SHA256
63db0a3e5e2aea770d9278502bb06c9fcf1c64b15c27819c72d5a73660f8b99e

SHA512
47580a4087c49d7b9bac9d11bff3f6d9b91e1e387723ec1c5c407d33c529f951e9b6edff3c80982804f86a020791e106f71214b272a8c548d6dab458a1206a2b

Download Submit
C:\Users\Admin\AppData\Roaming\serverHost.exe
Filesize
37KB

MD5
e7b4f2beaa2c2679eee8692abea22321

SHA1
de3d91c9b5e0bbcb94da37924dbe7aa797de9db5

SHA256
63db0a3e5e2aea770d9278502bb06c9fcf1c64b15c27819c72d5a73660f8b99e

SHA512
47580a4087c49d7b9bac9d11bff3f6d9b91e1e387723ec1c5c407d33c529f951e9b6edff3c80982804f86a020791e106f71214b272a8c548d6dab458a1206a2b

Download Submit
\UsersAdmin\AppData\Roaming\Microsoft\TGX_LLaucher.exe
Filesize
18.9MB

MD5
aa465d840eb98e6e3553fe6d667b5821

SHA1
9911f9faad6e7d9545f4036d2d244ff22d9264ce

SHA256
f29266ff16b2ee0f068a829cb9c80045b23d102f6a0407f798828cfcefab9123

SHA512
fe4e25123705d72532d6b1d6d43fb4956278f8405b76a3114926fe6b0d3471d93daf2a2213a26f4fa1906e6aa2023b362e2c575120f1c25081e962e8a75e43a4

Download Submit
\UsersAdmin\AppData\Roaming\Microsoft\TGX_LLaucher.exe
Filesize
18.9MB

MD5
aa465d840eb98e6e3553fe6d667b5821

SHA1
9911f9faad6e7d9545f4036d2d244ff22d9264ce

SHA256
f29266ff16b2ee0f068a829cb9c80045b23d102f6a0407f798828cfcefab9123

SHA512
fe4e25123705d72532d6b1d6d43fb4956278f8405b76a3114926fe6b0d3471d93daf2a2213a26f4fa1906e6aa2023b362e2c575120f1c25081e962e8a75e43a4

Download Submit
\UsersAdmin\AppData\Roaming\Microsoft\TGX_LLaucher.exe
Filesize
18.9MB

MD5
aa465d840eb98e6e3553fe6d667b5821

SHA1
9911f9faad6e7d9545f4036d2d244ff22d9264ce

SHA256
f29266ff16b2ee0f068a829cb9c80045b23d102f6a0407f798828cfcefab9123

SHA512
fe4e25123705d72532d6b1d6d43fb4956278f8405b76a3114926fe6b0d3471d93daf2a2213a26f4fa1906e6aa2023b362e2c575120f1c25081e962e8a75e43a4

Download Submit
\UsersAdmin\AppData\Roaming\Microsoft\TGX_Laucher.exe
Filesize
37KB

MD5
e7b4f2beaa2c2679eee8692abea22321

SHA1
de3d91c9b5e0bbcb94da37924dbe7aa797de9db5

SHA256
63db0a3e5e2aea770d9278502bb06c9fcf1c64b15c27819c72d5a73660f8b99e

SHA512
47580a4087c49d7b9bac9d11bff3f6d9b91e1e387723ec1c5c407d33c529f951e9b6edff3c80982804f86a020791e106f71214b272a8c548d6dab458a1206a2b

Download Submit
\UsersAdmin\AppData\Roaming\Microsoft\TGX_Laucher.exe
Filesize
37KB

MD5
e7b4f2beaa2c2679eee8692abea22321

SHA1
de3d91c9b5e0bbcb94da37924dbe7aa797de9db5

SHA256
63db0a3e5e2aea770d9278502bb06c9fcf1c64b15c27819c72d5a73660f8b99e

SHA512
47580a4087c49d7b9bac9d11bff3f6d9b91e1e387723ec1c5c407d33c529f951e9b6edff3c80982804f86a020791e106f71214b272a8c548d6dab458a1206a2b

Download Submit
\UsersAdmin\AppData\Roaming\Microsoft\TGX_Laucher.exe
Filesize
37KB

MD5
e7b4f2beaa2c2679eee8692abea22321

SHA1
de3d91c9b5e0bbcb94da37924dbe7aa797de9db5

SHA256
63db0a3e5e2aea770d9278502bb06c9fcf1c64b15c27819c72d5a73660f8b99e

SHA512
47580a4087c49d7b9bac9d11bff3f6d9b91e1e387723ec1c5c407d33c529f951e9b6edff3c80982804f86a020791e106f71214b272a8c548d6dab458a1206a2b

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI6162\python311.dll
Filesize
1.6MB

MD5
109e26bea83e7cd897d296c803502722

SHA1
d6c7fce09407b993207f5522fa6db0fd1aad8b22

SHA256
4834d101c620e32e059ba73cf13f53252c48b9326b9342cb1aa9da0a5b329e24

SHA512
b553a151d1fa81e578da83793eed8aa14862a91772cec16caef00b196c33b2f905beb7342c2d876306b068573be1ce543fac653d1177a1605e27a54ee1354cda

Download Submit
\Users\Admin\AppData\Roaming\serverHost.exe
Filesize
37KB

MD5
e7b4f2beaa2c2679eee8692abea22321

SHA1
de3d91c9b5e0bbcb94da37924dbe7aa797de9db5

SHA256
63db0a3e5e2aea770d9278502bb06c9fcf1c64b15c27819c72d5a73660f8b99e

SHA512
47580a4087c49d7b9bac9d11bff3f6d9b91e1e387723ec1c5c407d33c529f951e9b6edff3c80982804f86a020791e106f71214b272a8c548d6dab458a1206a2b

Download Submit
memory/828-182-0x000007FEF5930000-0x000007FEF5F19000-memory.dmp

Filesize
5.9MB

Download
memory/920-181-0x0000000000AD0000-0x0000000000B10000-memory.dmp

Filesize
256KB

Download
memory/1952-192-0x00000000003C0000-0x0000000000400000-memory.dmp

Filesize
256KB

Download
memory/1952-295-0x00000000003C0000-0x0000000000400000-memory.dmp

Filesize
256KB

Download
memory/1952-296-0x00000000003C0000-0x0000000000400000-memory.dmp

Filesize
256KB

Download