njrat | 14a08cc28c5d133cec49f1e23ed4a0685c7a8dcbda6a6cde57fa2197fe428040

General

Target

Remcos Professional Cracked By Alcatraz3222-cleaned.exe
Size

17.9MB
MD5

946125ea1dcd4d87c44b603f608dd64c
SHA1

48635fd472da387b60a43d4b65813516f99c8c55
SHA256

56b813058735d5f0980dae75394cba6e78d2096f142aaf7811251dbac7657bb1
SHA512

b3f42641a68cd4e7c365a031f6c1997e3c4efcf0fbf6b616341062b23f58e90d6a08d93ac249de1b53151a8dfb728da5cbdfd8d18e96892410038385fb96c7e5
SSDEEP

393216:tHN4EgV1uaHYxhfJJZu9rOtEK0Vc+shB97mip52wrqi3nHoKzMWUOCF:tCEm54vJJZWWMgp5HuuzMWU

Score

10^/10

njrat hacked evasion trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

dllsys.duckdns.org:3202

Mutex

3b570ffeeb3d34249b9a5ce0ee58a328

Attributes

reg_key
3b570ffeeb3d34249b9a5ce0ee58a328
splitter
svchost

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

4796 netsh.exe

pid	process
4796	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Remcos Professional Cracked By Alcatraz3222-cleaned.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	Remcos Professional Cracked By Alcatraz3222-cleaned.exe

Executes dropped EXE 2 IoCs

Processes:

Remcos Professional Cracked By Alcatraz3222.exetaskhost.exe

pid process

1420 Remcos Professional Cracked By Alcatraz3222.exe
1576 taskhost.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

Remcos Professional Cracked By Alcatraz3222.exe

pid process

1420 Remcos Professional Cracked By Alcatraz3222.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Remcos Professional Cracked By Alcatraz3222-cleaned.exe

description pid process target process

PID 3816 set thread context of 1576 3816 Remcos Professional Cracked By Alcatraz3222-cleaned.exe taskhost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1420	Remcos Professional Cracked By Alcatraz3222.exe
1576	taskhost.exe

pid	process
1420	Remcos Professional Cracked By Alcatraz3222.exe

description	pid	process	target process
PID 3816 set thread context of 1576	3816	Remcos Professional Cracked By Alcatraz3222-cleaned.exe	taskhost.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

Remcos Professional Cracked By Alcatraz3222-cleaned.exeRemcos Professional Cracked By Alcatraz3222.exe

pid	process
3816	Remcos Professional Cracked By Alcatraz3222-cleaned.exe
1420	Remcos Professional Cracked By Alcatraz3222.exe
1420	Remcos Professional Cracked By Alcatraz3222.exe
1420	Remcos Professional Cracked By Alcatraz3222.exe
1420	Remcos Professional Cracked By Alcatraz3222.exe
3816	Remcos Professional Cracked By Alcatraz3222-cleaned.exe
3816	Remcos Professional Cracked By Alcatraz3222-cleaned.exe
3816	Remcos Professional Cracked By Alcatraz3222-cleaned.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

Remcos Professional Cracked By Alcatraz3222-cleaned.exetaskhost.exe

description	pid	process
Token: SeDebugPrivilege	3816	Remcos Professional Cracked By Alcatraz3222-cleaned.exe
Token: SeDebugPrivilege	1576	taskhost.exe
Token: 33	1576	taskhost.exe
Token: SeIncBasePriorityPrivilege	1576	taskhost.exe
Token: 33	1576	taskhost.exe
Token: SeIncBasePriorityPrivilege	1576	taskhost.exe
Token: 33	1576	taskhost.exe
Token: SeIncBasePriorityPrivilege	1576	taskhost.exe
Token: 33	1576	taskhost.exe
Token: SeIncBasePriorityPrivilege	1576	taskhost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Remcos Professional Cracked By Alcatraz3222.exe

pid process

1420 Remcos Professional Cracked By Alcatraz3222.exe

pid	process
1420	Remcos Professional Cracked By Alcatraz3222.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

Remcos Professional Cracked By Alcatraz3222-cleaned.execmd.exetaskhost.exe

description	pid	process	target process
PID 3816 wrote to memory of 1420	3816	Remcos Professional Cracked By Alcatraz3222-cleaned.exe	Remcos Professional Cracked By Alcatraz3222.exe
PID 3816 wrote to memory of 1420	3816	Remcos Professional Cracked By Alcatraz3222-cleaned.exe	Remcos Professional Cracked By Alcatraz3222.exe
PID 3816 wrote to memory of 1420	3816	Remcos Professional Cracked By Alcatraz3222-cleaned.exe	Remcos Professional Cracked By Alcatraz3222.exe
PID 3816 wrote to memory of 4048	3816	Remcos Professional Cracked By Alcatraz3222-cleaned.exe	cmd.exe
PID 3816 wrote to memory of 4048	3816	Remcos Professional Cracked By Alcatraz3222-cleaned.exe	cmd.exe
PID 3816 wrote to memory of 4048	3816	Remcos Professional Cracked By Alcatraz3222-cleaned.exe	cmd.exe
PID 3816 wrote to memory of 3940	3816	Remcos Professional Cracked By Alcatraz3222-cleaned.exe	cmd.exe
PID 3816 wrote to memory of 3940	3816	Remcos Professional Cracked By Alcatraz3222-cleaned.exe	cmd.exe
PID 3816 wrote to memory of 3940	3816	Remcos Professional Cracked By Alcatraz3222-cleaned.exe	cmd.exe
PID 3940 wrote to memory of 4344	3940	cmd.exe	reg.exe
PID 3940 wrote to memory of 4344	3940	cmd.exe	reg.exe
PID 3940 wrote to memory of 4344	3940	cmd.exe	reg.exe
PID 3816 wrote to memory of 4596	3816	Remcos Professional Cracked By Alcatraz3222-cleaned.exe	cmd.exe
PID 3816 wrote to memory of 4596	3816	Remcos Professional Cracked By Alcatraz3222-cleaned.exe	cmd.exe
PID 3816 wrote to memory of 4596	3816	Remcos Professional Cracked By Alcatraz3222-cleaned.exe	cmd.exe
PID 3816 wrote to memory of 1576	3816	Remcos Professional Cracked By Alcatraz3222-cleaned.exe	taskhost.exe
PID 3816 wrote to memory of 1576	3816	Remcos Professional Cracked By Alcatraz3222-cleaned.exe	taskhost.exe
PID 3816 wrote to memory of 1576	3816	Remcos Professional Cracked By Alcatraz3222-cleaned.exe	taskhost.exe
PID 3816 wrote to memory of 1576	3816	Remcos Professional Cracked By Alcatraz3222-cleaned.exe	taskhost.exe
PID 3816 wrote to memory of 1576	3816	Remcos Professional Cracked By Alcatraz3222-cleaned.exe	taskhost.exe
PID 3816 wrote to memory of 1576	3816	Remcos Professional Cracked By Alcatraz3222-cleaned.exe	taskhost.exe
PID 3816 wrote to memory of 1576	3816	Remcos Professional Cracked By Alcatraz3222-cleaned.exe	taskhost.exe
PID 3816 wrote to memory of 1576	3816	Remcos Professional Cracked By Alcatraz3222-cleaned.exe	taskhost.exe
PID 1576 wrote to memory of 4796	1576	taskhost.exe	netsh.exe
PID 1576 wrote to memory of 4796	1576	taskhost.exe	netsh.exe
PID 1576 wrote to memory of 4796	1576	taskhost.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222-cleaned.exe
"C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222-cleaned.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3816

C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe
"C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe"
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1420

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/Remcos Professional Cracked By Alcatraz3222-cleaned.exe" "%temp%\Profile Remcos\Update_Lock_Remcos.exe" /Y
2⤵
PID:4048

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\Profile Remcos\Update_Lock_Remcos.exe.lnk" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:3940

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Profile Remcos\Update_Lock_Remcos.exe.lnk" /f
3⤵
PID:4344

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\Profile Remcos\Update_Lock_Remcos.exe:Zone.Identifier
2⤵
PID:4596

C:\Users\Admin\AppData\Local\Temp\taskhost.exe
"C:\Users\Admin\AppData\Local\Temp\taskhost.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1576

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\taskhost.exe" "taskhost.exe" ENABLE
3⤵
- Modifies Windows Firewall
PID:4796

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Profile Remcos\Update_Lock_Remcos.exe
Filesize
17.9MB

MD5
946125ea1dcd4d87c44b603f608dd64c

SHA1
48635fd472da387b60a43d4b65813516f99c8c55

SHA256
56b813058735d5f0980dae75394cba6e78d2096f142aaf7811251dbac7657bb1

SHA512
b3f42641a68cd4e7c365a031f6c1997e3c4efcf0fbf6b616341062b23f58e90d6a08d93ac249de1b53151a8dfb728da5cbdfd8d18e96892410038385fb96c7e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe
Filesize
17.4MB

MD5
c3c21fa4c2186deb641455482ab0d3aa

SHA1
2f4b49e8383e073ccb965943ce970de403412567

SHA256
4ea203509d0fdff3e31f976413c546ca3d36133bc708e9a1301860961cc3a8d9

SHA512
31db2963f1bd49f7b4a6ee38e54940d20120d6c05ef7bf34ec97eb93051bee6d5428e9e1271e4ae8f5544b824188ac7278315e2e2c27be302a312eebbf8c3fb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe
Filesize
17.4MB

MD5
c3c21fa4c2186deb641455482ab0d3aa

SHA1
2f4b49e8383e073ccb965943ce970de403412567

SHA256
4ea203509d0fdff3e31f976413c546ca3d36133bc708e9a1301860961cc3a8d9

SHA512
31db2963f1bd49f7b4a6ee38e54940d20120d6c05ef7bf34ec97eb93051bee6d5428e9e1271e4ae8f5544b824188ac7278315e2e2c27be302a312eebbf8c3fb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe
Filesize
17.4MB

MD5
c3c21fa4c2186deb641455482ab0d3aa

SHA1
2f4b49e8383e073ccb965943ce970de403412567

SHA256
4ea203509d0fdff3e31f976413c546ca3d36133bc708e9a1301860961cc3a8d9

SHA512
31db2963f1bd49f7b4a6ee38e54940d20120d6c05ef7bf34ec97eb93051bee6d5428e9e1271e4ae8f5544b824188ac7278315e2e2c27be302a312eebbf8c3fb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskhost.exe
Filesize
256KB

MD5
8fdf47e0ff70c40ed3a17014aeea4232

SHA1
e6256a0159688f0560b015da4d967f41cbf8c9bd

SHA256
ed9884bac608c06b7057037cc91d90e4ae5f74dd2dbce2af476699c6d4492d82

SHA512
bd69d092ed4f9c5e1f24eaf5ec79fb316469d53849dc798fae0fcba5e90869b77ee924c23cc6f692198ff25827ab60ad47bb46cadd6e0aadde7731cbafb013be

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskhost.exe
Filesize
256KB

MD5
8fdf47e0ff70c40ed3a17014aeea4232

SHA1
e6256a0159688f0560b015da4d967f41cbf8c9bd

SHA256
ed9884bac608c06b7057037cc91d90e4ae5f74dd2dbce2af476699c6d4492d82

SHA512
bd69d092ed4f9c5e1f24eaf5ec79fb316469d53849dc798fae0fcba5e90869b77ee924c23cc6f692198ff25827ab60ad47bb46cadd6e0aadde7731cbafb013be

Download Submit
memory/1420-147-0x0000000002A90000-0x0000000002A91000-memory.dmp

Filesize
4KB

Download
memory/1420-160-0x0000000004A10000-0x0000000004A11000-memory.dmp

Filesize
4KB

Download
memory/1420-149-0x0000000002B10000-0x0000000002B11000-memory.dmp

Filesize
4KB

Download
memory/1420-150-0x00000000030A0000-0x00000000030A1000-memory.dmp

Filesize
4KB

Download
memory/1420-151-0x00000000030B0000-0x00000000030B1000-memory.dmp

Filesize
4KB

Download
memory/1420-152-0x00000000030C0000-0x00000000030C1000-memory.dmp

Filesize
4KB

Download
memory/1420-153-0x00000000030D0000-0x00000000030D1000-memory.dmp

Filesize
4KB

Download
memory/1420-154-0x0000000000400000-0x0000000002991000-memory.dmp

Filesize
37.6MB

Download
memory/1420-146-0x0000000002A70000-0x0000000002A71000-memory.dmp

Filesize
4KB

Download
memory/1420-148-0x0000000002AF0000-0x0000000002AF1000-memory.dmp

Filesize
4KB

Download
memory/1576-164-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1576-169-0x0000000005930000-0x0000000005ED4000-memory.dmp

Filesize
5.6MB

Download
memory/1576-171-0x0000000005570000-0x0000000005602000-memory.dmp

Filesize
584KB

Download
memory/1576-172-0x00000000054C0000-0x00000000054D0000-memory.dmp

Filesize
64KB

Download
memory/1576-173-0x0000000005490000-0x000000000549A000-memory.dmp

Filesize
40KB

Download
memory/1576-175-0x00000000054C0000-0x00000000054D0000-memory.dmp

Filesize
64KB

Download
memory/3816-133-0x0000000000730000-0x0000000001912000-memory.dmp

Filesize
17.9MB

Download
memory/3816-134-0x0000000006170000-0x000000000620C000-memory.dmp

Filesize
624KB

Download
memory/3816-170-0x0000000003BB0000-0x0000000003BC0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads