njrat | 9d4c6f838ce6d86d7975d59dbd6158120503b4c247fbb20cad64d44eacdfe8a5

Resubmissions

25-04-2023 20:24

230425-y64qrsef6z 10

25-04-2023 20:21

230425-y47pmsef5y 10

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
25-04-2023 20:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sms.exe
Size

9.6MB
MD5

139763e38f11cee5331a742013d70b7a
SHA1

6105a21e8e87b8d630c2954875dc9ad5307659e2
SHA256

9d4c6f838ce6d86d7975d59dbd6158120503b4c247fbb20cad64d44eacdfe8a5
SHA512

227632adabfdb48939226e56ae77dd6bdd3f3c25d9f019a82f1e695b7fdad8cd3bf484387b9e076cffee8170e21ec5184b8642289add9cf3343cd34ad02587ca
SSDEEP

196608:YtseIs9onJ5hrZERlyiU8AdZYJERkrTmkReTZqbI6VQSTX:/s9c5hlERJAdZYyerqmeWQI

Score

10^/10

njrat hacked evasion persistence pyinstaller trojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

HacKed

service.net-freaks.com:21649

Mutex

57709d3e7e090c0adae95ca5ed2afedd

Attributes

reg_key
57709d3e7e090c0adae95ca5ed2afedd
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
360	netsh.exe

Executes dropped EXE 3 IoCs

pid	Process
2004	sms.exe
616	win.exe
960	sms.exe

Loads dropped DLL 3 IoCs

pid	Process
812	sms.exe
812	sms.exe
960	sms.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Run\57709d3e7e090c0adae95ca5ed2afedd = "\"C:\\ProgramData\\sms\\sms\\1.0.0.0\\temp\\win.exe\" .."	win.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\57709d3e7e090c0adae95ca5ed2afedd = "\"C:\\ProgramData\\sms\\sms\\1.0.0.0\\temp\\win.exe\" .."	win.exe

Detects Pyinstaller 4 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x0008000000012306-58.dat	pyinstaller
behavioral1/files/0x0008000000012306-60.dat	pyinstaller
behavioral1/files/0x0008000000012306-69.dat	pyinstaller
behavioral1/files/0x0008000000012306-93.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	616	win.exe
Token: 33	616	win.exe
Token: SeIncBasePriorityPrivilege	616	win.exe
Token: 33	616	win.exe
Token: SeIncBasePriorityPrivilege	616	win.exe
Token: 33	616	win.exe
Token: SeIncBasePriorityPrivilege	616	win.exe
Token: 33	616	win.exe
Token: SeIncBasePriorityPrivilege	616	win.exe
Token: 33	616	win.exe
Token: SeIncBasePriorityPrivilege	616	win.exe
Token: 33	616	win.exe
Token: SeIncBasePriorityPrivilege	616	win.exe
Token: 33	616	win.exe
Token: SeIncBasePriorityPrivilege	616	win.exe
Token: 33	616	win.exe
Token: SeIncBasePriorityPrivilege	616	win.exe
Token: 33	616	win.exe
Token: SeIncBasePriorityPrivilege	616	win.exe
Token: 33	616	win.exe
Token: SeIncBasePriorityPrivilege	616	win.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 812 wrote to memory of 2004	812	sms.exe	28
PID 812 wrote to memory of 2004	812	sms.exe	28
PID 812 wrote to memory of 2004	812	sms.exe	28
PID 812 wrote to memory of 2004	812	sms.exe	28
PID 812 wrote to memory of 616	812	sms.exe	30
PID 812 wrote to memory of 616	812	sms.exe	30
PID 812 wrote to memory of 616	812	sms.exe	30
PID 812 wrote to memory of 616	812	sms.exe	30
PID 2004 wrote to memory of 960	2004	sms.exe	31
PID 2004 wrote to memory of 960	2004	sms.exe	31
PID 2004 wrote to memory of 960	2004	sms.exe	31
PID 616 wrote to memory of 360	616	win.exe	32
PID 616 wrote to memory of 360	616	win.exe	32
PID 616 wrote to memory of 360	616	win.exe	32
PID 616 wrote to memory of 360	616	win.exe	32

C:\Users\Admin\AppData\Local\Temp\sms.exe
"C:\Users\Admin\AppData\Local\Temp\sms.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:812
- C:\ProgramData\sms\sms\1.0.0.0\temp\sms.exe
  "C:\ProgramData\sms\sms\1.0.0.0\temp\sms.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2004
- - C:\ProgramData\sms\sms\1.0.0.0\temp\sms.exe
    "C:\ProgramData\sms\sms\1.0.0.0\temp\sms.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:960
- C:\ProgramData\sms\sms\1.0.0.0\temp\win.exe
  "C:\ProgramData\sms\sms\1.0.0.0\temp\win.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:616
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\ProgramData\sms\sms\1.0.0.0\temp\win.exe" "win.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    PID:360

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\sms\sms\1.0.0.0\temp\sms.exe

Filesize
7.0MB

MD5
f48eea2e5e32419eaa34a752cb2c6122

SHA1
4244543208bfb5bdf83a6a392ac70f2cbd10c1c1

SHA256
483f19710589564e35ef1266a00855fb55574f60b7dc92590eb7a7f2315da1d8

SHA512
45c72522ddc726173576ffebc1f18c372a638a944b15664bb1ee2ea5385cd57bc5325aa6b0b63a569a089c57273bf308fb2581f536c1ae7df75d3ea08288d315

Download Submit
C:\ProgramData\sms\sms\1.0.0.0\temp\sms.exe

Filesize
7.0MB

MD5
f48eea2e5e32419eaa34a752cb2c6122

SHA1
4244543208bfb5bdf83a6a392ac70f2cbd10c1c1

SHA256
483f19710589564e35ef1266a00855fb55574f60b7dc92590eb7a7f2315da1d8

SHA512
45c72522ddc726173576ffebc1f18c372a638a944b15664bb1ee2ea5385cd57bc5325aa6b0b63a569a089c57273bf308fb2581f536c1ae7df75d3ea08288d315

Download Submit
C:\ProgramData\sms\sms\1.0.0.0\temp\sms.exe

Filesize
7.0MB

MD5
f48eea2e5e32419eaa34a752cb2c6122

SHA1
4244543208bfb5bdf83a6a392ac70f2cbd10c1c1

SHA256
483f19710589564e35ef1266a00855fb55574f60b7dc92590eb7a7f2315da1d8

SHA512
45c72522ddc726173576ffebc1f18c372a638a944b15664bb1ee2ea5385cd57bc5325aa6b0b63a569a089c57273bf308fb2581f536c1ae7df75d3ea08288d315

Download Submit
C:\ProgramData\sms\sms\1.0.0.0\temp\win.exe

Filesize
2.6MB

MD5
475c322247c3692e2d9f7b4b9a81aaeb

SHA1
af72cd7fedb3bcc33ccbfa9fa891e7ee9dbd45ae

SHA256
ee02117e6feeac823a164efaa5dc48710c91a46a571eabc64f515b81252caf0a

SHA512
1e8d72e218b1bc27691662d18ba609d4568e07a322717c2487fa243306601f61b2618468432ce5b530504a0598f5a82b5807f57d8a03e0c32ba57d032f219b28

Download Submit
C:\ProgramData\sms\sms\1.0.0.0\temp\win.exe

Filesize
2.6MB

MD5
475c322247c3692e2d9f7b4b9a81aaeb

SHA1
af72cd7fedb3bcc33ccbfa9fa891e7ee9dbd45ae

SHA256
ee02117e6feeac823a164efaa5dc48710c91a46a571eabc64f515b81252caf0a

SHA512
1e8d72e218b1bc27691662d18ba609d4568e07a322717c2487fa243306601f61b2618468432ce5b530504a0598f5a82b5807f57d8a03e0c32ba57d032f219b28

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20042\python39.dll

Filesize
4.3MB

MD5
11c051f93c922d6b6b4829772f27a5be

SHA1
42fbdf3403a4bc3d46d348ca37a9f835e073d440

SHA256
0eabf135bb9492e561bbbc5602a933623c9e461aceaf6eb1ceced635e363cd5c

SHA512
1cdec23486cffcb91098a8b2c3f1262d6703946acf52aa2fe701964fb228d1411d9b6683bd54527860e10affc0e3d3de92a6ecf2c6c8465e9c8b9a7304e2a4a6

Download Submit
\ProgramData\sms\sms\1.0.0.0\temp\sms.exe

Filesize
7.0MB

MD5
f48eea2e5e32419eaa34a752cb2c6122

SHA1
4244543208bfb5bdf83a6a392ac70f2cbd10c1c1

SHA256
483f19710589564e35ef1266a00855fb55574f60b7dc92590eb7a7f2315da1d8

SHA512
45c72522ddc726173576ffebc1f18c372a638a944b15664bb1ee2ea5385cd57bc5325aa6b0b63a569a089c57273bf308fb2581f536c1ae7df75d3ea08288d315

Download Submit
\ProgramData\sms\sms\1.0.0.0\temp\win.exe

Filesize
2.6MB

MD5
475c322247c3692e2d9f7b4b9a81aaeb

SHA1
af72cd7fedb3bcc33ccbfa9fa891e7ee9dbd45ae

SHA256
ee02117e6feeac823a164efaa5dc48710c91a46a571eabc64f515b81252caf0a

SHA512
1e8d72e218b1bc27691662d18ba609d4568e07a322717c2487fa243306601f61b2618468432ce5b530504a0598f5a82b5807f57d8a03e0c32ba57d032f219b28

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI20042\python39.dll

Filesize
4.3MB

MD5
11c051f93c922d6b6b4829772f27a5be

SHA1
42fbdf3403a4bc3d46d348ca37a9f835e073d440

SHA256
0eabf135bb9492e561bbbc5602a933623c9e461aceaf6eb1ceced635e363cd5c

SHA512
1cdec23486cffcb91098a8b2c3f1262d6703946acf52aa2fe701964fb228d1411d9b6683bd54527860e10affc0e3d3de92a6ecf2c6c8465e9c8b9a7304e2a4a6

Download Submit
memory/616-68-0x0000000000840000-0x0000000000ADC000-memory.dmp

Filesize
2.6MB

Download
memory/616-96-0x0000000000410000-0x0000000000420000-memory.dmp

Filesize
64KB

Download
memory/616-97-0x00000000093A0000-0x00000000093E0000-memory.dmp

Filesize
256KB

Download
memory/616-99-0x00000000093A0000-0x00000000093E0000-memory.dmp

Filesize
256KB

Download
memory/812-54-0x00000000001F0000-0x0000000000B9A000-memory.dmp

Filesize
9.7MB

Download
memory/812-55-0x0000000005530000-0x0000000005570000-memory.dmp

Filesize
256KB

Download
memory/812-98-0x0000000005530000-0x0000000005570000-memory.dmp

Filesize
256KB

Download