njrat | c015c0871db838b7225f72b293fdb88dbcea09aa258cfb5fe18e986072e9f793

General

Target

Respalo.exe
Size

101KB
MD5

964c11b64832dfc0228228dc3041ad30
SHA1

44340a21dd37096807675f8ca68a111031480d01
SHA256

c015c0871db838b7225f72b293fdb88dbcea09aa258cfb5fe18e986072e9f793
SHA512

c0e843952d423335491f68169d67575a67952b5b7efeb98632f6d66453b1cae1440232f7c5fa8e7cf92cc8a9f5c8fa22ca522264968affff3aedb2997045fb9b
SSDEEP

1536:Q+CwHaUlNvEH6vBZkZcv9y5aD3BbOOzfso5fQT/inO3163BEDa:Q+voEBe35aD3BbOWso5fQDinQ63B+a

Score

10^/10

njrat nyan cat trojan

Malware Config

Extracted

Family

njrat

Version

0.7NC

Botnet

NYAN CAT

C2

respaldo2424.duckdns.org:9090

Mutex

c959d74c7c9745cb

Attributes

reg_key
c959d74c7c9745cb
splitter
@!#&^%$

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 2 IoCs

Processes:

ploksdfgh.exeploksdfgh.exe

pid process

552 ploksdfgh.exe
1944 ploksdfgh.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
552	ploksdfgh.exe
1944	ploksdfgh.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

Respalo.exeploksdfgh.exeploksdfgh.exe

description	pid	process	target process
PID 1580 set thread context of 1512	1580	Respalo.exe	vbc.exe
PID 552 set thread context of 2028	552	ploksdfgh.exe	vbc.exe
PID 1944 set thread context of 364	1944	ploksdfgh.exe	vbc.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

2032 schtasks.exe
1724 schtasks.exe
960 schtasks.exe

pid	process
2032	schtasks.exe
1724	schtasks.exe
960	schtasks.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

vbc.exe

description	pid	process
Token: SeDebugPrivilege	1512	vbc.exe
Token: 33	1512	vbc.exe
Token: SeIncBasePriorityPrivilege	1512	vbc.exe
Token: 33	1512	vbc.exe
Token: SeIncBasePriorityPrivilege	1512	vbc.exe
Token: 33	1512	vbc.exe
Token: SeIncBasePriorityPrivilege	1512	vbc.exe
Token: 33	1512	vbc.exe
Token: SeIncBasePriorityPrivilege	1512	vbc.exe
Token: 33	1512	vbc.exe
Token: SeIncBasePriorityPrivilege	1512	vbc.exe
Token: 33	1512	vbc.exe
Token: SeIncBasePriorityPrivilege	1512	vbc.exe
Token: 33	1512	vbc.exe
Token: SeIncBasePriorityPrivilege	1512	vbc.exe
Token: 33	1512	vbc.exe
Token: SeIncBasePriorityPrivilege	1512	vbc.exe
Token: 33	1512	vbc.exe
Token: SeIncBasePriorityPrivilege	1512	vbc.exe
Token: 33	1512	vbc.exe
Token: SeIncBasePriorityPrivilege	1512	vbc.exe
Token: 33	1512	vbc.exe
Token: SeIncBasePriorityPrivilege	1512	vbc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Respalo.execmd.exetaskeng.exeploksdfgh.execmd.exeploksdfgh.exe

description	pid	process	target process
PID 1580 wrote to memory of 1512	1580	Respalo.exe	vbc.exe
PID 1580 wrote to memory of 1512	1580	Respalo.exe	vbc.exe
PID 1580 wrote to memory of 1512	1580	Respalo.exe	vbc.exe
PID 1580 wrote to memory of 1512	1580	Respalo.exe	vbc.exe
PID 1580 wrote to memory of 1512	1580	Respalo.exe	vbc.exe
PID 1580 wrote to memory of 1512	1580	Respalo.exe	vbc.exe
PID 1580 wrote to memory of 1512	1580	Respalo.exe	vbc.exe
PID 1580 wrote to memory of 1512	1580	Respalo.exe	vbc.exe
PID 1580 wrote to memory of 1512	1580	Respalo.exe	vbc.exe
PID 1580 wrote to memory of 268	1580	Respalo.exe	cmd.exe
PID 1580 wrote to memory of 268	1580	Respalo.exe	cmd.exe
PID 1580 wrote to memory of 268	1580	Respalo.exe	cmd.exe
PID 1580 wrote to memory of 268	1580	Respalo.exe	cmd.exe
PID 1580 wrote to memory of 1776	1580	Respalo.exe	cmd.exe
PID 1580 wrote to memory of 1776	1580	Respalo.exe	cmd.exe
PID 1580 wrote to memory of 1776	1580	Respalo.exe	cmd.exe
PID 1580 wrote to memory of 1776	1580	Respalo.exe	cmd.exe
PID 1776 wrote to memory of 1724	1776	cmd.exe	schtasks.exe
PID 1776 wrote to memory of 1724	1776	cmd.exe	schtasks.exe
PID 1776 wrote to memory of 1724	1776	cmd.exe	schtasks.exe
PID 1776 wrote to memory of 1724	1776	cmd.exe	schtasks.exe
PID 1580 wrote to memory of 668	1580	Respalo.exe	cmd.exe
PID 1580 wrote to memory of 668	1580	Respalo.exe	cmd.exe
PID 1580 wrote to memory of 668	1580	Respalo.exe	cmd.exe
PID 1580 wrote to memory of 668	1580	Respalo.exe	cmd.exe
PID 1552 wrote to memory of 552	1552	taskeng.exe	ploksdfgh.exe
PID 1552 wrote to memory of 552	1552	taskeng.exe	ploksdfgh.exe
PID 1552 wrote to memory of 552	1552	taskeng.exe	ploksdfgh.exe
PID 1552 wrote to memory of 552	1552	taskeng.exe	ploksdfgh.exe
PID 552 wrote to memory of 2028	552	ploksdfgh.exe	vbc.exe
PID 552 wrote to memory of 2028	552	ploksdfgh.exe	vbc.exe
PID 552 wrote to memory of 2028	552	ploksdfgh.exe	vbc.exe
PID 552 wrote to memory of 2028	552	ploksdfgh.exe	vbc.exe
PID 552 wrote to memory of 2028	552	ploksdfgh.exe	vbc.exe
PID 552 wrote to memory of 2028	552	ploksdfgh.exe	vbc.exe
PID 552 wrote to memory of 2028	552	ploksdfgh.exe	vbc.exe
PID 552 wrote to memory of 2028	552	ploksdfgh.exe	vbc.exe
PID 552 wrote to memory of 2028	552	ploksdfgh.exe	vbc.exe
PID 552 wrote to memory of 1124	552	ploksdfgh.exe	cmd.exe
PID 552 wrote to memory of 1124	552	ploksdfgh.exe	cmd.exe
PID 552 wrote to memory of 1124	552	ploksdfgh.exe	cmd.exe
PID 552 wrote to memory of 1124	552	ploksdfgh.exe	cmd.exe
PID 552 wrote to memory of 1816	552	ploksdfgh.exe	cmd.exe
PID 552 wrote to memory of 1816	552	ploksdfgh.exe	cmd.exe
PID 552 wrote to memory of 1816	552	ploksdfgh.exe	cmd.exe
PID 552 wrote to memory of 1816	552	ploksdfgh.exe	cmd.exe
PID 1816 wrote to memory of 960	1816	cmd.exe	schtasks.exe
PID 1816 wrote to memory of 960	1816	cmd.exe	schtasks.exe
PID 1816 wrote to memory of 960	1816	cmd.exe	schtasks.exe
PID 1816 wrote to memory of 960	1816	cmd.exe	schtasks.exe
PID 552 wrote to memory of 936	552	ploksdfgh.exe	cmd.exe
PID 552 wrote to memory of 936	552	ploksdfgh.exe	cmd.exe
PID 552 wrote to memory of 936	552	ploksdfgh.exe	cmd.exe
PID 552 wrote to memory of 936	552	ploksdfgh.exe	cmd.exe
PID 1552 wrote to memory of 1944	1552	taskeng.exe	ploksdfgh.exe
PID 1552 wrote to memory of 1944	1552	taskeng.exe	ploksdfgh.exe
PID 1552 wrote to memory of 1944	1552	taskeng.exe	ploksdfgh.exe
PID 1552 wrote to memory of 1944	1552	taskeng.exe	ploksdfgh.exe
PID 1944 wrote to memory of 364	1944	ploksdfgh.exe	vbc.exe
PID 1944 wrote to memory of 364	1944	ploksdfgh.exe	vbc.exe
PID 1944 wrote to memory of 364	1944	ploksdfgh.exe	vbc.exe
PID 1944 wrote to memory of 364	1944	ploksdfgh.exe	vbc.exe
PID 1944 wrote to memory of 364	1944	ploksdfgh.exe	vbc.exe
PID 1944 wrote to memory of 364	1944	ploksdfgh.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\Respalo.exe
"C:\Users\Admin\AppData\Local\Temp\Respalo.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1580

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1512

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\ploksdfgh"
2⤵
PID:268

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\ploksdfgh\ploksdfgh.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1776

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\ploksdfgh\ploksdfgh.exe'" /f
3⤵
- Creates scheduled task(s)
PID:1724

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\Respalo.exe" "C:\Users\Admin\AppData\Roaming\ploksdfgh\ploksdfgh.exe"
2⤵
PID:668

C:\Windows\system32\taskeng.exe
taskeng.exe {A7D7A97F-B6FA-4116-9FBD-034FF9D66E82} S-1-5-21-1914912747-3343861975-731272777-1000:TMRJMUQF\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1552

C:\Users\Admin\AppData\Roaming\ploksdfgh\ploksdfgh.exe
C:\Users\Admin\AppData\Roaming\ploksdfgh\ploksdfgh.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:552

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:2028

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\ploksdfgh"
3⤵
PID:1124

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\ploksdfgh\ploksdfgh.exe'" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:1816

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\ploksdfgh\ploksdfgh.exe'" /f
4⤵
- Creates scheduled task(s)
PID:960

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\ploksdfgh\ploksdfgh.exe" "C:\Users\Admin\AppData\Roaming\ploksdfgh\ploksdfgh.exe"
3⤵
PID:936

C:\Users\Admin\AppData\Roaming\ploksdfgh\ploksdfgh.exe
C:\Users\Admin\AppData\Roaming\ploksdfgh\ploksdfgh.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1944

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:364

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\ploksdfgh"
3⤵
PID:1488

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\ploksdfgh\ploksdfgh.exe'" /f
3⤵
PID:1908

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\ploksdfgh\ploksdfgh.exe'" /f
4⤵
- Creates scheduled task(s)
PID:2032

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\ploksdfgh\ploksdfgh.exe" "C:\Users\Admin\AppData\Roaming\ploksdfgh\ploksdfgh.exe"
3⤵
PID:1740

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ploksdfgh\ploksdfgh.exe
Filesize
101KB

MD5
964c11b64832dfc0228228dc3041ad30

SHA1
44340a21dd37096807675f8ca68a111031480d01

SHA256
c015c0871db838b7225f72b293fdb88dbcea09aa258cfb5fe18e986072e9f793

SHA512
c0e843952d423335491f68169d67575a67952b5b7efeb98632f6d66453b1cae1440232f7c5fa8e7cf92cc8a9f5c8fa22ca522264968affff3aedb2997045fb9b

Download Submit
C:\Users\Admin\AppData\Roaming\ploksdfgh\ploksdfgh.exe
Filesize
101KB

MD5
964c11b64832dfc0228228dc3041ad30

SHA1
44340a21dd37096807675f8ca68a111031480d01

SHA256
c015c0871db838b7225f72b293fdb88dbcea09aa258cfb5fe18e986072e9f793

SHA512
c0e843952d423335491f68169d67575a67952b5b7efeb98632f6d66453b1cae1440232f7c5fa8e7cf92cc8a9f5c8fa22ca522264968affff3aedb2997045fb9b

Download Submit
C:\Users\Admin\AppData\Roaming\ploksdfgh\ploksdfgh.exe
Filesize
101KB

MD5
964c11b64832dfc0228228dc3041ad30

SHA1
44340a21dd37096807675f8ca68a111031480d01

SHA256
c015c0871db838b7225f72b293fdb88dbcea09aa258cfb5fe18e986072e9f793

SHA512
c0e843952d423335491f68169d67575a67952b5b7efeb98632f6d66453b1cae1440232f7c5fa8e7cf92cc8a9f5c8fa22ca522264968affff3aedb2997045fb9b

Download Submit
memory/552-74-0x0000000000DB0000-0x0000000000DF0000-memory.dmp

Filesize
256KB

Download
memory/552-73-0x0000000000FD0000-0x0000000000FF0000-memory.dmp

Filesize
128KB

Download
memory/1512-62-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1512-70-0x0000000000870000-0x00000000008B0000-memory.dmp

Filesize
256KB

Download
memory/1512-61-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1512-58-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1512-64-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1512-66-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1512-69-0x0000000000870000-0x00000000008B0000-memory.dmp

Filesize
256KB

Download
memory/1512-57-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1512-60-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1512-59-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1580-54-0x0000000000060000-0x0000000000080000-memory.dmp

Filesize
128KB

Download
memory/1580-56-0x0000000004A80000-0x0000000004AC0000-memory.dmp

Filesize
256KB

Download
memory/1580-55-0x00000000001F0000-0x00000000001FE000-memory.dmp

Filesize
56KB

Download
memory/1944-86-0x0000000000AB0000-0x0000000000AF0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads