njrat | a54a3ca8ce01f7e9855d4d47d35bc82520ebd8d16a77df24e398b220d86d445d

Analysis

max time kernel
149s
max time network
151s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
12/06/2023, 03:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c4cfbb0106571122d1cc4364513e7803.exe
Size

596KB
MD5

c4cfbb0106571122d1cc4364513e7803
SHA1

1a3a7b1357ed56b0183d03ee4b859659cc68f986
SHA256

a54a3ca8ce01f7e9855d4d47d35bc82520ebd8d16a77df24e398b220d86d445d
SHA512

36a13d91a28d051fbf7c611d3c6ef7014ee8bcddc2ce5bca72f094f70bd0dbfb99a50025455203f0fabb60c61afc89aabf2e41f70aac5349372a146500eaefaa
SSDEEP

12288:ugZXEAO/BUdG3gVdt7KT4OIC4J84wHM5Qiu62PJr+ymhm:ugZXoZUTVdt7KTxoSs5QhCymhm

Score

10^/10

njrat hacked trojan

Malware Config

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

HacKed

2.tcp.eu.ngrok.io:19328

Mutex

Windows Update

Attributes

reg_key
Windows Update
splitter
|Hassan|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 2 IoCs

pid	Process
772	mrx.exe
996	mrx.exe

Loads dropped DLL 4 IoCs

pid	Process
1324	c4cfbb0106571122d1cc4364513e7803.exe
1324	c4cfbb0106571122d1cc4364513e7803.exe
1324	c4cfbb0106571122d1cc4364513e7803.exe
772	mrx.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
996	mrx.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	996	mrx.exe
Token: 33	996	mrx.exe
Token: SeIncBasePriorityPrivilege	996	mrx.exe
Token: 33	996	mrx.exe
Token: SeIncBasePriorityPrivilege	996	mrx.exe
Token: 33	996	mrx.exe
Token: SeIncBasePriorityPrivilege	996	mrx.exe
Token: 33	996	mrx.exe
Token: SeIncBasePriorityPrivilege	996	mrx.exe
Token: 33	996	mrx.exe
Token: SeIncBasePriorityPrivilege	996	mrx.exe
Token: 33	996	mrx.exe
Token: SeIncBasePriorityPrivilege	996	mrx.exe
Token: 33	996	mrx.exe
Token: SeIncBasePriorityPrivilege	996	mrx.exe
Token: 33	996	mrx.exe
Token: SeIncBasePriorityPrivilege	996	mrx.exe
Token: 33	996	mrx.exe
Token: SeIncBasePriorityPrivilege	996	mrx.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1324 wrote to memory of 772	1324	c4cfbb0106571122d1cc4364513e7803.exe	28
PID 1324 wrote to memory of 772	1324	c4cfbb0106571122d1cc4364513e7803.exe	28
PID 1324 wrote to memory of 772	1324	c4cfbb0106571122d1cc4364513e7803.exe	28
PID 1324 wrote to memory of 772	1324	c4cfbb0106571122d1cc4364513e7803.exe	28
PID 772 wrote to memory of 996	772	mrx.exe	29
PID 772 wrote to memory of 996	772	mrx.exe	29
PID 772 wrote to memory of 996	772	mrx.exe	29
PID 772 wrote to memory of 996	772	mrx.exe	29

C:\Users\Admin\AppData\Local\Temp\c4cfbb0106571122d1cc4364513e7803.exe
"C:\Users\Admin\AppData\Local\Temp\c4cfbb0106571122d1cc4364513e7803.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1324
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\mrx.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\mrx.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:772
- - C:\Users\Admin\AppData\Local\Temp\mrx.exe
    "C:\Users\Admin\AppData\Local\Temp\mrx.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:996

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\mrx.exe

Filesize
43KB

MD5
7bc43f36b07c8b1de174daf7f4ead29b

SHA1
700a9e8e4a8a0cd8f7b3b1c58ebf5e47dfa7ec31

SHA256
c28550985ad9088407d8149d7d37155c97f10a461581c8a570bb082436596aff

SHA512
54169b096eb83782316ea605c391ee70c00099292fdecffff72656989f9eb0ed2d5448f4eb0374d3426c5c7e1d964d2634cd46beedd70aebf7417c28bcdefe8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\mrx.exe

Filesize
43KB

MD5
7bc43f36b07c8b1de174daf7f4ead29b

SHA1
700a9e8e4a8a0cd8f7b3b1c58ebf5e47dfa7ec31

SHA256
c28550985ad9088407d8149d7d37155c97f10a461581c8a570bb082436596aff

SHA512
54169b096eb83782316ea605c391ee70c00099292fdecffff72656989f9eb0ed2d5448f4eb0374d3426c5c7e1d964d2634cd46beedd70aebf7417c28bcdefe8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\mrx.exe

Filesize
43KB

MD5
7bc43f36b07c8b1de174daf7f4ead29b

SHA1
700a9e8e4a8a0cd8f7b3b1c58ebf5e47dfa7ec31

SHA256
c28550985ad9088407d8149d7d37155c97f10a461581c8a570bb082436596aff

SHA512
54169b096eb83782316ea605c391ee70c00099292fdecffff72656989f9eb0ed2d5448f4eb0374d3426c5c7e1d964d2634cd46beedd70aebf7417c28bcdefe8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrx.exe

Filesize
43KB

MD5
7bc43f36b07c8b1de174daf7f4ead29b

SHA1
700a9e8e4a8a0cd8f7b3b1c58ebf5e47dfa7ec31

SHA256
c28550985ad9088407d8149d7d37155c97f10a461581c8a570bb082436596aff

SHA512
54169b096eb83782316ea605c391ee70c00099292fdecffff72656989f9eb0ed2d5448f4eb0374d3426c5c7e1d964d2634cd46beedd70aebf7417c28bcdefe8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrx.exe

Filesize
43KB

MD5
7bc43f36b07c8b1de174daf7f4ead29b

SHA1
700a9e8e4a8a0cd8f7b3b1c58ebf5e47dfa7ec31

SHA256
c28550985ad9088407d8149d7d37155c97f10a461581c8a570bb082436596aff

SHA512
54169b096eb83782316ea605c391ee70c00099292fdecffff72656989f9eb0ed2d5448f4eb0374d3426c5c7e1d964d2634cd46beedd70aebf7417c28bcdefe8a

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\mrx.exe

Filesize
43KB

MD5
7bc43f36b07c8b1de174daf7f4ead29b

SHA1
700a9e8e4a8a0cd8f7b3b1c58ebf5e47dfa7ec31

SHA256
c28550985ad9088407d8149d7d37155c97f10a461581c8a570bb082436596aff

SHA512
54169b096eb83782316ea605c391ee70c00099292fdecffff72656989f9eb0ed2d5448f4eb0374d3426c5c7e1d964d2634cd46beedd70aebf7417c28bcdefe8a

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\mrx.exe

Filesize
43KB

MD5
7bc43f36b07c8b1de174daf7f4ead29b

SHA1
700a9e8e4a8a0cd8f7b3b1c58ebf5e47dfa7ec31

SHA256
c28550985ad9088407d8149d7d37155c97f10a461581c8a570bb082436596aff

SHA512
54169b096eb83782316ea605c391ee70c00099292fdecffff72656989f9eb0ed2d5448f4eb0374d3426c5c7e1d964d2634cd46beedd70aebf7417c28bcdefe8a

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\mrx.exe

Filesize
43KB

MD5
7bc43f36b07c8b1de174daf7f4ead29b

SHA1
700a9e8e4a8a0cd8f7b3b1c58ebf5e47dfa7ec31

SHA256
c28550985ad9088407d8149d7d37155c97f10a461581c8a570bb082436596aff

SHA512
54169b096eb83782316ea605c391ee70c00099292fdecffff72656989f9eb0ed2d5448f4eb0374d3426c5c7e1d964d2634cd46beedd70aebf7417c28bcdefe8a

Download Submit
\Users\Admin\AppData\Local\Temp\mrx.exe

Filesize
43KB

MD5
7bc43f36b07c8b1de174daf7f4ead29b

SHA1
700a9e8e4a8a0cd8f7b3b1c58ebf5e47dfa7ec31

SHA256
c28550985ad9088407d8149d7d37155c97f10a461581c8a570bb082436596aff

SHA512
54169b096eb83782316ea605c391ee70c00099292fdecffff72656989f9eb0ed2d5448f4eb0374d3426c5c7e1d964d2634cd46beedd70aebf7417c28bcdefe8a

Download Submit
memory/772-72-0x0000000004CC0000-0x0000000004D00000-memory.dmp

Filesize
256KB

Download
memory/772-71-0x0000000000E80000-0x0000000000E92000-memory.dmp

Filesize
72KB

Download
memory/996-80-0x0000000000F90000-0x0000000000FA2000-memory.dmp

Filesize
72KB

Download
memory/996-82-0x0000000000D90000-0x0000000000DD0000-memory.dmp

Filesize
256KB

Download
memory/996-83-0x0000000000D90000-0x0000000000DD0000-memory.dmp

Filesize
256KB

Download
memory/1324-58-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/1324-81-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download