njrat | c28550985ad9088407d8149d7d37155c97f10a461581c8a570bb082436596aff

General

Target

0x000b0000000122e7-60.exe
Size

43KB
MD5

7bc43f36b07c8b1de174daf7f4ead29b
SHA1

700a9e8e4a8a0cd8f7b3b1c58ebf5e47dfa7ec31
SHA256

c28550985ad9088407d8149d7d37155c97f10a461581c8a570bb082436596aff
SHA512

54169b096eb83782316ea605c391ee70c00099292fdecffff72656989f9eb0ed2d5448f4eb0374d3426c5c7e1d964d2634cd46beedd70aebf7417c28bcdefe8a
SSDEEP

384:mZyCdFI1STss7yKSXfuGSOEdrpS2dzsIij+ZsNO3PlpJKkkjh/TzF7pWn6/greTf:8Fduk4smKSvupPrkYuXQ/oD3+L

Score

10^/10

njrat hacked trojan

Malware Config

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

HacKed

C2

2.tcp.eu.ngrok.io:19328

Mutex

Windows Update

Attributes

reg_key
Windows Update
splitter
|Hassan|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	0x000b0000000122e7-60.exe

Executes dropped EXE 1 IoCs

pid	Process
1332	mrx.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3812	0x000b0000000122e7-60.exe
1332	mrx.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: SeDebugPrivilege	1332	mrx.exe
Token: 33	1332	mrx.exe
Token: SeIncBasePriorityPrivilege	1332	mrx.exe
Token: 33	1332	mrx.exe
Token: SeIncBasePriorityPrivilege	1332	mrx.exe
Token: 33	1332	mrx.exe
Token: SeIncBasePriorityPrivilege	1332	mrx.exe
Token: 33	1332	mrx.exe
Token: SeIncBasePriorityPrivilege	1332	mrx.exe
Token: 33	1332	mrx.exe
Token: SeIncBasePriorityPrivilege	1332	mrx.exe
Token: 33	1332	mrx.exe
Token: SeIncBasePriorityPrivilege	1332	mrx.exe
Token: 33	1332	mrx.exe
Token: SeIncBasePriorityPrivilege	1332	mrx.exe
Token: 33	1332	mrx.exe
Token: SeIncBasePriorityPrivilege	1332	mrx.exe
Token: 33	1332	mrx.exe
Token: SeIncBasePriorityPrivilege	1332	mrx.exe
Token: 33	1332	mrx.exe
Token: SeIncBasePriorityPrivilege	1332	mrx.exe
Token: 33	1332	mrx.exe
Token: SeIncBasePriorityPrivilege	1332	mrx.exe
Token: 33	1332	mrx.exe
Token: SeIncBasePriorityPrivilege	1332	mrx.exe
Token: 33	1332	mrx.exe
Token: SeIncBasePriorityPrivilege	1332	mrx.exe
Token: 33	1332	mrx.exe
Token: SeIncBasePriorityPrivilege	1332	mrx.exe
Token: 33	1332	mrx.exe
Token: SeIncBasePriorityPrivilege	1332	mrx.exe
Token: 33	1332	mrx.exe
Token: SeIncBasePriorityPrivilege	1332	mrx.exe
Token: 33	1332	mrx.exe
Token: SeIncBasePriorityPrivilege	1332	mrx.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3812 wrote to memory of 1332	3812	0x000b0000000122e7-60.exe	84
PID 3812 wrote to memory of 1332	3812	0x000b0000000122e7-60.exe	84
PID 3812 wrote to memory of 1332	3812	0x000b0000000122e7-60.exe	84

C:\Users\Admin\AppData\Local\Temp\0x000b0000000122e7-60.exe
"C:\Users\Admin\AppData\Local\Temp\0x000b0000000122e7-60.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3812
- C:\Users\Admin\AppData\Local\Temp\mrx.exe
  "C:\Users\Admin\AppData\Local\Temp\mrx.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:1332

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

1

T1102

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\mrx.exe

Filesize
43KB

MD5
7bc43f36b07c8b1de174daf7f4ead29b

SHA1
700a9e8e4a8a0cd8f7b3b1c58ebf5e47dfa7ec31

SHA256
c28550985ad9088407d8149d7d37155c97f10a461581c8a570bb082436596aff

SHA512
54169b096eb83782316ea605c391ee70c00099292fdecffff72656989f9eb0ed2d5448f4eb0374d3426c5c7e1d964d2634cd46beedd70aebf7417c28bcdefe8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrx.exe

Filesize
43KB

MD5
7bc43f36b07c8b1de174daf7f4ead29b

SHA1
700a9e8e4a8a0cd8f7b3b1c58ebf5e47dfa7ec31

SHA256
c28550985ad9088407d8149d7d37155c97f10a461581c8a570bb082436596aff

SHA512
54169b096eb83782316ea605c391ee70c00099292fdecffff72656989f9eb0ed2d5448f4eb0374d3426c5c7e1d964d2634cd46beedd70aebf7417c28bcdefe8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrx.exe

Filesize
43KB

MD5
7bc43f36b07c8b1de174daf7f4ead29b

SHA1
700a9e8e4a8a0cd8f7b3b1c58ebf5e47dfa7ec31

SHA256
c28550985ad9088407d8149d7d37155c97f10a461581c8a570bb082436596aff

SHA512
54169b096eb83782316ea605c391ee70c00099292fdecffff72656989f9eb0ed2d5448f4eb0374d3426c5c7e1d964d2634cd46beedd70aebf7417c28bcdefe8a

Download Submit
memory/1332-147-0x0000000005020000-0x0000000005030000-memory.dmp

Filesize
64KB

Download
memory/1332-148-0x0000000005150000-0x000000000515A000-memory.dmp

Filesize
40KB

Download
memory/1332-149-0x0000000005440000-0x00000000054A6000-memory.dmp

Filesize
408KB

Download
memory/3812-133-0x0000000000750000-0x0000000000762000-memory.dmp

Filesize
72KB

Download
memory/3812-134-0x0000000005150000-0x00000000051EC000-memory.dmp

Filesize
624KB

Download
memory/3812-135-0x00000000059A0000-0x0000000005F44000-memory.dmp

Filesize
5.6MB

Download
memory/3812-136-0x00000000054F0000-0x0000000005582000-memory.dmp

Filesize
584KB

Download
memory/3812-137-0x0000000005080000-0x0000000005090000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing