njrat | 60e7f5996d69fb22c55c4b6e25cb881ab49a46f3714a42d35dc6f3a66f853498

General

Target

01a15ebeb25b4396bf1f943a9ff2f240.exe
Size

99KB
MD5

01a15ebeb25b4396bf1f943a9ff2f240
SHA1

45464e9c127300244902f3628b3b11e34c0e8530
SHA256

60e7f5996d69fb22c55c4b6e25cb881ab49a46f3714a42d35dc6f3a66f853498
SHA512

18645b8a88275d4ea01c0878900c0e3a4983495a30f818fa1641e4f74c6ac3547d07d3268ba9540847b18671cbcb06f0a73a9544988710a0b67e982863b13578
SSDEEP

1536:8WxWs7X4DWTjujzDwuKT3CePS7PoZK2K3r2gGHAfT+qFHuVp6ryQy38a:pveWTjuj/KT3COS7PoM6ghvOV8r28a

Score

10^/10

njrat hacker evasion trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HACKER

C2

hakim32.ddns.net:2000

numbers-characterization.at.ply.gg:45038

Mutex

ba79c07aec28b61ac839eeb4fafa3141

Attributes

reg_key
ba79c07aec28b61ac839eeb4fafa3141
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Modifies Windows Firewall 1 TTPs 3 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exenetsh.exenetsh.exe

pid process

3604 netsh.exe
3504 netsh.exe
2800 netsh.exe

pid	process
3604	netsh.exe
3504	netsh.exe
2800	netsh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

01a15ebeb25b4396bf1f943a9ff2f240.exe3421.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Control Panel\International\Geo\Nation	01a15ebeb25b4396bf1f943a9ff2f240.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Control Panel\International\Geo\Nation	3421.exe

Drops startup file 4 IoCs

Processes:

1 (1).exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	1 (1).exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	1 (1).exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ba79c07aec28b61ac839eeb4fafa3141Windows Update.exe	1 (1).exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ba79c07aec28b61ac839eeb4fafa3141Windows Update.exe	1 (1).exe

Executes dropped EXE 2 IoCs

Processes:

3421.exe1 (1).exe

pid process

1060 3421.exe
3656 1 (1).exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1060	3421.exe
3656	1 (1).exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

1 (1).exe

pid	process
3656	1 (1).exe
3656	1 (1).exe
3656	1 (1).exe
3656	1 (1).exe
3656	1 (1).exe
3656	1 (1).exe
3656	1 (1).exe
3656	1 (1).exe
3656	1 (1).exe
3656	1 (1).exe
3656	1 (1).exe
3656	1 (1).exe
3656	1 (1).exe
3656	1 (1).exe
3656	1 (1).exe
3656	1 (1).exe
3656	1 (1).exe
3656	1 (1).exe
3656	1 (1).exe
3656	1 (1).exe
3656	1 (1).exe
3656	1 (1).exe
3656	1 (1).exe
3656	1 (1).exe
3656	1 (1).exe
3656	1 (1).exe
3656	1 (1).exe
3656	1 (1).exe
3656	1 (1).exe
3656	1 (1).exe
3656	1 (1).exe
3656	1 (1).exe
3656	1 (1).exe
3656	1 (1).exe
3656	1 (1).exe
3656	1 (1).exe
3656	1 (1).exe
3656	1 (1).exe
3656	1 (1).exe
3656	1 (1).exe
3656	1 (1).exe
3656	1 (1).exe
3656	1 (1).exe
3656	1 (1).exe
3656	1 (1).exe
3656	1 (1).exe
3656	1 (1).exe
3656	1 (1).exe
3656	1 (1).exe
3656	1 (1).exe
3656	1 (1).exe
3656	1 (1).exe
3656	1 (1).exe
3656	1 (1).exe
3656	1 (1).exe
3656	1 (1).exe
3656	1 (1).exe
3656	1 (1).exe
3656	1 (1).exe
3656	1 (1).exe
3656	1 (1).exe
3656	1 (1).exe
3656	1 (1).exe
3656	1 (1).exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

1 (1).exe

pid process

3656 1 (1).exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

Processes:

1 (1).exe

description	pid	process
Token: SeDebugPrivilege	3656	1 (1).exe
Token: 33	3656	1 (1).exe
Token: SeIncBasePriorityPrivilege	3656	1 (1).exe
Token: 33	3656	1 (1).exe
Token: SeIncBasePriorityPrivilege	3656	1 (1).exe
Token: 33	3656	1 (1).exe
Token: SeIncBasePriorityPrivilege	3656	1 (1).exe
Token: 33	3656	1 (1).exe
Token: SeIncBasePriorityPrivilege	3656	1 (1).exe
Token: 33	3656	1 (1).exe
Token: SeIncBasePriorityPrivilege	3656	1 (1).exe
Token: 33	3656	1 (1).exe
Token: SeIncBasePriorityPrivilege	3656	1 (1).exe
Token: 33	3656	1 (1).exe
Token: SeIncBasePriorityPrivilege	3656	1 (1).exe
Token: 33	3656	1 (1).exe
Token: SeIncBasePriorityPrivilege	3656	1 (1).exe
Token: 33	3656	1 (1).exe
Token: SeIncBasePriorityPrivilege	3656	1 (1).exe
Token: 33	3656	1 (1).exe
Token: SeIncBasePriorityPrivilege	3656	1 (1).exe
Token: 33	3656	1 (1).exe
Token: SeIncBasePriorityPrivilege	3656	1 (1).exe
Token: 33	3656	1 (1).exe
Token: SeIncBasePriorityPrivilege	3656	1 (1).exe
Token: 33	3656	1 (1).exe
Token: SeIncBasePriorityPrivilege	3656	1 (1).exe
Token: 33	3656	1 (1).exe
Token: SeIncBasePriorityPrivilege	3656	1 (1).exe
Token: 33	3656	1 (1).exe
Token: SeIncBasePriorityPrivilege	3656	1 (1).exe
Token: 33	3656	1 (1).exe
Token: SeIncBasePriorityPrivilege	3656	1 (1).exe
Token: 33	3656	1 (1).exe
Token: SeIncBasePriorityPrivilege	3656	1 (1).exe
Token: 33	3656	1 (1).exe
Token: SeIncBasePriorityPrivilege	3656	1 (1).exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

01a15ebeb25b4396bf1f943a9ff2f240.exe3421.execmd.exe1 (1).exe

description	pid	process	target process
PID 4256 wrote to memory of 1060	4256	01a15ebeb25b4396bf1f943a9ff2f240.exe	3421.exe
PID 4256 wrote to memory of 1060	4256	01a15ebeb25b4396bf1f943a9ff2f240.exe	3421.exe
PID 4256 wrote to memory of 1060	4256	01a15ebeb25b4396bf1f943a9ff2f240.exe	3421.exe
PID 4256 wrote to memory of 3656	4256	01a15ebeb25b4396bf1f943a9ff2f240.exe	1 (1).exe
PID 4256 wrote to memory of 3656	4256	01a15ebeb25b4396bf1f943a9ff2f240.exe	1 (1).exe
PID 4256 wrote to memory of 3656	4256	01a15ebeb25b4396bf1f943a9ff2f240.exe	1 (1).exe
PID 1060 wrote to memory of 4140	1060	3421.exe	cmd.exe
PID 1060 wrote to memory of 4140	1060	3421.exe	cmd.exe
PID 4140 wrote to memory of 3464	4140	cmd.exe	mode.com
PID 4140 wrote to memory of 3464	4140	cmd.exe	mode.com
PID 4140 wrote to memory of 1320	4140	cmd.exe	chcp.com
PID 4140 wrote to memory of 1320	4140	cmd.exe	chcp.com
PID 3656 wrote to memory of 3604	3656	1 (1).exe	netsh.exe
PID 3656 wrote to memory of 3604	3656	1 (1).exe	netsh.exe
PID 3656 wrote to memory of 3604	3656	1 (1).exe	netsh.exe
PID 3656 wrote to memory of 2800	3656	1 (1).exe	netsh.exe
PID 3656 wrote to memory of 2800	3656	1 (1).exe	netsh.exe
PID 3656 wrote to memory of 2800	3656	1 (1).exe	netsh.exe
PID 3656 wrote to memory of 3504	3656	1 (1).exe	netsh.exe
PID 3656 wrote to memory of 3504	3656	1 (1).exe	netsh.exe
PID 3656 wrote to memory of 3504	3656	1 (1).exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\01a15ebeb25b4396bf1f943a9ff2f240.exe
"C:\Users\Admin\AppData\Local\Temp\01a15ebeb25b4396bf1f943a9ff2f240.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4256

C:\Users\Admin\AppData\Local\Temp\3421.exe
"C:\Users\Admin\AppData\Local\Temp\3421.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1060

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\8EB3.tmp\8EB4.tmp\8EB5.bat C:\Users\Admin\AppData\Local\Temp\3421.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:4140

C:\Windows\system32\mode.com
mode 90,25
4⤵
PID:3464

C:\Windows\system32\chcp.com
chcp 65001
4⤵
PID:1320

C:\Users\Admin\AppData\Local\Temp\1 (1).exe
"C:\Users\Admin\AppData\Local\Temp\1 (1).exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3656

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\1 (1).exe" "1 (1).exe" ENABLE
3⤵
- Modifies Windows Firewall
PID:3604

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\1 (1).exe" "1 (1).exe" ENABLE
3⤵
- Modifies Windows Firewall
PID:3504

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\1 (1).exe"
3⤵
- Modifies Windows Firewall
PID:2800

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1 (1).exe
Filesize
93KB

MD5
57b8df6044bbfa7706f1b900216d1da0

SHA1
a21f6e715a41e61820ebb3e428242f848e0cd4c9

SHA256
8a429aab8c6fb77e858386f53694c6239f7088ed58ac73c25bb2969cbf87cb3a

SHA512
a4670d23fe66c7ce53ccc79342b9927e7f08e62401d105116517d7e75741eae852eec1d4b4c11ea8a1e5213ed6ddc2dd74e0fe8ac45ece46f5e12bac8f6e5ee0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1 (1).exe
Filesize
93KB

MD5
57b8df6044bbfa7706f1b900216d1da0

SHA1
a21f6e715a41e61820ebb3e428242f848e0cd4c9

SHA256
8a429aab8c6fb77e858386f53694c6239f7088ed58ac73c25bb2969cbf87cb3a

SHA512
a4670d23fe66c7ce53ccc79342b9927e7f08e62401d105116517d7e75741eae852eec1d4b4c11ea8a1e5213ed6ddc2dd74e0fe8ac45ece46f5e12bac8f6e5ee0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1 (1).exe
Filesize
93KB

MD5
57b8df6044bbfa7706f1b900216d1da0

SHA1
a21f6e715a41e61820ebb3e428242f848e0cd4c9

SHA256
8a429aab8c6fb77e858386f53694c6239f7088ed58ac73c25bb2969cbf87cb3a

SHA512
a4670d23fe66c7ce53ccc79342b9927e7f08e62401d105116517d7e75741eae852eec1d4b4c11ea8a1e5213ed6ddc2dd74e0fe8ac45ece46f5e12bac8f6e5ee0

Download Submit
C:\Users\Admin\AppData\Local\Temp\3421.exe
Filesize
94KB

MD5
de02aa6b60fe9b3102998de3c29bf1bd

SHA1
58bbe21b42de1e8bf0ac685d32a240b4fd2a2457

SHA256
ec75b4225e99c2a575d591277e77163686f1738451ae35fdc24ad34be2610813

SHA512
ed93896e62ced577e5471ce4a598eb4a1d8fbc9a292796a3fe053bcfe87224fbb2ae0186a9a1179085b5072ee54e23655b35eecf802a121dd35792e10d188284

Download Submit
C:\Users\Admin\AppData\Local\Temp\3421.exe
Filesize
94KB

MD5
de02aa6b60fe9b3102998de3c29bf1bd

SHA1
58bbe21b42de1e8bf0ac685d32a240b4fd2a2457

SHA256
ec75b4225e99c2a575d591277e77163686f1738451ae35fdc24ad34be2610813

SHA512
ed93896e62ced577e5471ce4a598eb4a1d8fbc9a292796a3fe053bcfe87224fbb2ae0186a9a1179085b5072ee54e23655b35eecf802a121dd35792e10d188284

Download Submit
C:\Users\Admin\AppData\Local\Temp\3421.exe
Filesize
94KB

MD5
de02aa6b60fe9b3102998de3c29bf1bd

SHA1
58bbe21b42de1e8bf0ac685d32a240b4fd2a2457

SHA256
ec75b4225e99c2a575d591277e77163686f1738451ae35fdc24ad34be2610813

SHA512
ed93896e62ced577e5471ce4a598eb4a1d8fbc9a292796a3fe053bcfe87224fbb2ae0186a9a1179085b5072ee54e23655b35eecf802a121dd35792e10d188284

Download Submit
C:\Users\Admin\AppData\Local\Temp\8EB3.tmp\8EB4.tmp\8EB5.bat
Filesize
6KB

MD5
18f90870a2ad04c6531f4e1116097df7

SHA1
9309c2f6ad92b12ede683a6718bc02e34accc95f

SHA256
fa8379e93e5db4925ece29af0534741c9579a8e5d88535fcc39aed841fa3d195

SHA512
404f7a6ab4518b6489b4f11d26a8911e903dfbf89160d1eb26d726f60da6a2542c6ed5429b6ccb127182fffeec04c429d9657ef8a781f90ce9a3663f728d09b4

Download Submit
memory/3656-154-0x0000000000C10000-0x0000000000C20000-memory.dmp

Filesize
64KB

Download
memory/4256-133-0x00000000009F0000-0x0000000000A10000-memory.dmp

Filesize
128KB

Download
memory/4256-149-0x000000001B520000-0x000000001B530000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads