njrat | 75b8f18364353a9f155758cd49aa1e92dec0a13a37582e7b4d76a263391210ea

Analysis

max time kernel
150s
max time network
155s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
22/07/2023, 01:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

89a06a16c73f4cee629bc145fa8ca6dc2003b4c3a3ff4a0c1cec473ec42ae875.exe
Size

93KB
MD5

2c2a5b46bd15e13fd2f3df4c06457578
SHA1

4ef3481467fc0ce0bb1df5b627d218ef2ae2fc58
SHA256

89a06a16c73f4cee629bc145fa8ca6dc2003b4c3a3ff4a0c1cec473ec42ae875
SHA512

1aade6ac068ee949930be301d9e9ddec20c4809e6c0463198e76ae7ba423ea1dac0b1db8195886dd9e7c33cf5d9616ab6d52c6058349cf67497192be5ba8ad8a
SSDEEP

768:9Y3h+TnkpjTMpALPGMtsas88EtNXhU9Y1mxCXxrjEtCdnl2pi1Rz4Rk3WsGdpogM:y+7kVbPGHz88Eb71pjEwzGi1dDyDogS

Score

10^/10

njrat hacked evasion trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

hakim32.ddns.net:2000

4.tcp.eu.ngrok.io:17194

Mutex

a524b09bfc2eaa9fdc9d91ea93858bfc

Attributes

reg_key
a524b09bfc2eaa9fdc9d91ea93858bfc
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
2920	netsh.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe

Executes dropped EXE 1 IoCs

pid	Process
2972	server.exe

Loads dropped DLL 2 IoCs

pid	Process
2060	89a06a16c73f4cee629bc145fa8ca6dc2003b4c3a3ff4a0c1cec473ec42ae875.exe
2060	89a06a16c73f4cee629bc145fa8ca6dc2003b4c3a3ff4a0c1cec473ec42ae875.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2972	server.exe
2972	server.exe
2972	server.exe
2972	server.exe
2972	server.exe
2972	server.exe
2972	server.exe
2972	server.exe
2972	server.exe
2972	server.exe
2972	server.exe
2972	server.exe
2972	server.exe
2972	server.exe
2972	server.exe
2972	server.exe
2972	server.exe
2972	server.exe
2972	server.exe
2972	server.exe
2972	server.exe
2972	server.exe
2972	server.exe
2972	server.exe
2972	server.exe
2972	server.exe
2972	server.exe
2972	server.exe
2972	server.exe
2972	server.exe
2972	server.exe
2972	server.exe
2972	server.exe
2972	server.exe
2972	server.exe
2972	server.exe
2972	server.exe
2972	server.exe
2972	server.exe
2972	server.exe
2972	server.exe
2972	server.exe
2972	server.exe
2972	server.exe
2972	server.exe
2972	server.exe
2972	server.exe
2972	server.exe
2972	server.exe
2972	server.exe
2972	server.exe
2972	server.exe
2972	server.exe
2972	server.exe
2972	server.exe
2972	server.exe
2972	server.exe
2972	server.exe
2972	server.exe
2972	server.exe
2972	server.exe
2972	server.exe
2972	server.exe
2972	server.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2972	server.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

description	pid	Process
Token: SeDebugPrivilege	2972	server.exe
Token: 33	2972	server.exe
Token: SeIncBasePriorityPrivilege	2972	server.exe
Token: 33	2972	server.exe
Token: SeIncBasePriorityPrivilege	2972	server.exe
Token: 33	2972	server.exe
Token: SeIncBasePriorityPrivilege	2972	server.exe
Token: 33	2972	server.exe
Token: SeIncBasePriorityPrivilege	2972	server.exe
Token: 33	2972	server.exe
Token: SeIncBasePriorityPrivilege	2972	server.exe
Token: 33	2972	server.exe
Token: SeIncBasePriorityPrivilege	2972	server.exe
Token: 33	2972	server.exe
Token: SeIncBasePriorityPrivilege	2972	server.exe
Token: 33	2972	server.exe
Token: SeIncBasePriorityPrivilege	2972	server.exe
Token: 33	2972	server.exe
Token: SeIncBasePriorityPrivilege	2972	server.exe
Token: 33	2972	server.exe
Token: SeIncBasePriorityPrivilege	2972	server.exe
Token: 33	2972	server.exe
Token: SeIncBasePriorityPrivilege	2972	server.exe
Token: 33	2972	server.exe
Token: SeIncBasePriorityPrivilege	2972	server.exe
Token: 33	2972	server.exe
Token: SeIncBasePriorityPrivilege	2972	server.exe
Token: 33	2972	server.exe
Token: SeIncBasePriorityPrivilege	2972	server.exe
Token: 33	2972	server.exe
Token: SeIncBasePriorityPrivilege	2972	server.exe
Token: 33	2972	server.exe
Token: SeIncBasePriorityPrivilege	2972	server.exe
Token: 33	2972	server.exe
Token: SeIncBasePriorityPrivilege	2972	server.exe
Token: 33	2972	server.exe
Token: SeIncBasePriorityPrivilege	2972	server.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 2972	2060	89a06a16c73f4cee629bc145fa8ca6dc2003b4c3a3ff4a0c1cec473ec42ae875.exe	28
PID 2060 wrote to memory of 2972	2060	89a06a16c73f4cee629bc145fa8ca6dc2003b4c3a3ff4a0c1cec473ec42ae875.exe	28
PID 2060 wrote to memory of 2972	2060	89a06a16c73f4cee629bc145fa8ca6dc2003b4c3a3ff4a0c1cec473ec42ae875.exe	28
PID 2060 wrote to memory of 2972	2060	89a06a16c73f4cee629bc145fa8ca6dc2003b4c3a3ff4a0c1cec473ec42ae875.exe	28
PID 2972 wrote to memory of 2920	2972	server.exe	29
PID 2972 wrote to memory of 2920	2972	server.exe	29
PID 2972 wrote to memory of 2920	2972	server.exe	29
PID 2972 wrote to memory of 2920	2972	server.exe	29

C:\Users\Admin\AppData\Local\Temp\89a06a16c73f4cee629bc145fa8ca6dc2003b4c3a3ff4a0c1cec473ec42ae875.exe
"C:\Users\Admin\AppData\Local\Temp\89a06a16c73f4cee629bc145fa8ca6dc2003b4c3a3ff4a0c1cec473ec42ae875.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Users\Admin\AppData\Roaming\server.exe
  "C:\Users\Admin\AppData\Roaming\server.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2972
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    PID:2920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\app

Filesize
5B

MD5
d43c5b07c128b116b7bc8faf7b8efa9d

SHA1
dd3540ad4ae14b21b665d108cf4570c2dfa6a6fa

SHA256
80ad1cc7b3a784dad618a445af0c8cf3efa903f82a814756f2aaa7b57f45791f

SHA512
618b01e2b808e1954d011635dfdf63bc75855145208fc5cae33ce09c7e5b43cf978f6511beb311765e6920e728a290c9f9ced7563e40e8ff8d093d50fdc18334

Download Submit
C:\Users\Admin\AppData\Roaming\server.exe

Filesize
93KB

MD5
2c2a5b46bd15e13fd2f3df4c06457578

SHA1
4ef3481467fc0ce0bb1df5b627d218ef2ae2fc58

SHA256
89a06a16c73f4cee629bc145fa8ca6dc2003b4c3a3ff4a0c1cec473ec42ae875

SHA512
1aade6ac068ee949930be301d9e9ddec20c4809e6c0463198e76ae7ba423ea1dac0b1db8195886dd9e7c33cf5d9616ab6d52c6058349cf67497192be5ba8ad8a

Download Submit
C:\Users\Admin\AppData\Roaming\server.exe

Filesize
93KB

MD5
2c2a5b46bd15e13fd2f3df4c06457578

SHA1
4ef3481467fc0ce0bb1df5b627d218ef2ae2fc58

SHA256
89a06a16c73f4cee629bc145fa8ca6dc2003b4c3a3ff4a0c1cec473ec42ae875

SHA512
1aade6ac068ee949930be301d9e9ddec20c4809e6c0463198e76ae7ba423ea1dac0b1db8195886dd9e7c33cf5d9616ab6d52c6058349cf67497192be5ba8ad8a

Download Submit
C:\Users\Admin\AppData\Roaming\server.exe

Filesize
93KB

MD5
2c2a5b46bd15e13fd2f3df4c06457578

SHA1
4ef3481467fc0ce0bb1df5b627d218ef2ae2fc58

SHA256
89a06a16c73f4cee629bc145fa8ca6dc2003b4c3a3ff4a0c1cec473ec42ae875

SHA512
1aade6ac068ee949930be301d9e9ddec20c4809e6c0463198e76ae7ba423ea1dac0b1db8195886dd9e7c33cf5d9616ab6d52c6058349cf67497192be5ba8ad8a

Download Submit
\Users\Admin\AppData\Roaming\server.exe

Filesize
93KB

MD5
2c2a5b46bd15e13fd2f3df4c06457578

SHA1
4ef3481467fc0ce0bb1df5b627d218ef2ae2fc58

SHA256
89a06a16c73f4cee629bc145fa8ca6dc2003b4c3a3ff4a0c1cec473ec42ae875

SHA512
1aade6ac068ee949930be301d9e9ddec20c4809e6c0463198e76ae7ba423ea1dac0b1db8195886dd9e7c33cf5d9616ab6d52c6058349cf67497192be5ba8ad8a

Download Submit
\Users\Admin\AppData\Roaming\server.exe

Filesize
93KB

MD5
2c2a5b46bd15e13fd2f3df4c06457578

SHA1
4ef3481467fc0ce0bb1df5b627d218ef2ae2fc58

SHA256
89a06a16c73f4cee629bc145fa8ca6dc2003b4c3a3ff4a0c1cec473ec42ae875

SHA512
1aade6ac068ee949930be301d9e9ddec20c4809e6c0463198e76ae7ba423ea1dac0b1db8195886dd9e7c33cf5d9616ab6d52c6058349cf67497192be5ba8ad8a

Download Submit
memory/2060-54-0x0000000074700000-0x0000000074CAB000-memory.dmp

Filesize
5.7MB

Download
memory/2060-56-0x0000000000A20000-0x0000000000A60000-memory.dmp

Filesize
256KB

Download
memory/2060-68-0x0000000074700000-0x0000000074CAB000-memory.dmp

Filesize
5.7MB

Download
memory/2060-55-0x0000000074700000-0x0000000074CAB000-memory.dmp

Filesize
5.7MB

Download
memory/2972-69-0x0000000074700000-0x0000000074CAB000-memory.dmp

Filesize
5.7MB

Download
memory/2972-70-0x0000000074700000-0x0000000074CAB000-memory.dmp

Filesize
5.7MB

Download
memory/2972-75-0x00000000001F0000-0x0000000000230000-memory.dmp

Filesize
256KB

Download
memory/2972-74-0x0000000074700000-0x0000000074CAB000-memory.dmp

Filesize
5.7MB

Download