njrat | 5236fb4550f6a44d270227ef18dc6e06873e30181c3f30932dc5a117ab2a539a

General

Target

d8ea408260319428541bb48eb7fb0ad9f1c115d0faa243aefc27c28399eb5277.exe
Size

208KB
MD5

b074e0cc3c448376b30b4f65805bb368
SHA1

f6f2c8e3d3066d72087aaab74c28a905a44858af
SHA256

d8ea408260319428541bb48eb7fb0ad9f1c115d0faa243aefc27c28399eb5277
SHA512

3e1cbf1ffa14614cb169e819bae5bdcbe54d96db3cea418c9e904af25d0d8bdf0b02a2e95d8ed2223a6e7e3e26336462327b4f54a9b94ef1c3f9c381583e4402
SSDEEP

384:3DVUq67iFRNItImlQNYlEi0jWro5kqNKk1d7U33r+Y7DTP6juEfU5PZQhht1XKvO:3pUZ7iFfuITm+5LdqHSjumT6vmp+BIl

Score

10^/10

njrat telegram evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

C2

0.tcp.sa.ngrok.io:11552

Mutex

11a5bc89b304534ead07ff50b25ffb52

Attributes

reg_key
11a5bc89b304534ead07ff50b25ffb52
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
4268	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Control Panel\International\Geo\Nation	0.vbs

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\11a5bc89b304534ead07ff50b25ffb52.exe	Telegram Desktop.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\11a5bc89b304534ead07ff50b25ffb52.exe	Telegram Desktop.exe

Executes dropped EXE 2 IoCs

pid	Process
5052	0.vbs
1676	Telegram Desktop.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\11a5bc89b304534ead07ff50b25ffb52 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop.exe\" .."	Telegram Desktop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\11a5bc89b304534ead07ff50b25ffb52 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop.exe\" .."	Telegram Desktop.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeDebugPrivilege	1676	Telegram Desktop.exe
Token: 33	1676	Telegram Desktop.exe
Token: SeIncBasePriorityPrivilege	1676	Telegram Desktop.exe
Token: 33	1676	Telegram Desktop.exe
Token: SeIncBasePriorityPrivilege	1676	Telegram Desktop.exe
Token: 33	1676	Telegram Desktop.exe
Token: SeIncBasePriorityPrivilege	1676	Telegram Desktop.exe
Token: 33	1676	Telegram Desktop.exe
Token: SeIncBasePriorityPrivilege	1676	Telegram Desktop.exe
Token: 33	1676	Telegram Desktop.exe
Token: SeIncBasePriorityPrivilege	1676	Telegram Desktop.exe
Token: 33	1676	Telegram Desktop.exe
Token: SeIncBasePriorityPrivilege	1676	Telegram Desktop.exe
Token: 33	1676	Telegram Desktop.exe
Token: SeIncBasePriorityPrivilege	1676	Telegram Desktop.exe
Token: 33	1676	Telegram Desktop.exe
Token: SeIncBasePriorityPrivilege	1676	Telegram Desktop.exe
Token: 33	1676	Telegram Desktop.exe
Token: SeIncBasePriorityPrivilege	1676	Telegram Desktop.exe
Token: 33	1676	Telegram Desktop.exe
Token: SeIncBasePriorityPrivilege	1676	Telegram Desktop.exe
Token: 33	1676	Telegram Desktop.exe
Token: SeIncBasePriorityPrivilege	1676	Telegram Desktop.exe
Token: 33	1676	Telegram Desktop.exe
Token: SeIncBasePriorityPrivilege	1676	Telegram Desktop.exe
Token: 33	1676	Telegram Desktop.exe
Token: SeIncBasePriorityPrivilege	1676	Telegram Desktop.exe
Token: 33	1676	Telegram Desktop.exe
Token: SeIncBasePriorityPrivilege	1676	Telegram Desktop.exe
Token: 33	1676	Telegram Desktop.exe
Token: SeIncBasePriorityPrivilege	1676	Telegram Desktop.exe
Token: 33	1676	Telegram Desktop.exe
Token: SeIncBasePriorityPrivilege	1676	Telegram Desktop.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3464	d8ea408260319428541bb48eb7fb0ad9f1c115d0faa243aefc27c28399eb5277.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3464 wrote to memory of 5052	3464	d8ea408260319428541bb48eb7fb0ad9f1c115d0faa243aefc27c28399eb5277.exe	85
PID 3464 wrote to memory of 5052	3464	d8ea408260319428541bb48eb7fb0ad9f1c115d0faa243aefc27c28399eb5277.exe	85
PID 3464 wrote to memory of 5052	3464	d8ea408260319428541bb48eb7fb0ad9f1c115d0faa243aefc27c28399eb5277.exe	85
PID 5052 wrote to memory of 1676	5052	0.vbs	91
PID 5052 wrote to memory of 1676	5052	0.vbs	91
PID 5052 wrote to memory of 1676	5052	0.vbs	91
PID 1676 wrote to memory of 4268	1676	Telegram Desktop.exe	94
PID 1676 wrote to memory of 4268	1676	Telegram Desktop.exe	94
PID 1676 wrote to memory of 4268	1676	Telegram Desktop.exe	94

C:\Users\Admin\AppData\Local\Temp\d8ea408260319428541bb48eb7fb0ad9f1c115d0faa243aefc27c28399eb5277.exe
"C:\Users\Admin\AppData\Local\Temp\d8ea408260319428541bb48eb7fb0ad9f1c115d0faa243aefc27c28399eb5277.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3464
- C:\Users\Admin\AppData\Local\Temp\0.vbs
  C:\Users\Admin\AppData\Local\Temp\0.vbs
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5052
- - C:\Users\Admin\AppData\Roaming\Telegram Desktop.exe
    "C:\Users\Admin\AppData\Roaming\Telegram Desktop.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1676
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Telegram Desktop.exe" "Telegram Desktop.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      PID:4268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0.vbs

Filesize
23KB

MD5
1bf9b7c17625a359cc3a3df4bea971fe

SHA1
60fefb77194fc70149b8179c4f7aeba2bf573909

SHA256
7e1a8eb57cfeb670aa6ef3687ec970ad004c0dbe0c4a9957c7025cf3d30f2c54

SHA512
eb87c7f25f25614c3e7b2fe581e44de5d3018ecd8c5f1127c8bffacaa932c11cf1b04d5773e5d28c241a0d678d48ec0ef6faa5ee0c88270f1124904ce9276997

Download Submit
C:\Users\Admin\AppData\Local\Temp\0.vbs

Filesize
23KB

MD5
1bf9b7c17625a359cc3a3df4bea971fe

SHA1
60fefb77194fc70149b8179c4f7aeba2bf573909

SHA256
7e1a8eb57cfeb670aa6ef3687ec970ad004c0dbe0c4a9957c7025cf3d30f2c54

SHA512
eb87c7f25f25614c3e7b2fe581e44de5d3018ecd8c5f1127c8bffacaa932c11cf1b04d5773e5d28c241a0d678d48ec0ef6faa5ee0c88270f1124904ce9276997

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram Desktop.exe

Filesize
23KB

MD5
1bf9b7c17625a359cc3a3df4bea971fe

SHA1
60fefb77194fc70149b8179c4f7aeba2bf573909

SHA256
7e1a8eb57cfeb670aa6ef3687ec970ad004c0dbe0c4a9957c7025cf3d30f2c54

SHA512
eb87c7f25f25614c3e7b2fe581e44de5d3018ecd8c5f1127c8bffacaa932c11cf1b04d5773e5d28c241a0d678d48ec0ef6faa5ee0c88270f1124904ce9276997

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram Desktop.exe

Filesize
23KB

MD5
1bf9b7c17625a359cc3a3df4bea971fe

SHA1
60fefb77194fc70149b8179c4f7aeba2bf573909

SHA256
7e1a8eb57cfeb670aa6ef3687ec970ad004c0dbe0c4a9957c7025cf3d30f2c54

SHA512
eb87c7f25f25614c3e7b2fe581e44de5d3018ecd8c5f1127c8bffacaa932c11cf1b04d5773e5d28c241a0d678d48ec0ef6faa5ee0c88270f1124904ce9276997

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram Desktop.exe

Filesize
23KB

MD5
1bf9b7c17625a359cc3a3df4bea971fe

SHA1
60fefb77194fc70149b8179c4f7aeba2bf573909

SHA256
7e1a8eb57cfeb670aa6ef3687ec970ad004c0dbe0c4a9957c7025cf3d30f2c54

SHA512
eb87c7f25f25614c3e7b2fe581e44de5d3018ecd8c5f1127c8bffacaa932c11cf1b04d5773e5d28c241a0d678d48ec0ef6faa5ee0c88270f1124904ce9276997

Download Submit
memory/1676-153-0x0000000074C20000-0x00000000751D1000-memory.dmp

Filesize
5.7MB

Download
memory/1676-154-0x00000000018E0000-0x00000000018F0000-memory.dmp

Filesize
64KB

Download
memory/1676-155-0x0000000074C20000-0x00000000751D1000-memory.dmp

Filesize
5.7MB

Download
memory/1676-157-0x0000000074C20000-0x00000000751D1000-memory.dmp

Filesize
5.7MB

Download
memory/1676-158-0x00000000018E0000-0x00000000018F0000-memory.dmp

Filesize
64KB

Download
memory/5052-142-0x00000000015A0000-0x00000000015B0000-memory.dmp

Filesize
64KB

Download
memory/5052-141-0x0000000074C20000-0x00000000751D1000-memory.dmp

Filesize
5.7MB

Download
memory/5052-152-0x0000000074C20000-0x00000000751D1000-memory.dmp

Filesize
5.7MB

Download
memory/5052-140-0x0000000074C20000-0x00000000751D1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads