Overview

overview

10

Static

static

10

rat.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    58s
  • max time network
    92s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-07-2023 09:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    rat.exe

  • Size

    64KB

  • MD5

    8aa7c1cb0920d957870c48e543c8d0b5

  • SHA1

    a7ed7edffeb04b786617b28f7ffde11a84f4f855

  • SHA256

    014f0d19ffeff49332c29c1c4edf16523928c822857fbde256d6da21bf6424e8

  • SHA512

    7e5f9b77d1a97252b8d388bf42233649a9ecfb6ab6f41dd7756eab5c595c19e34673a670a0cc474e62cd3df0a1906eeb8dd500569dfad058680cd0eff3a509a1

  • SSDEEP

    1536:TvDmGXoN36tcQviFw1WeHpYBnvbWfLteF3nLrB9z3nGaF9bUS9vM:TLmGXoN36tcQviFCbHCBn6fWl9zWaF9

Score
10/10
njratmybottrojan

Malware Config

Extracted

Family

njrat

Version

Platinum

Botnet

MyBot

C2

127.0.0.1:54077

Mutex

steamwebhelper.exe

Attributes
  • reg_key

    steamwebhelper.exe

  • splitter

    |Ghost|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of FindShellTrayWindow 27 IoCs
  • Suspicious use of SendNotifyMessage 27 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\rat.exe
    "C:\Users\Admin\AppData\Local\Temp\rat.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4784
    • C:\Users\Admin\steamwebhelper.exe
      "C:\Users\Admin\steamwebhelper.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:336
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /delete /tn "SteamWebService" /f
        3⤵
          PID:1320
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /create /sc minute /mo 1 /tn "SteamWebService" /tr C:\Users\Admin\steamwebhelper.exe
          3⤵
          • Creates scheduled task(s)
          PID:4140
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /4
      1⤵
      • Checks SCSI registry key(s)
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3944
    • C:\Users\Admin\steamwebhelper.exe
      C:\Users\Admin\steamwebhelper.exe
      1⤵
      • Executes dropped EXE
      PID:3196

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Scheduled Task/Job

    1
    T1053

    Persistence

    Scheduled Task/Job

    1
    T1053

    Privilege Escalation

    Scheduled Task/Job

    1
    T1053

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    2
    T1012

    System Information Discovery

    3
    T1082

    Peripheral Device Discovery

    1
    T1120

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Web Service

    1
    T1102

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\steamwebhelper.exe
      Filesize

      64KB

      MD5

      8aa7c1cb0920d957870c48e543c8d0b5

      SHA1

      a7ed7edffeb04b786617b28f7ffde11a84f4f855

      SHA256

      014f0d19ffeff49332c29c1c4edf16523928c822857fbde256d6da21bf6424e8

      SHA512

      7e5f9b77d1a97252b8d388bf42233649a9ecfb6ab6f41dd7756eab5c595c19e34673a670a0cc474e62cd3df0a1906eeb8dd500569dfad058680cd0eff3a509a1

      Download Submit
    • C:\Users\Admin\steamwebhelper.exe
      Filesize

      64KB

      MD5

      8aa7c1cb0920d957870c48e543c8d0b5

      SHA1

      a7ed7edffeb04b786617b28f7ffde11a84f4f855

      SHA256

      014f0d19ffeff49332c29c1c4edf16523928c822857fbde256d6da21bf6424e8

      SHA512

      7e5f9b77d1a97252b8d388bf42233649a9ecfb6ab6f41dd7756eab5c595c19e34673a670a0cc474e62cd3df0a1906eeb8dd500569dfad058680cd0eff3a509a1

      Download Submit
    • C:\Users\Admin\steamwebhelper.exe
      Filesize

      64KB

      MD5

      8aa7c1cb0920d957870c48e543c8d0b5

      SHA1

      a7ed7edffeb04b786617b28f7ffde11a84f4f855

      SHA256

      014f0d19ffeff49332c29c1c4edf16523928c822857fbde256d6da21bf6424e8

      SHA512

      7e5f9b77d1a97252b8d388bf42233649a9ecfb6ab6f41dd7756eab5c595c19e34673a670a0cc474e62cd3df0a1906eeb8dd500569dfad058680cd0eff3a509a1

      Download Submit
    • C:\Users\Admin\steamwebhelper.exe
      Filesize

      64KB

      MD5

      8aa7c1cb0920d957870c48e543c8d0b5

      SHA1

      a7ed7edffeb04b786617b28f7ffde11a84f4f855

      SHA256

      014f0d19ffeff49332c29c1c4edf16523928c822857fbde256d6da21bf6424e8

      SHA512

      7e5f9b77d1a97252b8d388bf42233649a9ecfb6ab6f41dd7756eab5c595c19e34673a670a0cc474e62cd3df0a1906eeb8dd500569dfad058680cd0eff3a509a1

      Download Submit
    • memory/336-162-0x00000000012B0000-0x00000000012C0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/336-161-0x0000000074830000-0x0000000074DE1000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/336-177-0x00000000012B0000-0x00000000012C0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/336-163-0x00000000012B0000-0x00000000012C0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/336-157-0x0000000074830000-0x0000000074DE1000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/336-159-0x00000000012B0000-0x00000000012C0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/336-160-0x0000000074830000-0x0000000074DE1000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/3944-165-0x0000029FC73D0000-0x0000029FC73D1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3944-173-0x0000029FC73D0000-0x0000029FC73D1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3944-176-0x0000029FC73D0000-0x0000029FC73D1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3944-164-0x0000029FC73D0000-0x0000029FC73D1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3944-175-0x0000029FC73D0000-0x0000029FC73D1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3944-166-0x0000029FC73D0000-0x0000029FC73D1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3944-170-0x0000029FC73D0000-0x0000029FC73D1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3944-172-0x0000029FC73D0000-0x0000029FC73D1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3944-171-0x0000029FC73D0000-0x0000029FC73D1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3944-174-0x0000029FC73D0000-0x0000029FC73D1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4784-133-0x0000000074830000-0x0000000074DE1000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/4784-136-0x0000000074830000-0x0000000074DE1000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/4784-158-0x0000000074830000-0x0000000074DE1000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/4784-135-0x0000000000E50000-0x0000000000E60000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4784-134-0x0000000074830000-0x0000000074DE1000-memory.dmp
      Filesize

      5.7MB

      Download