njrat | fdbde655dc835a93bf7ebd5ce18dfbae737ce99ea9fd041f60138ee9b8f0d0f2

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
27/08/2023, 01:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e00f576601e991f42f039363fb8461ba.exe
Size

181KB
MD5

e00f576601e991f42f039363fb8461ba
SHA1

29b5958ebe505cc6638eb37531e944e7ea895203
SHA256

fdbde655dc835a93bf7ebd5ce18dfbae737ce99ea9fd041f60138ee9b8f0d0f2
SHA512

05e0f3a39bccfc192e28453c67d3f020403d6c51489e196d94a0889163eb6c1127879a093622805194a5d5a2debc4a743fb82e9570afd90adb792afc2a0c4ace
SSDEEP

3072:KahKyd2n31/5GWp1icKAArDZz4N9GhbkrNEkE8/16MXsnsp:KahOTp0yN90QEM/IM82

Score

10^/10

njrat cursed evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

Cursed

2.tcp.eu.ngrok.io:10289

Mutex

910556b16efeeddcdf7a775cbd4b8f09

Attributes

reg_key
910556b16efeeddcdf7a775cbd4b8f09
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
2892	netsh.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\910556b16efeeddcdf7a775cbd4b8f09.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\910556b16efeeddcdf7a775cbd4b8f09.exe	server.exe

Executes dropped EXE 3 IoCs

pid	Process
2532	Gmag.exe
2936	server.exe
2472	XPLoader.exe

Loads dropped DLL 3 IoCs

pid	Process
2532	Gmag.exe
2216	e00f576601e991f42f039363fb8461ba.exe
1308	Process not Found

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e00f576601e991f42f039363fb8461ba.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Windows\CurrentVersion\Run\910556b16efeeddcdf7a775cbd4b8f09 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\910556b16efeeddcdf7a775cbd4b8f09 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."	server.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops autorun.inf file 1 TTPs 5 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	D:\autorun.inf	server.exe
File created	F:\autorun.inf	server.exe
File opened for modification	F:\autorun.inf	server.exe
File created	C:\autorun.inf	server.exe
File opened for modification	C:\autorun.inf	server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
2720	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2936	server.exe
2936	server.exe
2936	server.exe
2936	server.exe
2936	server.exe
2936	server.exe
2936	server.exe
2936	server.exe
2936	server.exe
2936	server.exe
2936	server.exe
2936	server.exe
2936	server.exe
2936	server.exe
2936	server.exe
2936	server.exe
2936	server.exe
2936	server.exe
2936	server.exe
2936	server.exe
2936	server.exe
2936	server.exe
2936	server.exe
2936	server.exe
2936	server.exe
2936	server.exe
2936	server.exe
2936	server.exe
2936	server.exe
2936	server.exe
2936	server.exe
2936	server.exe
2936	server.exe
2936	server.exe
2936	server.exe
2936	server.exe
2936	server.exe
2936	server.exe
2936	server.exe
2936	server.exe
2936	server.exe
2936	server.exe
2936	server.exe
2936	server.exe
2936	server.exe
2936	server.exe
2936	server.exe
2936	server.exe
2936	server.exe
2936	server.exe
2936	server.exe
2936	server.exe
2936	server.exe
2936	server.exe
2936	server.exe
2936	server.exe
2936	server.exe
2936	server.exe
2936	server.exe
2936	server.exe
2936	server.exe
2936	server.exe
2936	server.exe
2936	server.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2936	server.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

description	pid	Process
Token: SeDebugPrivilege	2936	server.exe
Token: SeDebugPrivilege	2720	taskkill.exe
Token: 33	2936	server.exe
Token: SeIncBasePriorityPrivilege	2936	server.exe
Token: 33	2936	server.exe
Token: SeIncBasePriorityPrivilege	2936	server.exe
Token: 33	2936	server.exe
Token: SeIncBasePriorityPrivilege	2936	server.exe
Token: 33	2936	server.exe
Token: SeIncBasePriorityPrivilege	2936	server.exe
Token: 33	2936	server.exe
Token: SeIncBasePriorityPrivilege	2936	server.exe
Token: 33	2936	server.exe
Token: SeIncBasePriorityPrivilege	2936	server.exe
Token: 33	2936	server.exe
Token: SeIncBasePriorityPrivilege	2936	server.exe
Token: 33	2936	server.exe
Token: SeIncBasePriorityPrivilege	2936	server.exe
Token: 33	2936	server.exe
Token: SeIncBasePriorityPrivilege	2936	server.exe
Token: 33	2936	server.exe
Token: SeIncBasePriorityPrivilege	2936	server.exe
Token: 33	2936	server.exe
Token: SeIncBasePriorityPrivilege	2936	server.exe
Token: 33	2936	server.exe
Token: SeIncBasePriorityPrivilege	2936	server.exe
Token: 33	2936	server.exe
Token: SeIncBasePriorityPrivilege	2936	server.exe
Token: 33	2936	server.exe
Token: SeIncBasePriorityPrivilege	2936	server.exe
Token: 33	2936	server.exe
Token: SeIncBasePriorityPrivilege	2936	server.exe
Token: 33	2936	server.exe
Token: SeIncBasePriorityPrivilege	2936	server.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2216 wrote to memory of 2532	2216	e00f576601e991f42f039363fb8461ba.exe	28
PID 2216 wrote to memory of 2532	2216	e00f576601e991f42f039363fb8461ba.exe	28
PID 2216 wrote to memory of 2532	2216	e00f576601e991f42f039363fb8461ba.exe	28
PID 2216 wrote to memory of 2532	2216	e00f576601e991f42f039363fb8461ba.exe	28
PID 2532 wrote to memory of 2936	2532	Gmag.exe	29
PID 2532 wrote to memory of 2936	2532	Gmag.exe	29
PID 2532 wrote to memory of 2936	2532	Gmag.exe	29
PID 2532 wrote to memory of 2936	2532	Gmag.exe	29
PID 2216 wrote to memory of 2472	2216	e00f576601e991f42f039363fb8461ba.exe	30
PID 2216 wrote to memory of 2472	2216	e00f576601e991f42f039363fb8461ba.exe	30
PID 2216 wrote to memory of 2472	2216	e00f576601e991f42f039363fb8461ba.exe	30
PID 2936 wrote to memory of 2892	2936	server.exe	32
PID 2936 wrote to memory of 2892	2936	server.exe	32
PID 2936 wrote to memory of 2892	2936	server.exe	32
PID 2936 wrote to memory of 2892	2936	server.exe	32
PID 2936 wrote to memory of 2720	2936	server.exe	34
PID 2936 wrote to memory of 2720	2936	server.exe	34
PID 2936 wrote to memory of 2720	2936	server.exe	34
PID 2936 wrote to memory of 2720	2936	server.exe	34

C:\Users\Admin\AppData\Local\Temp\e00f576601e991f42f039363fb8461ba.exe
"C:\Users\Admin\AppData\Local\Temp\e00f576601e991f42f039363fb8461ba.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2216
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gmag.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gmag.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2532
- - C:\Users\Admin\AppData\Local\Temp\server.exe
    "C:\Users\Admin\AppData\Local\Temp\server.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops autorun.inf file
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2936
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      PID:2892
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM Exsample.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2720
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\XPLoader.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\XPLoader.exe
  2⤵
  - Executes dropped EXE
  PID:2472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gmag.exe

Filesize
37KB

MD5
075a4132cef39d9b328347733f039463

SHA1
bc5a627bd9ebb2ddad504ff312b37f1f148953aa

SHA256
f4571e614f18225b4f4d5bc819cbc0db18af5adb401e252e0b277861f39f2ac2

SHA512
efc3bd0cd018dc37f5a89f62241d67b0da04b467f7e2cf21acc8c82233600d22a3a41527e07404ad6495d70068476bf549de556b87d922341f09e8db56541674

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gmag.exe

Filesize
37KB

MD5
075a4132cef39d9b328347733f039463

SHA1
bc5a627bd9ebb2ddad504ff312b37f1f148953aa

SHA256
f4571e614f18225b4f4d5bc819cbc0db18af5adb401e252e0b277861f39f2ac2

SHA512
efc3bd0cd018dc37f5a89f62241d67b0da04b467f7e2cf21acc8c82233600d22a3a41527e07404ad6495d70068476bf549de556b87d922341f09e8db56541674

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\XPLoader.exe

Filesize
28KB

MD5
c2b360524c63fd491cc2bc82c9185705

SHA1
83d72908dcb76d58a6df191f5db37f0ee954aa3c

SHA256
522eeb52ca95aba91fbe76b06bb0d1e1bfd5c6b03f1a250931d115d581b0bb44

SHA512
8e72764f838a15f4541bf8a32a4b0cf58828223fd14f84b52c359fac775c1bb9b08e56201ba9ac3c16a2bacdfae5ebf1c5bccab2656d95467ce525285b6ce012

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\XPLoader.exe

Filesize
28KB

MD5
c2b360524c63fd491cc2bc82c9185705

SHA1
83d72908dcb76d58a6df191f5db37f0ee954aa3c

SHA256
522eeb52ca95aba91fbe76b06bb0d1e1bfd5c6b03f1a250931d115d581b0bb44

SHA512
8e72764f838a15f4541bf8a32a4b0cf58828223fd14f84b52c359fac775c1bb9b08e56201ba9ac3c16a2bacdfae5ebf1c5bccab2656d95467ce525285b6ce012

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
37KB

MD5
075a4132cef39d9b328347733f039463

SHA1
bc5a627bd9ebb2ddad504ff312b37f1f148953aa

SHA256
f4571e614f18225b4f4d5bc819cbc0db18af5adb401e252e0b277861f39f2ac2

SHA512
efc3bd0cd018dc37f5a89f62241d67b0da04b467f7e2cf21acc8c82233600d22a3a41527e07404ad6495d70068476bf549de556b87d922341f09e8db56541674

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
37KB

MD5
075a4132cef39d9b328347733f039463

SHA1
bc5a627bd9ebb2ddad504ff312b37f1f148953aa

SHA256
f4571e614f18225b4f4d5bc819cbc0db18af5adb401e252e0b277861f39f2ac2

SHA512
efc3bd0cd018dc37f5a89f62241d67b0da04b467f7e2cf21acc8c82233600d22a3a41527e07404ad6495d70068476bf549de556b87d922341f09e8db56541674

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
37KB

MD5
075a4132cef39d9b328347733f039463

SHA1
bc5a627bd9ebb2ddad504ff312b37f1f148953aa

SHA256
f4571e614f18225b4f4d5bc819cbc0db18af5adb401e252e0b277861f39f2ac2

SHA512
efc3bd0cd018dc37f5a89f62241d67b0da04b467f7e2cf21acc8c82233600d22a3a41527e07404ad6495d70068476bf549de556b87d922341f09e8db56541674

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\XPLoader.exe

Filesize
28KB

MD5
c2b360524c63fd491cc2bc82c9185705

SHA1
83d72908dcb76d58a6df191f5db37f0ee954aa3c

SHA256
522eeb52ca95aba91fbe76b06bb0d1e1bfd5c6b03f1a250931d115d581b0bb44

SHA512
8e72764f838a15f4541bf8a32a4b0cf58828223fd14f84b52c359fac775c1bb9b08e56201ba9ac3c16a2bacdfae5ebf1c5bccab2656d95467ce525285b6ce012

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\XPLoader.exe

Filesize
28KB

MD5
c2b360524c63fd491cc2bc82c9185705

SHA1
83d72908dcb76d58a6df191f5db37f0ee954aa3c

SHA256
522eeb52ca95aba91fbe76b06bb0d1e1bfd5c6b03f1a250931d115d581b0bb44

SHA512
8e72764f838a15f4541bf8a32a4b0cf58828223fd14f84b52c359fac775c1bb9b08e56201ba9ac3c16a2bacdfae5ebf1c5bccab2656d95467ce525285b6ce012

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe

Filesize
37KB

MD5
075a4132cef39d9b328347733f039463

SHA1
bc5a627bd9ebb2ddad504ff312b37f1f148953aa

SHA256
f4571e614f18225b4f4d5bc819cbc0db18af5adb401e252e0b277861f39f2ac2

SHA512
efc3bd0cd018dc37f5a89f62241d67b0da04b467f7e2cf21acc8c82233600d22a3a41527e07404ad6495d70068476bf549de556b87d922341f09e8db56541674

Download Submit
memory/2472-29-0x000007FEF5AE0000-0x000007FEF64CC000-memory.dmp

Filesize
9.9MB

Download
memory/2472-28-0x000000013F960000-0x000000013F96A000-memory.dmp

Filesize
40KB

Download
memory/2532-20-0x00000000747B0000-0x0000000074D5B000-memory.dmp

Filesize
5.7MB

Download
memory/2532-10-0x0000000000180000-0x00000000001C0000-memory.dmp

Filesize
256KB

Download
memory/2532-21-0x00000000747B0000-0x0000000074D5B000-memory.dmp

Filesize
5.7MB

Download
memory/2532-9-0x00000000747B0000-0x0000000074D5B000-memory.dmp

Filesize
5.7MB

Download
memory/2532-8-0x00000000747B0000-0x0000000074D5B000-memory.dmp

Filesize
5.7MB

Download
memory/2532-18-0x00000000747B0000-0x0000000074D5B000-memory.dmp

Filesize
5.7MB

Download
memory/2936-22-0x0000000000BB0000-0x0000000000BF0000-memory.dmp

Filesize
256KB

Download
memory/2936-19-0x00000000747B0000-0x0000000074D5B000-memory.dmp

Filesize
5.7MB

Download
memory/2936-39-0x00000000747B0000-0x0000000074D5B000-memory.dmp

Filesize
5.7MB

Download
memory/2936-40-0x0000000000BB0000-0x0000000000BF0000-memory.dmp

Filesize
256KB

Download