njrat | 85f3edacf251c85385541993bc690fabcfc80625b22ec330f4dd6f31c0573454

General

Target

85f3edacf251c85385541993bc690fabcfc80625b22ec330f4dd6f31c0573454.exe
Size

37KB
MD5

e19f65989c0f892cebe323f2067ce4af
SHA1

07ee79b18fe3aa6c6823052ddffa770f18788a74
SHA256

85f3edacf251c85385541993bc690fabcfc80625b22ec330f4dd6f31c0573454
SHA512

5a110a6cdeba10cc124444c57ab49e26e9ac697de202178661fae9a228485575bcce69503ecd79d51d93e5524f59728e4b8c18663f2f7cc6f64dcac3acf3f8f8
SSDEEP

384:acHsiDrT95hL5YyUvRD/zOo46Al1lrAF+rMRTyN/0L+EcoinblneHQM3epzX5Nr2:Fnv5zUvRDLlAblrM+rMRa8Nuzot

Score

10^/10

njrat windows evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

Windows

C2

2.tcp.eu.ngrok.io:19440

Mutex

a9916e265f04c5cbbcb09972457528f5

Attributes

reg_key
a9916e265f04c5cbbcb09972457528f5
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exe

pid process

2604 netsh.exe

pid	process
2604	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

85f3edacf251c85385541993bc690fabcfc80625b22ec330f4dd6f31c0573454.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	85f3edacf251c85385541993bc690fabcfc80625b22ec330f4dd6f31c0573454.exe

Drops startup file 2 IoCs

Processes:

Windows.server.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a9916e265f04c5cbbcb09972457528f5.exe	Windows.server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a9916e265f04c5cbbcb09972457528f5.exe	Windows.server.exe

Executes dropped EXE 1 IoCs

Processes:

Windows.server.exe

pid process

5108 Windows.server.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Windows.server.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a9916e265f04c5cbbcb09972457528f5 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Windows.server.exe\" .."	Windows.server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\a9916e265f04c5cbbcb09972457528f5 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Windows.server.exe\" .."	Windows.server.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops autorun.inf file 1 TTPs 5 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

Windows.server.exe

description	ioc	process
File created	C:\autorun.inf	Windows.server.exe
File opened for modification	C:\autorun.inf	Windows.server.exe
File created	D:\autorun.inf	Windows.server.exe
File created	F:\autorun.inf	Windows.server.exe
File opened for modification	F:\autorun.inf	Windows.server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

4984 taskkill.exe

pid	process
4984	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Windows.server.exe

pid	process
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Windows.server.exe

pid process

5108 Windows.server.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

Processes:

Windows.server.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	5108	Windows.server.exe
Token: SeDebugPrivilege	4984	taskkill.exe
Token: 33	5108	Windows.server.exe
Token: SeIncBasePriorityPrivilege	5108	Windows.server.exe
Token: 33	5108	Windows.server.exe
Token: SeIncBasePriorityPrivilege	5108	Windows.server.exe
Token: 33	5108	Windows.server.exe
Token: SeIncBasePriorityPrivilege	5108	Windows.server.exe
Token: 33	5108	Windows.server.exe
Token: SeIncBasePriorityPrivilege	5108	Windows.server.exe
Token: 33	5108	Windows.server.exe
Token: SeIncBasePriorityPrivilege	5108	Windows.server.exe
Token: 33	5108	Windows.server.exe
Token: SeIncBasePriorityPrivilege	5108	Windows.server.exe
Token: 33	5108	Windows.server.exe
Token: SeIncBasePriorityPrivilege	5108	Windows.server.exe
Token: 33	5108	Windows.server.exe
Token: SeIncBasePriorityPrivilege	5108	Windows.server.exe
Token: 33	5108	Windows.server.exe
Token: SeIncBasePriorityPrivilege	5108	Windows.server.exe
Token: 33	5108	Windows.server.exe
Token: SeIncBasePriorityPrivilege	5108	Windows.server.exe
Token: 33	5108	Windows.server.exe
Token: SeIncBasePriorityPrivilege	5108	Windows.server.exe
Token: 33	5108	Windows.server.exe
Token: SeIncBasePriorityPrivilege	5108	Windows.server.exe
Token: 33	5108	Windows.server.exe
Token: SeIncBasePriorityPrivilege	5108	Windows.server.exe
Token: 33	5108	Windows.server.exe
Token: SeIncBasePriorityPrivilege	5108	Windows.server.exe
Token: 33	5108	Windows.server.exe
Token: SeIncBasePriorityPrivilege	5108	Windows.server.exe
Token: 33	5108	Windows.server.exe
Token: SeIncBasePriorityPrivilege	5108	Windows.server.exe
Token: 33	5108	Windows.server.exe
Token: SeIncBasePriorityPrivilege	5108	Windows.server.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

85f3edacf251c85385541993bc690fabcfc80625b22ec330f4dd6f31c0573454.exeWindows.server.exe

description	pid	process	target process
PID 3920 wrote to memory of 5108	3920	85f3edacf251c85385541993bc690fabcfc80625b22ec330f4dd6f31c0573454.exe	Windows.server.exe
PID 3920 wrote to memory of 5108	3920	85f3edacf251c85385541993bc690fabcfc80625b22ec330f4dd6f31c0573454.exe	Windows.server.exe
PID 3920 wrote to memory of 5108	3920	85f3edacf251c85385541993bc690fabcfc80625b22ec330f4dd6f31c0573454.exe	Windows.server.exe
PID 5108 wrote to memory of 2604	5108	Windows.server.exe	netsh.exe
PID 5108 wrote to memory of 2604	5108	Windows.server.exe	netsh.exe
PID 5108 wrote to memory of 2604	5108	Windows.server.exe	netsh.exe
PID 5108 wrote to memory of 4984	5108	Windows.server.exe	taskkill.exe
PID 5108 wrote to memory of 4984	5108	Windows.server.exe	taskkill.exe
PID 5108 wrote to memory of 4984	5108	Windows.server.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\85f3edacf251c85385541993bc690fabcfc80625b22ec330f4dd6f31c0573454.exe
"C:\Users\Admin\AppData\Local\Temp\85f3edacf251c85385541993bc690fabcfc80625b22ec330f4dd6f31c0573454.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3920

C:\Users\Admin\AppData\Local\Temp\Windows.server.exe
"C:\Users\Admin\AppData\Local\Temp\Windows.server.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops autorun.inf file
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5108

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Windows.server.exe" "Windows.server.exe" ENABLE
3⤵
- Modifies Windows Firewall
PID:2604

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM Exsample.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4984

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Windows.server.exe
Filesize
37KB

MD5
e19f65989c0f892cebe323f2067ce4af

SHA1
07ee79b18fe3aa6c6823052ddffa770f18788a74

SHA256
85f3edacf251c85385541993bc690fabcfc80625b22ec330f4dd6f31c0573454

SHA512
5a110a6cdeba10cc124444c57ab49e26e9ac697de202178661fae9a228485575bcce69503ecd79d51d93e5524f59728e4b8c18663f2f7cc6f64dcac3acf3f8f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows.server.exe
Filesize
37KB

MD5
e19f65989c0f892cebe323f2067ce4af

SHA1
07ee79b18fe3aa6c6823052ddffa770f18788a74

SHA256
85f3edacf251c85385541993bc690fabcfc80625b22ec330f4dd6f31c0573454

SHA512
5a110a6cdeba10cc124444c57ab49e26e9ac697de202178661fae9a228485575bcce69503ecd79d51d93e5524f59728e4b8c18663f2f7cc6f64dcac3acf3f8f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows.server.exe
Filesize
37KB

MD5
e19f65989c0f892cebe323f2067ce4af

SHA1
07ee79b18fe3aa6c6823052ddffa770f18788a74

SHA256
85f3edacf251c85385541993bc690fabcfc80625b22ec330f4dd6f31c0573454

SHA512
5a110a6cdeba10cc124444c57ab49e26e9ac697de202178661fae9a228485575bcce69503ecd79d51d93e5524f59728e4b8c18663f2f7cc6f64dcac3acf3f8f8

Download Submit
memory/3920-0-0x0000000074710000-0x0000000074CC1000-memory.dmp

Filesize
5.7MB

Download
memory/3920-1-0x0000000074710000-0x0000000074CC1000-memory.dmp

Filesize
5.7MB

Download
memory/3920-2-0x0000000001A10000-0x0000000001A20000-memory.dmp

Filesize
64KB

Download
memory/3920-12-0x0000000074710000-0x0000000074CC1000-memory.dmp

Filesize
5.7MB

Download
memory/5108-13-0x0000000074710000-0x0000000074CC1000-memory.dmp

Filesize
5.7MB

Download
memory/5108-14-0x0000000074710000-0x0000000074CC1000-memory.dmp

Filesize
5.7MB

Download
memory/5108-24-0x0000000074710000-0x0000000074CC1000-memory.dmp

Filesize
5.7MB

Download
memory/5108-25-0x0000000074710000-0x0000000074CC1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads