njrat | 4343db61e059b8f73e97e022907d917a6a495439cf9ef7c618a832ded1f9f4d1

Analysis

max time kernel
150s
max time network
126s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
08-10-2023 07:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8fa0588a7d0bdc6ed5cd187ab077cdfed96f0cb1341b37e5000a5a40bbc7345e.exe
Size

344KB
MD5

8d25c14a5b1f9cdf8f87b86481dbc471
SHA1

af7d5f5f0f4b891b4e95dd444993138b581a69d4
SHA256

8fa0588a7d0bdc6ed5cd187ab077cdfed96f0cb1341b37e5000a5a40bbc7345e
SHA512

6fb3dbde57e30fa8d04f3a4081312bee32fe576b73dea496c7782a02dc82e3173d49a9dd13489d7acb879744ff3c96acc81efaabbff089354fcbbe00f3167338
SSDEEP

3072:FEaNdCsfYDogE/eaBNDjh8b5hisx0x0a37K0OMwRbHpG9ua7zwo58T:FEAdCs3XLBtjhij0xfm0VKG9oy

Score

10^/10

njrat hacked evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

z-shadowxxx.ddns.net:5552

Mutex

1899f7b6bb5e1cf84a5b2c830a70fbec

Attributes

reg_key
1899f7b6bb5e1cf84a5b2c830a70fbec
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
2508	netsh.exe

Executes dropped EXE 2 IoCs

pid	Process
2632	LocalFSAgnpsDhx.exe
2576	svchost.exe

Loads dropped DLL 1 IoCs

pid	Process
2632	LocalFSAgnpsDhx.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Windows\CurrentVersion\Run\1899f7b6bb5e1cf84a5b2c830a70fbec = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .."	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\1899f7b6bb5e1cf84a5b2c830a70fbec = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .."	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2632	LocalFSAgnpsDhx.exe
2632	LocalFSAgnpsDhx.exe
2632	LocalFSAgnpsDhx.exe
2632	LocalFSAgnpsDhx.exe
2632	LocalFSAgnpsDhx.exe
2632	LocalFSAgnpsDhx.exe
2632	LocalFSAgnpsDhx.exe
2632	LocalFSAgnpsDhx.exe
2632	LocalFSAgnpsDhx.exe
2632	LocalFSAgnpsDhx.exe
2632	LocalFSAgnpsDhx.exe
2632	LocalFSAgnpsDhx.exe
2632	LocalFSAgnpsDhx.exe
2632	LocalFSAgnpsDhx.exe
2632	LocalFSAgnpsDhx.exe
2632	LocalFSAgnpsDhx.exe
2632	LocalFSAgnpsDhx.exe
2632	LocalFSAgnpsDhx.exe
2632	LocalFSAgnpsDhx.exe
2632	LocalFSAgnpsDhx.exe
2632	LocalFSAgnpsDhx.exe
2632	LocalFSAgnpsDhx.exe
2632	LocalFSAgnpsDhx.exe
2632	LocalFSAgnpsDhx.exe
2632	LocalFSAgnpsDhx.exe
2632	LocalFSAgnpsDhx.exe
2632	LocalFSAgnpsDhx.exe
2632	LocalFSAgnpsDhx.exe
2632	LocalFSAgnpsDhx.exe
2632	LocalFSAgnpsDhx.exe
2632	LocalFSAgnpsDhx.exe
2632	LocalFSAgnpsDhx.exe
2632	LocalFSAgnpsDhx.exe
2632	LocalFSAgnpsDhx.exe
2632	LocalFSAgnpsDhx.exe
2632	LocalFSAgnpsDhx.exe
2632	LocalFSAgnpsDhx.exe
2632	LocalFSAgnpsDhx.exe
2632	LocalFSAgnpsDhx.exe
2632	LocalFSAgnpsDhx.exe
2632	LocalFSAgnpsDhx.exe
2632	LocalFSAgnpsDhx.exe
2632	LocalFSAgnpsDhx.exe
2632	LocalFSAgnpsDhx.exe
2632	LocalFSAgnpsDhx.exe
2632	LocalFSAgnpsDhx.exe
2632	LocalFSAgnpsDhx.exe
2632	LocalFSAgnpsDhx.exe
2632	LocalFSAgnpsDhx.exe
2632	LocalFSAgnpsDhx.exe
2632	LocalFSAgnpsDhx.exe
2632	LocalFSAgnpsDhx.exe
2632	LocalFSAgnpsDhx.exe
2632	LocalFSAgnpsDhx.exe
2632	LocalFSAgnpsDhx.exe
2632	LocalFSAgnpsDhx.exe
2632	LocalFSAgnpsDhx.exe
2632	LocalFSAgnpsDhx.exe
2632	LocalFSAgnpsDhx.exe
2632	LocalFSAgnpsDhx.exe
2632	LocalFSAgnpsDhx.exe
2632	LocalFSAgnpsDhx.exe
2632	LocalFSAgnpsDhx.exe
2632	LocalFSAgnpsDhx.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

description	pid	Process
Token: SeDebugPrivilege	2632	LocalFSAgnpsDhx.exe
Token: SeDebugPrivilege	2576	svchost.exe
Token: 33	2576	svchost.exe
Token: SeIncBasePriorityPrivilege	2576	svchost.exe
Token: 33	2576	svchost.exe
Token: SeIncBasePriorityPrivilege	2576	svchost.exe
Token: 33	2576	svchost.exe
Token: SeIncBasePriorityPrivilege	2576	svchost.exe
Token: 33	2576	svchost.exe
Token: SeIncBasePriorityPrivilege	2576	svchost.exe
Token: 33	2576	svchost.exe
Token: SeIncBasePriorityPrivilege	2576	svchost.exe
Token: 33	2576	svchost.exe
Token: SeIncBasePriorityPrivilege	2576	svchost.exe
Token: 33	2576	svchost.exe
Token: SeIncBasePriorityPrivilege	2576	svchost.exe
Token: 33	2576	svchost.exe
Token: SeIncBasePriorityPrivilege	2576	svchost.exe
Token: 33	2576	svchost.exe
Token: SeIncBasePriorityPrivilege	2576	svchost.exe
Token: 33	2576	svchost.exe
Token: SeIncBasePriorityPrivilege	2576	svchost.exe
Token: 33	2576	svchost.exe
Token: SeIncBasePriorityPrivilege	2576	svchost.exe
Token: 33	2576	svchost.exe
Token: SeIncBasePriorityPrivilege	2576	svchost.exe
Token: 33	2576	svchost.exe
Token: SeIncBasePriorityPrivilege	2576	svchost.exe
Token: 33	2576	svchost.exe
Token: SeIncBasePriorityPrivilege	2576	svchost.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 2632	3016	8fa0588a7d0bdc6ed5cd187ab077cdfed96f0cb1341b37e5000a5a40bbc7345e.exe	28
PID 3016 wrote to memory of 2632	3016	8fa0588a7d0bdc6ed5cd187ab077cdfed96f0cb1341b37e5000a5a40bbc7345e.exe	28
PID 3016 wrote to memory of 2632	3016	8fa0588a7d0bdc6ed5cd187ab077cdfed96f0cb1341b37e5000a5a40bbc7345e.exe	28
PID 3016 wrote to memory of 2632	3016	8fa0588a7d0bdc6ed5cd187ab077cdfed96f0cb1341b37e5000a5a40bbc7345e.exe	28
PID 3016 wrote to memory of 2740	3016	8fa0588a7d0bdc6ed5cd187ab077cdfed96f0cb1341b37e5000a5a40bbc7345e.exe	29
PID 3016 wrote to memory of 2740	3016	8fa0588a7d0bdc6ed5cd187ab077cdfed96f0cb1341b37e5000a5a40bbc7345e.exe	29
PID 3016 wrote to memory of 2740	3016	8fa0588a7d0bdc6ed5cd187ab077cdfed96f0cb1341b37e5000a5a40bbc7345e.exe	29
PID 2632 wrote to memory of 2556	2632	LocalFSAgnpsDhx.exe	30
PID 2632 wrote to memory of 2556	2632	LocalFSAgnpsDhx.exe	30
PID 2632 wrote to memory of 2556	2632	LocalFSAgnpsDhx.exe	30
PID 2632 wrote to memory of 2556	2632	LocalFSAgnpsDhx.exe	30
PID 2632 wrote to memory of 2576	2632	LocalFSAgnpsDhx.exe	31
PID 2632 wrote to memory of 2576	2632	LocalFSAgnpsDhx.exe	31
PID 2632 wrote to memory of 2576	2632	LocalFSAgnpsDhx.exe	31
PID 2632 wrote to memory of 2576	2632	LocalFSAgnpsDhx.exe	31
PID 2576 wrote to memory of 2988	2576	svchost.exe	32
PID 2576 wrote to memory of 2988	2576	svchost.exe	32
PID 2576 wrote to memory of 2988	2576	svchost.exe	32
PID 2576 wrote to memory of 2988	2576	svchost.exe	32
PID 2576 wrote to memory of 2508	2576	svchost.exe	33
PID 2576 wrote to memory of 2508	2576	svchost.exe	33
PID 2576 wrote to memory of 2508	2576	svchost.exe	33
PID 2576 wrote to memory of 2508	2576	svchost.exe	33

C:\Users\Admin\AppData\Local\Temp\8fa0588a7d0bdc6ed5cd187ab077cdfed96f0cb1341b37e5000a5a40bbc7345e.exe
"C:\Users\Admin\AppData\Local\Temp\8fa0588a7d0bdc6ed5cd187ab077cdfed96f0cb1341b37e5000a5a40bbc7345e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Users\Admin\AppData\LocalFSAgnpsDhx.exe
  "C:\Users\Admin\AppData\LocalFSAgnpsDhx.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Windows\SysWOW64\NotePad.exe
    NotePad
    3⤵
    PID:2556
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2576
  - - C:\Windows\SysWOW64\NotePad.exe
      NotePad
      4⤵
      PID:2988
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\svchost.exe" "svchost.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      PID:2508
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\LocalbzJHeWkul_..txt
  2⤵
  PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalFSAgnpsDhx.exe

Filesize
290KB

MD5
224884a09b08f5db2a9533ea3062190d

SHA1
f85c5e03775cac1bad3a071cfd85b51537767c97

SHA256
ba2a02c4177f23a081ce81727ce5711508947395603c066251b1ceefb2c450a9

SHA512
8be5182679f23cad5e0ea19b7f483eee75a3dd1ff764f3dad76cd18c5bfcda287f9c8aadc913ec448fbf6cef5bf6e76214abae36c57d0fe76c19824a745bda2a

Download Submit
C:\Users\Admin\AppData\LocalFSAgnpsDhx.exe

Filesize
290KB

MD5
224884a09b08f5db2a9533ea3062190d

SHA1
f85c5e03775cac1bad3a071cfd85b51537767c97

SHA256
ba2a02c4177f23a081ce81727ce5711508947395603c066251b1ceefb2c450a9

SHA512
8be5182679f23cad5e0ea19b7f483eee75a3dd1ff764f3dad76cd18c5bfcda287f9c8aadc913ec448fbf6cef5bf6e76214abae36c57d0fe76c19824a745bda2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
290KB

MD5
224884a09b08f5db2a9533ea3062190d

SHA1
f85c5e03775cac1bad3a071cfd85b51537767c97

SHA256
ba2a02c4177f23a081ce81727ce5711508947395603c066251b1ceefb2c450a9

SHA512
8be5182679f23cad5e0ea19b7f483eee75a3dd1ff764f3dad76cd18c5bfcda287f9c8aadc913ec448fbf6cef5bf6e76214abae36c57d0fe76c19824a745bda2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
290KB

MD5
224884a09b08f5db2a9533ea3062190d

SHA1
f85c5e03775cac1bad3a071cfd85b51537767c97

SHA256
ba2a02c4177f23a081ce81727ce5711508947395603c066251b1ceefb2c450a9

SHA512
8be5182679f23cad5e0ea19b7f483eee75a3dd1ff764f3dad76cd18c5bfcda287f9c8aadc913ec448fbf6cef5bf6e76214abae36c57d0fe76c19824a745bda2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
290KB

MD5
224884a09b08f5db2a9533ea3062190d

SHA1
f85c5e03775cac1bad3a071cfd85b51537767c97

SHA256
ba2a02c4177f23a081ce81727ce5711508947395603c066251b1ceefb2c450a9

SHA512
8be5182679f23cad5e0ea19b7f483eee75a3dd1ff764f3dad76cd18c5bfcda287f9c8aadc913ec448fbf6cef5bf6e76214abae36c57d0fe76c19824a745bda2a

Download Submit
C:\Users\Admin\AppData\LocalbzJHeWkul_..txt

Filesize
288B

MD5
be609d4678b46bf8d98b4f88b36337a7

SHA1
b621bbcefd42ba2de567424cc4476d26805ff56b

SHA256
24f50b03afe8d4b4ef134b2a001cf4bb5c52e24a01c80610fd52ed8960b00115

SHA512
5ffd5cfdea34854c93417d5d3cea740a123c97f55b76d9af83b23e1766fc7bfa3392f9f8312924c20bce58f8100b31252549c649a2b2075bdccf9f6c1fa1f1cc

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
290KB

MD5
224884a09b08f5db2a9533ea3062190d

SHA1
f85c5e03775cac1bad3a071cfd85b51537767c97

SHA256
ba2a02c4177f23a081ce81727ce5711508947395603c066251b1ceefb2c450a9

SHA512
8be5182679f23cad5e0ea19b7f483eee75a3dd1ff764f3dad76cd18c5bfcda287f9c8aadc913ec448fbf6cef5bf6e76214abae36c57d0fe76c19824a745bda2a

Download Submit
memory/2576-29-0x0000000000BD0000-0x0000000000C10000-memory.dmp

Filesize
256KB

Download
memory/2576-28-0x0000000074090000-0x000000007477E000-memory.dmp

Filesize
6.9MB

Download
memory/2576-26-0x0000000000BD0000-0x0000000000C10000-memory.dmp

Filesize
256KB

Download
memory/2576-25-0x0000000074090000-0x000000007477E000-memory.dmp

Filesize
6.9MB

Download
memory/2576-24-0x0000000000E90000-0x0000000000EDE000-memory.dmp

Filesize
312KB

Download
memory/2632-10-0x0000000074090000-0x000000007477E000-memory.dmp

Filesize
6.9MB

Download
memory/2632-16-0x0000000000220000-0x000000000022A000-memory.dmp

Filesize
40KB

Download
memory/2632-15-0x0000000004970000-0x00000000049B0000-memory.dmp

Filesize
256KB

Download
memory/2632-14-0x0000000074090000-0x000000007477E000-memory.dmp

Filesize
6.9MB

Download
memory/2632-13-0x0000000004970000-0x00000000049B0000-memory.dmp

Filesize
256KB

Download
memory/2632-12-0x0000000000200000-0x0000000000206000-memory.dmp

Filesize
24KB

Download
memory/2632-11-0x00000000004B0000-0x0000000000508000-memory.dmp

Filesize
352KB

Download
memory/2632-27-0x0000000074090000-0x000000007477E000-memory.dmp

Filesize
6.9MB

Download
memory/2632-9-0x0000000000C60000-0x0000000000CAE000-memory.dmp

Filesize
312KB

Download
memory/3016-8-0x000007FEF55B0000-0x000007FEF5F4D000-memory.dmp

Filesize
9.6MB

Download