njrat | 4343db61e059b8f73e97e022907d917a6a495439cf9ef7c618a832ded1f9f4d1

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
08-10-2023 07:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8fa0588a7d0bdc6ed5cd187ab077cdfed96f0cb1341b37e5000a5a40bbc7345e.exe
Size

344KB
MD5

8d25c14a5b1f9cdf8f87b86481dbc471
SHA1

af7d5f5f0f4b891b4e95dd444993138b581a69d4
SHA256

8fa0588a7d0bdc6ed5cd187ab077cdfed96f0cb1341b37e5000a5a40bbc7345e
SHA512

6fb3dbde57e30fa8d04f3a4081312bee32fe576b73dea496c7782a02dc82e3173d49a9dd13489d7acb879744ff3c96acc81efaabbff089354fcbbe00f3167338
SSDEEP

3072:FEaNdCsfYDogE/eaBNDjh8b5hisx0x0a37K0OMwRbHpG9ua7zwo58T:FEAdCs3XLBtjhij0xfm0VKG9oy

Score

10^/10

njrat hacked evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

z-shadowxxx.ddns.net:5552

Mutex

1899f7b6bb5e1cf84a5b2c830a70fbec

Attributes

reg_key
1899f7b6bb5e1cf84a5b2c830a70fbec
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
4808	netsh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation	8fa0588a7d0bdc6ed5cd187ab077cdfed96f0cb1341b37e5000a5a40bbc7345e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation	LocalFSAgnpsDhx.exe

Executes dropped EXE 2 IoCs

pid	Process
2672	LocalFSAgnpsDhx.exe
1012	svchost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1899f7b6bb5e1cf84a5b2c830a70fbec = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .."	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1899f7b6bb5e1cf84a5b2c830a70fbec = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .."	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings	8fa0588a7d0bdc6ed5cd187ab077cdfed96f0cb1341b37e5000a5a40bbc7345e.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2672	LocalFSAgnpsDhx.exe
2672	LocalFSAgnpsDhx.exe
2672	LocalFSAgnpsDhx.exe
2672	LocalFSAgnpsDhx.exe
2672	LocalFSAgnpsDhx.exe
2672	LocalFSAgnpsDhx.exe
2672	LocalFSAgnpsDhx.exe
2672	LocalFSAgnpsDhx.exe
2672	LocalFSAgnpsDhx.exe
2672	LocalFSAgnpsDhx.exe
2672	LocalFSAgnpsDhx.exe
2672	LocalFSAgnpsDhx.exe
2672	LocalFSAgnpsDhx.exe
2672	LocalFSAgnpsDhx.exe
2672	LocalFSAgnpsDhx.exe
2672	LocalFSAgnpsDhx.exe
2672	LocalFSAgnpsDhx.exe
2672	LocalFSAgnpsDhx.exe
2672	LocalFSAgnpsDhx.exe
2672	LocalFSAgnpsDhx.exe
2672	LocalFSAgnpsDhx.exe
2672	LocalFSAgnpsDhx.exe
2672	LocalFSAgnpsDhx.exe
2672	LocalFSAgnpsDhx.exe
2672	LocalFSAgnpsDhx.exe
2672	LocalFSAgnpsDhx.exe
2672	LocalFSAgnpsDhx.exe
2672	LocalFSAgnpsDhx.exe
2672	LocalFSAgnpsDhx.exe
2672	LocalFSAgnpsDhx.exe
2672	LocalFSAgnpsDhx.exe
2672	LocalFSAgnpsDhx.exe
2672	LocalFSAgnpsDhx.exe
2672	LocalFSAgnpsDhx.exe
2672	LocalFSAgnpsDhx.exe
2672	LocalFSAgnpsDhx.exe
2672	LocalFSAgnpsDhx.exe
2672	LocalFSAgnpsDhx.exe
2672	LocalFSAgnpsDhx.exe
2672	LocalFSAgnpsDhx.exe
2672	LocalFSAgnpsDhx.exe
2672	LocalFSAgnpsDhx.exe
2672	LocalFSAgnpsDhx.exe
2672	LocalFSAgnpsDhx.exe
2672	LocalFSAgnpsDhx.exe
2672	LocalFSAgnpsDhx.exe
2672	LocalFSAgnpsDhx.exe
2672	LocalFSAgnpsDhx.exe
2672	LocalFSAgnpsDhx.exe
2672	LocalFSAgnpsDhx.exe
2672	LocalFSAgnpsDhx.exe
2672	LocalFSAgnpsDhx.exe
2672	LocalFSAgnpsDhx.exe
2672	LocalFSAgnpsDhx.exe
2672	LocalFSAgnpsDhx.exe
2672	LocalFSAgnpsDhx.exe
2672	LocalFSAgnpsDhx.exe
2672	LocalFSAgnpsDhx.exe
2672	LocalFSAgnpsDhx.exe
2672	LocalFSAgnpsDhx.exe
2672	LocalFSAgnpsDhx.exe
2672	LocalFSAgnpsDhx.exe
2672	LocalFSAgnpsDhx.exe
2672	LocalFSAgnpsDhx.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeDebugPrivilege	2672	LocalFSAgnpsDhx.exe
Token: SeDebugPrivilege	1012	svchost.exe
Token: 33	1012	svchost.exe
Token: SeIncBasePriorityPrivilege	1012	svchost.exe
Token: 33	1012	svchost.exe
Token: SeIncBasePriorityPrivilege	1012	svchost.exe
Token: 33	1012	svchost.exe
Token: SeIncBasePriorityPrivilege	1012	svchost.exe
Token: 33	1012	svchost.exe
Token: SeIncBasePriorityPrivilege	1012	svchost.exe
Token: 33	1012	svchost.exe
Token: SeIncBasePriorityPrivilege	1012	svchost.exe
Token: 33	1012	svchost.exe
Token: SeIncBasePriorityPrivilege	1012	svchost.exe
Token: SeManageVolumePrivilege	4748	svchost.exe
Token: 33	1012	svchost.exe
Token: SeIncBasePriorityPrivilege	1012	svchost.exe
Token: 33	1012	svchost.exe
Token: SeIncBasePriorityPrivilege	1012	svchost.exe
Token: 33	1012	svchost.exe
Token: SeIncBasePriorityPrivilege	1012	svchost.exe
Token: 33	1012	svchost.exe
Token: SeIncBasePriorityPrivilege	1012	svchost.exe
Token: 33	1012	svchost.exe
Token: SeIncBasePriorityPrivilege	1012	svchost.exe
Token: 33	1012	svchost.exe
Token: SeIncBasePriorityPrivilege	1012	svchost.exe
Token: 33	1012	svchost.exe
Token: SeIncBasePriorityPrivilege	1012	svchost.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1672 wrote to memory of 2672	1672	8fa0588a7d0bdc6ed5cd187ab077cdfed96f0cb1341b37e5000a5a40bbc7345e.exe	86
PID 1672 wrote to memory of 2672	1672	8fa0588a7d0bdc6ed5cd187ab077cdfed96f0cb1341b37e5000a5a40bbc7345e.exe	86
PID 1672 wrote to memory of 2672	1672	8fa0588a7d0bdc6ed5cd187ab077cdfed96f0cb1341b37e5000a5a40bbc7345e.exe	86
PID 1672 wrote to memory of 4184	1672	8fa0588a7d0bdc6ed5cd187ab077cdfed96f0cb1341b37e5000a5a40bbc7345e.exe	87
PID 1672 wrote to memory of 4184	1672	8fa0588a7d0bdc6ed5cd187ab077cdfed96f0cb1341b37e5000a5a40bbc7345e.exe	87
PID 2672 wrote to memory of 4896	2672	LocalFSAgnpsDhx.exe	96
PID 2672 wrote to memory of 4896	2672	LocalFSAgnpsDhx.exe	96
PID 2672 wrote to memory of 4896	2672	LocalFSAgnpsDhx.exe	96
PID 2672 wrote to memory of 1012	2672	LocalFSAgnpsDhx.exe	99
PID 2672 wrote to memory of 1012	2672	LocalFSAgnpsDhx.exe	99
PID 2672 wrote to memory of 1012	2672	LocalFSAgnpsDhx.exe	99
PID 1012 wrote to memory of 1020	1012	svchost.exe	101
PID 1012 wrote to memory of 1020	1012	svchost.exe	101
PID 1012 wrote to memory of 1020	1012	svchost.exe	101
PID 1012 wrote to memory of 4808	1012	svchost.exe	104
PID 1012 wrote to memory of 4808	1012	svchost.exe	104
PID 1012 wrote to memory of 4808	1012	svchost.exe	104

C:\Users\Admin\AppData\Local\Temp\8fa0588a7d0bdc6ed5cd187ab077cdfed96f0cb1341b37e5000a5a40bbc7345e.exe
"C:\Users\Admin\AppData\Local\Temp\8fa0588a7d0bdc6ed5cd187ab077cdfed96f0cb1341b37e5000a5a40bbc7345e.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Users\Admin\AppData\LocalFSAgnpsDhx.exe
  "C:\Users\Admin\AppData\LocalFSAgnpsDhx.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2672
- - C:\Windows\SysWOW64\NotePad.exe
    NotePad
    3⤵
    PID:4896
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1012
  - - C:\Windows\SysWOW64\NotePad.exe
      NotePad
      4⤵
      PID:1020
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\svchost.exe" "svchost.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      PID:4808
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\LocalbzJHeWkul_..txt
  2⤵
  PID:4184

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:5032

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalFSAgnpsDhx.exe

Filesize
290KB

MD5
224884a09b08f5db2a9533ea3062190d

SHA1
f85c5e03775cac1bad3a071cfd85b51537767c97

SHA256
ba2a02c4177f23a081ce81727ce5711508947395603c066251b1ceefb2c450a9

SHA512
8be5182679f23cad5e0ea19b7f483eee75a3dd1ff764f3dad76cd18c5bfcda287f9c8aadc913ec448fbf6cef5bf6e76214abae36c57d0fe76c19824a745bda2a

Download Submit
C:\Users\Admin\AppData\LocalFSAgnpsDhx.exe

Filesize
290KB

MD5
224884a09b08f5db2a9533ea3062190d

SHA1
f85c5e03775cac1bad3a071cfd85b51537767c97

SHA256
ba2a02c4177f23a081ce81727ce5711508947395603c066251b1ceefb2c450a9

SHA512
8be5182679f23cad5e0ea19b7f483eee75a3dd1ff764f3dad76cd18c5bfcda287f9c8aadc913ec448fbf6cef5bf6e76214abae36c57d0fe76c19824a745bda2a

Download Submit
C:\Users\Admin\AppData\LocalFSAgnpsDhx.exe

Filesize
290KB

MD5
224884a09b08f5db2a9533ea3062190d

SHA1
f85c5e03775cac1bad3a071cfd85b51537767c97

SHA256
ba2a02c4177f23a081ce81727ce5711508947395603c066251b1ceefb2c450a9

SHA512
8be5182679f23cad5e0ea19b7f483eee75a3dd1ff764f3dad76cd18c5bfcda287f9c8aadc913ec448fbf6cef5bf6e76214abae36c57d0fe76c19824a745bda2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
290KB

MD5
224884a09b08f5db2a9533ea3062190d

SHA1
f85c5e03775cac1bad3a071cfd85b51537767c97

SHA256
ba2a02c4177f23a081ce81727ce5711508947395603c066251b1ceefb2c450a9

SHA512
8be5182679f23cad5e0ea19b7f483eee75a3dd1ff764f3dad76cd18c5bfcda287f9c8aadc913ec448fbf6cef5bf6e76214abae36c57d0fe76c19824a745bda2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
290KB

MD5
224884a09b08f5db2a9533ea3062190d

SHA1
f85c5e03775cac1bad3a071cfd85b51537767c97

SHA256
ba2a02c4177f23a081ce81727ce5711508947395603c066251b1ceefb2c450a9

SHA512
8be5182679f23cad5e0ea19b7f483eee75a3dd1ff764f3dad76cd18c5bfcda287f9c8aadc913ec448fbf6cef5bf6e76214abae36c57d0fe76c19824a745bda2a

Download Submit
C:\Users\Admin\AppData\LocalbzJHeWkul_..txt

Filesize
288B

MD5
be609d4678b46bf8d98b4f88b36337a7

SHA1
b621bbcefd42ba2de567424cc4476d26805ff56b

SHA256
24f50b03afe8d4b4ef134b2a001cf4bb5c52e24a01c80610fd52ed8960b00115

SHA512
5ffd5cfdea34854c93417d5d3cea740a123c97f55b76d9af83b23e1766fc7bfa3392f9f8312924c20bce58f8100b31252549c649a2b2075bdccf9f6c1fa1f1cc

Download Submit
memory/1012-45-0x0000000005FE0000-0x0000000005FEA000-memory.dmp

Filesize
40KB

Download
memory/1012-44-0x0000000006040000-0x00000000060D2000-memory.dmp

Filesize
584KB

Download
memory/1012-43-0x0000000074AD0000-0x0000000075280000-memory.dmp

Filesize
7.7MB

Download
memory/1012-41-0x0000000074AD0000-0x0000000075280000-memory.dmp

Filesize
7.7MB

Download
memory/1672-18-0x00007FFA75090000-0x00007FFA75A31000-memory.dmp

Filesize
9.6MB

Download
memory/1672-0-0x00007FFA75090000-0x00007FFA75A31000-memory.dmp

Filesize
9.6MB

Download
memory/1672-1-0x00000000009E0000-0x00000000009F0000-memory.dmp

Filesize
64KB

Download
memory/1672-2-0x00007FFA75090000-0x00007FFA75A31000-memory.dmp

Filesize
9.6MB

Download
memory/2672-19-0x0000000074AD0000-0x0000000075280000-memory.dmp

Filesize
7.7MB

Download
memory/2672-24-0x0000000007650000-0x00000000076EC000-memory.dmp

Filesize
624KB

Download
memory/2672-27-0x0000000004F90000-0x0000000004FA0000-memory.dmp

Filesize
64KB

Download
memory/2672-28-0x0000000007C80000-0x0000000007C8A000-memory.dmp

Filesize
40KB

Download
memory/2672-21-0x0000000004F30000-0x0000000004F88000-memory.dmp

Filesize
352KB

Download
memory/2672-20-0x00000000004C0000-0x000000000050E000-memory.dmp

Filesize
312KB

Download
memory/2672-42-0x0000000074AD0000-0x0000000075280000-memory.dmp

Filesize
7.7MB

Download
memory/2672-22-0x00000000048B0000-0x00000000048B6000-memory.dmp

Filesize
24KB

Download
memory/2672-25-0x0000000074AD0000-0x0000000075280000-memory.dmp

Filesize
7.7MB

Download
memory/2672-26-0x0000000007CA0000-0x0000000008244000-memory.dmp

Filesize
5.6MB

Download
memory/2672-23-0x0000000004F90000-0x0000000004FA0000-memory.dmp

Filesize
64KB

Download
memory/4748-46-0x000001A2AD140000-0x000001A2AD150000-memory.dmp

Filesize
64KB

Download
memory/4748-62-0x000001A2AD240000-0x000001A2AD250000-memory.dmp

Filesize
64KB

Download
memory/4748-78-0x000001A2B5560000-0x000001A2B5561000-memory.dmp

Filesize
4KB

Download
memory/4748-80-0x000001A2B5590000-0x000001A2B5591000-memory.dmp

Filesize
4KB

Download
memory/4748-81-0x000001A2B5590000-0x000001A2B5591000-memory.dmp

Filesize
4KB

Download
memory/4748-82-0x000001A2B56A0000-0x000001A2B56A1000-memory.dmp

Filesize
4KB

Download