Overview

overview

10

Static

static

10

NjRat Lime....0.exe

windows7-x64

NjRat Lime....0.exe

windows10-1703-x64

NjRat Lime....0.exe

windows10-2004-x64

10

Resubmissions

15/10/2023, 10:10

231015-l7htgadg7t 10

15/10/2023, 10:08

231015-l6mq2adg61 10

Analysis

  • max time kernel
    194s
  • max time network
    207s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15/10/2023, 10:10

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    NjRat Lime Edition 0.8.0/NjRat Lime Edition 0.8.0.exe

  • Size

    357KB

  • MD5

    124f402976fed53760b9a49eb5bcd8de

  • SHA1

    d6f752e2bd87675c77c46784e23c531d3aecc54a

  • SHA256

    058a5e19eb5edda3029d3bdca057b8bb9476520280eb19b912eb67eff7a5e5be

  • SHA512

    3a1615e487e793a98827207664dbb2296fe10837d2da12eca3329f0bcc38d7f284204614b45ba7ae0f1536be8b26e2e68565869d382b462e685c818740640a22

  • SSDEEP

    6144:SgZiAEAO0sByNsAal3gVAWgS7/Ohwjj1kS8RRQzY:SgZXEAO/BUdG3gVdt7Ke1kS8LD

Score
10/10
njratnjratevasionpersistencetrojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

njRAT

C2

0.tcp.eu.ngrok.io:12449

Mutex

79260d4c9893ac5a8295ab997683856f

Attributes
  • reg_key

    79260d4c9893ac5a8295ab997683856f

  • splitter

    |'|'|

Extracted

Family

njrat

Version

0.7.3

Botnet

njRAT

C2

0.tcp.eu.ngrok.io:12449

Mutex

dllhost.exe

Attributes
  • reg_key

    dllhost.exe

  • splitter

    1234

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 4 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Drops file in System32 directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 50 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NjRat Lime Edition 0.8.0\NjRat Lime Edition 0.8.0.exe
    "C:\Users\Admin\AppData\Local\Temp\NjRat Lime Edition 0.8.0\NjRat Lime Edition 0.8.0.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:3216
    • C:\Windows\SysWOW64\dllhоst.exe
      "C:\Windows\system32\dllhоst.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3664
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Windows\SysWOW64\dllhоst.exe" "dllhоst.exe" ENABLE
        3⤵
        • Modifies Windows Firewall
        PID:1892
    • C:\Windows\SysWOW64\svchоst.exe
      "C:\Windows\system32\svchоst.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      PID:4460

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Windows\SysWOW64\dllhоst.exe
          Filesize

          24KB

          MD5

          6a3a90fd52ca8e3092ec58f22839e2ac

          SHA1

          2a10a3cd99a6f50926fc85ffc6829bf1c85fb01e

          SHA256

          392762c510203bcaf1d1d431f7d6bacd8acfa04df2b99893bd00e15b1ac21fe4

          SHA512

          4d502f8437314c8f137389552a88a6e38476418fed9694aaea9c7858db2e25e1a7f2f66f791a04fb7ef9a4b9f8a98079f928f61f80e9f403ad2a32768f0f6783

          Download Submit

        • C:\Windows\SysWOW64\dllhоst.exe
          Filesize

          24KB

          MD5

          6a3a90fd52ca8e3092ec58f22839e2ac

          SHA1

          2a10a3cd99a6f50926fc85ffc6829bf1c85fb01e

          SHA256

          392762c510203bcaf1d1d431f7d6bacd8acfa04df2b99893bd00e15b1ac21fe4

          SHA512

          4d502f8437314c8f137389552a88a6e38476418fed9694aaea9c7858db2e25e1a7f2f66f791a04fb7ef9a4b9f8a98079f928f61f80e9f403ad2a32768f0f6783

          Download Submit

        • C:\Windows\SysWOW64\dllhоst.exe
          Filesize

          24KB

          MD5

          6a3a90fd52ca8e3092ec58f22839e2ac

          SHA1

          2a10a3cd99a6f50926fc85ffc6829bf1c85fb01e

          SHA256

          392762c510203bcaf1d1d431f7d6bacd8acfa04df2b99893bd00e15b1ac21fe4

          SHA512

          4d502f8437314c8f137389552a88a6e38476418fed9694aaea9c7858db2e25e1a7f2f66f791a04fb7ef9a4b9f8a98079f928f61f80e9f403ad2a32768f0f6783

          Download Submit

        • C:\Windows\SysWOW64\svchоst.exe
          Filesize

          75KB

          MD5

          bf7c75be0a37e569259438ffa5170160

          SHA1

          9672a4b6cb9d8cbef189e1306d72877645661687

          SHA256

          10ed0a4d4e59e62c7f91c5d3a88044154fe67ea1d75f2f3bef3d876ce289036e

          SHA512

          9f32c4557d2b39726e7546c243066bf6b68cb8eb22f8998f47ffe57de169bf28d387791b6b8267fd1af775d52fa2e43a0e00e8b288c00dbffe917662fc38a57b

          Download Submit

        • C:\Windows\SysWOW64\svchоst.exe
          Filesize

          75KB

          MD5

          bf7c75be0a37e569259438ffa5170160

          SHA1

          9672a4b6cb9d8cbef189e1306d72877645661687

          SHA256

          10ed0a4d4e59e62c7f91c5d3a88044154fe67ea1d75f2f3bef3d876ce289036e

          SHA512

          9f32c4557d2b39726e7546c243066bf6b68cb8eb22f8998f47ffe57de169bf28d387791b6b8267fd1af775d52fa2e43a0e00e8b288c00dbffe917662fc38a57b

          Download Submit

        • C:\Windows\SysWOW64\svchоst.exe
          Filesize

          75KB

          MD5

          bf7c75be0a37e569259438ffa5170160

          SHA1

          9672a4b6cb9d8cbef189e1306d72877645661687

          SHA256

          10ed0a4d4e59e62c7f91c5d3a88044154fe67ea1d75f2f3bef3d876ce289036e

          SHA512

          9f32c4557d2b39726e7546c243066bf6b68cb8eb22f8998f47ffe57de169bf28d387791b6b8267fd1af775d52fa2e43a0e00e8b288c00dbffe917662fc38a57b

          Download Submit

        • memory/3664-24-0x0000000074890000-0x0000000074E41000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/3664-27-0x0000000074890000-0x0000000074E41000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/3664-28-0x0000000074890000-0x0000000074E41000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/3664-31-0x0000000074890000-0x0000000074E41000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/3664-32-0x0000000001A70000-0x0000000001A80000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4460-26-0x00000000010D0000-0x00000000010E0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4460-25-0x0000000074890000-0x0000000074E41000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/4460-29-0x0000000074890000-0x0000000074E41000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/4460-30-0x00000000010D0000-0x00000000010E0000-memory.dmp

          Filesize

          64KB

          Download