njrat | 871978fb97af5fca44a98714b79a3e86dfdb468eed6980dadc7f2bf7e5bf1aaa

Resubmissions

06/11/2023, 19:37

231106-ybwfxadf81 10

06/11/2023, 19:33

231106-x9tjjadf4z 10

06/11/2023, 16:18

231106-tr58tscc9y 10

Analysis

max time kernel
132s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
06/11/2023, 16:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1106-11-Njrat.exe
Size

2.7MB
MD5

f6e3aee1f90ebd9fd2035d95cfb1572a
SHA1

9e3f5dd7421c68ed101a21678056a0d03a145d1a
SHA256

0b4d4ccbb9bef35964350e889dd87d2f5b0cd4e0fdc281af1f11adfbce994209
SHA512

437a0a1a485cc07567e149a5de503b2d2312925695824c002d25ad51a7015cfd78c03c962bbcd808793387d7cb3b4008602c70909a067ca29ac18827c5360035
SSDEEP

49152:rBZ6v3/0HTj169yWEY969K22VwFHITeeAwxkA:rWv3/0HTj169yWEY969r2VeH

Score

10^/10

njrat zgrat hi can you give money persistence rat trojan

Malware Config

Extracted

Family

njrat

Version

v2.0

Botnet

Hi can you give money

172.94.4.171:7772

Mutex

Windows

Attributes

reg_key
Windows
splitter
|-F-|

Signatures

Detect ZGRat V1 1 IoCs

resource	yara_rule
behavioral22/memory/3448-5-0x0000000006920000-0x000000000695A000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	RegAsm.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	1106-11-Njrat.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	RegAsm.exe

Executes dropped EXE 1 IoCs

pid	Process
2092	Adobe Reader PDF.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe Reader PDF.exe"	RegAsm.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3448 set thread context of 4756	3448	1106-11-Njrat.exe	91

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 3448 wrote to memory of 4756	3448	1106-11-Njrat.exe	91
PID 3448 wrote to memory of 4756	3448	1106-11-Njrat.exe	91
PID 3448 wrote to memory of 4756	3448	1106-11-Njrat.exe	91
PID 3448 wrote to memory of 4756	3448	1106-11-Njrat.exe	91
PID 3448 wrote to memory of 4756	3448	1106-11-Njrat.exe	91
PID 3448 wrote to memory of 4756	3448	1106-11-Njrat.exe	91
PID 3448 wrote to memory of 4756	3448	1106-11-Njrat.exe	91
PID 4756 wrote to memory of 2092	4756	RegAsm.exe	100
PID 4756 wrote to memory of 2092	4756	RegAsm.exe	100
PID 4756 wrote to memory of 2092	4756	RegAsm.exe	100
PID 4756 wrote to memory of 5004	4756	RegAsm.exe	102
PID 4756 wrote to memory of 5004	4756	RegAsm.exe	102
PID 4756 wrote to memory of 5004	4756	RegAsm.exe	102

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
5004	attrib.exe

C:\Users\Admin\AppData\Local\Temp\1106-11-Njrat.exe
"C:\Users\Admin\AppData\Local\Temp\1106-11-Njrat.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3448
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4756
- - C:\Users\Admin\AppData\Roaming\Adobe Reader PDF.exe
    "C:\Users\Admin\AppData\Roaming\Adobe Reader PDF.exe"
    3⤵
    - Executes dropped EXE
    PID:2092
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Adobe Reader PDF.exe"
    3⤵
    - Views/modifies file attributes
    PID:5004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe Reader PDF.exe

Filesize
63KB

MD5
0d5df43af2916f47d00c1573797c1a13

SHA1
230ab5559e806574d26b4c20847c368ed55483b0

SHA256
c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc

SHA512
f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe Reader PDF.exe

Filesize
63KB

MD5
0d5df43af2916f47d00c1573797c1a13

SHA1
230ab5559e806574d26b4c20847c368ed55483b0

SHA256
c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc

SHA512
f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe Reader PDF.exe

Filesize
63KB

MD5
0d5df43af2916f47d00c1573797c1a13

SHA1
230ab5559e806574d26b4c20847c368ed55483b0

SHA256
c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc

SHA512
f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

Download Submit
memory/2092-26-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2092-29-0x0000000075290000-0x0000000075A40000-memory.dmp

Filesize
7.7MB

Download
memory/2092-27-0x0000000075290000-0x0000000075A40000-memory.dmp

Filesize
7.7MB

Download
memory/3448-1-0x0000000000E80000-0x0000000001132000-memory.dmp

Filesize
2.7MB

Download
memory/3448-2-0x0000000005B00000-0x0000000005B9C000-memory.dmp

Filesize
624KB

Download
memory/3448-3-0x0000000006150000-0x00000000066F4000-memory.dmp

Filesize
5.6MB

Download
memory/3448-5-0x0000000006920000-0x000000000695A000-memory.dmp

Filesize
232KB

Download
memory/3448-8-0x0000000075290000-0x0000000075A40000-memory.dmp

Filesize
7.7MB

Download
memory/3448-0-0x0000000075290000-0x0000000075A40000-memory.dmp

Filesize
7.7MB

Download
memory/4756-12-0x0000000075290000-0x0000000075A40000-memory.dmp

Filesize
7.7MB

Download
memory/4756-25-0x0000000075290000-0x0000000075A40000-memory.dmp

Filesize
7.7MB

Download
memory/4756-9-0x0000000075290000-0x0000000075A40000-memory.dmp

Filesize
7.7MB

Download
memory/4756-6-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads