njrat | c4e071cd3249b9ec23ef43a02be817d48941fdc86a1870a648e1d23288eedec0

General

Target

e295a10d1ae2f01ff66922cd13d950fb.exe
Size

395KB
MD5

e295a10d1ae2f01ff66922cd13d950fb
SHA1

493ee29384a12b2f5dc13e9f6908b1f668c7b919
SHA256

c4e071cd3249b9ec23ef43a02be817d48941fdc86a1870a648e1d23288eedec0
SHA512

6c2365d04102b943b6a555c5882b70c3952a4840d7e81db2dcad74ee932a7c963db6c23948f072fce3cf950fda6f11691654f19977bd731c3abd9d363f69874c
SSDEEP

12288:+RZ+IoG/n9IQxW3OBsze2X+t4RbeZcdm6LA8:I2G/nvxW3Wh0teZcdm4A8

Score

10^/10

njrat evasion persistence trojan

Malware Config

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exe

pid process

4884 netsh.exe

pid	process
4884	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

e295a10d1ae2f01ff66922cd13d950fb.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	e295a10d1ae2f01ff66922cd13d950fb.exe

Drops startup file 2 IoCs

Processes:

server.EXE

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\142514b06c5331e576c2b748ba1ec681.exe	server.EXE
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\142514b06c5331e576c2b748ba1ec681.exe	server.EXE

Executes dropped EXE 3 IoCs

Processes:

server.EXECSGhost-V4.EXEtemp_wrapped_31366.exe

pid process

3196 server.EXE
5016 CSGhost-V4.EXE
4788 temp_wrapped_31366.exe

pid	process
3196	server.EXE
5016	CSGhost-V4.EXE
4788	temp_wrapped_31366.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

server.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\142514b06c5331e576c2b748ba1ec681 = "\"C:\\Users\\Admin\\AppData\\Roaming\\server.EXE\" .."	server.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\142514b06c5331e576c2b748ba1ec681 = "\"C:\\Users\\Admin\\AppData\\Roaming\\server.EXE\" .."	server.EXE

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

temp_wrapped_31366.exe

pid	process
4788	temp_wrapped_31366.exe
4788	temp_wrapped_31366.exe
4788	temp_wrapped_31366.exe
4788	temp_wrapped_31366.exe
4788	temp_wrapped_31366.exe
4788	temp_wrapped_31366.exe
4788	temp_wrapped_31366.exe
4788	temp_wrapped_31366.exe
4788	temp_wrapped_31366.exe
4788	temp_wrapped_31366.exe
4788	temp_wrapped_31366.exe
4788	temp_wrapped_31366.exe
4788	temp_wrapped_31366.exe
4788	temp_wrapped_31366.exe
4788	temp_wrapped_31366.exe
4788	temp_wrapped_31366.exe
4788	temp_wrapped_31366.exe
4788	temp_wrapped_31366.exe
4788	temp_wrapped_31366.exe
4788	temp_wrapped_31366.exe
4788	temp_wrapped_31366.exe
4788	temp_wrapped_31366.exe
4788	temp_wrapped_31366.exe
4788	temp_wrapped_31366.exe
4788	temp_wrapped_31366.exe
4788	temp_wrapped_31366.exe
4788	temp_wrapped_31366.exe
4788	temp_wrapped_31366.exe
4788	temp_wrapped_31366.exe
4788	temp_wrapped_31366.exe
4788	temp_wrapped_31366.exe
4788	temp_wrapped_31366.exe
4788	temp_wrapped_31366.exe
4788	temp_wrapped_31366.exe
4788	temp_wrapped_31366.exe
4788	temp_wrapped_31366.exe
4788	temp_wrapped_31366.exe
4788	temp_wrapped_31366.exe
4788	temp_wrapped_31366.exe
4788	temp_wrapped_31366.exe
4788	temp_wrapped_31366.exe
4788	temp_wrapped_31366.exe
4788	temp_wrapped_31366.exe
4788	temp_wrapped_31366.exe
4788	temp_wrapped_31366.exe
4788	temp_wrapped_31366.exe
4788	temp_wrapped_31366.exe
4788	temp_wrapped_31366.exe
4788	temp_wrapped_31366.exe
4788	temp_wrapped_31366.exe
4788	temp_wrapped_31366.exe
4788	temp_wrapped_31366.exe
4788	temp_wrapped_31366.exe
4788	temp_wrapped_31366.exe
4788	temp_wrapped_31366.exe
4788	temp_wrapped_31366.exe
4788	temp_wrapped_31366.exe
4788	temp_wrapped_31366.exe
4788	temp_wrapped_31366.exe
4788	temp_wrapped_31366.exe
4788	temp_wrapped_31366.exe
4788	temp_wrapped_31366.exe
4788	temp_wrapped_31366.exe
4788	temp_wrapped_31366.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

server.EXE

description	pid	process
Token: SeDebugPrivilege	3196	server.EXE
Token: 33	3196	server.EXE
Token: SeIncBasePriorityPrivilege	3196	server.EXE
Token: 33	3196	server.EXE
Token: SeIncBasePriorityPrivilege	3196	server.EXE
Token: 33	3196	server.EXE
Token: SeIncBasePriorityPrivilege	3196	server.EXE
Token: 33	3196	server.EXE
Token: SeIncBasePriorityPrivilege	3196	server.EXE
Token: 33	3196	server.EXE
Token: SeIncBasePriorityPrivilege	3196	server.EXE
Token: 33	3196	server.EXE
Token: SeIncBasePriorityPrivilege	3196	server.EXE
Token: 33	3196	server.EXE
Token: SeIncBasePriorityPrivilege	3196	server.EXE
Token: 33	3196	server.EXE
Token: SeIncBasePriorityPrivilege	3196	server.EXE
Token: 33	3196	server.EXE
Token: SeIncBasePriorityPrivilege	3196	server.EXE
Token: 33	3196	server.EXE
Token: SeIncBasePriorityPrivilege	3196	server.EXE
Token: 33	3196	server.EXE
Token: SeIncBasePriorityPrivilege	3196	server.EXE
Token: 33	3196	server.EXE
Token: SeIncBasePriorityPrivilege	3196	server.EXE
Token: 33	3196	server.EXE
Token: SeIncBasePriorityPrivilege	3196	server.EXE
Token: 33	3196	server.EXE
Token: SeIncBasePriorityPrivilege	3196	server.EXE
Token: 33	3196	server.EXE
Token: SeIncBasePriorityPrivilege	3196	server.EXE
Token: 33	3196	server.EXE
Token: SeIncBasePriorityPrivilege	3196	server.EXE
Token: 33	3196	server.EXE
Token: SeIncBasePriorityPrivilege	3196	server.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

CSGhost-V4.EXEtemp_wrapped_31366.exe

pid process

5016 CSGhost-V4.EXE
4788 temp_wrapped_31366.exe

pid	process
5016	CSGhost-V4.EXE
4788	temp_wrapped_31366.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

e295a10d1ae2f01ff66922cd13d950fb.exeCSGhost-V4.EXEserver.EXE

description	pid	process	target process
PID 3308 wrote to memory of 3196	3308	e295a10d1ae2f01ff66922cd13d950fb.exe	server.EXE
PID 3308 wrote to memory of 3196	3308	e295a10d1ae2f01ff66922cd13d950fb.exe	server.EXE
PID 3308 wrote to memory of 3196	3308	e295a10d1ae2f01ff66922cd13d950fb.exe	server.EXE
PID 3308 wrote to memory of 5016	3308	e295a10d1ae2f01ff66922cd13d950fb.exe	CSGhost-V4.EXE
PID 3308 wrote to memory of 5016	3308	e295a10d1ae2f01ff66922cd13d950fb.exe	CSGhost-V4.EXE
PID 5016 wrote to memory of 4788	5016	CSGhost-V4.EXE	temp_wrapped_31366.exe
PID 5016 wrote to memory of 4788	5016	CSGhost-V4.EXE	temp_wrapped_31366.exe
PID 5016 wrote to memory of 4788	5016	CSGhost-V4.EXE	temp_wrapped_31366.exe
PID 3196 wrote to memory of 4884	3196	server.EXE	netsh.exe
PID 3196 wrote to memory of 4884	3196	server.EXE	netsh.exe
PID 3196 wrote to memory of 4884	3196	server.EXE	netsh.exe

C:\Users\Admin\AppData\Local\Temp\e295a10d1ae2f01ff66922cd13d950fb.exe
"C:\Users\Admin\AppData\Local\Temp\e295a10d1ae2f01ff66922cd13d950fb.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3308

C:\Users\Admin\AppData\Roaming\server.EXE
"C:\Users\Admin\AppData\Roaming\server.EXE"
2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3196

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.EXE" "server.EXE" ENABLE
3⤵
- Modifies Windows Firewall
PID:4884

C:\Users\Admin\AppData\Roaming\CSGhost-V4.EXE
"C:\Users\Admin\AppData\Roaming\CSGhost-V4.EXE"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5016

C:\Users\Admin\AppData\Local\Temp\temp_wrapped_31366.exe
"C:\Users\Admin\AppData\Local\Temp\temp_wrapped_31366.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4788

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\temp_wrapped_31366.exe
Filesize
60KB

MD5
6626698df959dedebe4bba05a5212cb6

SHA1
44b29eea5e11a7805fe74df6d7acc708d4e2c04f

SHA256
ca7847a603db8ee2912c946b15ba8f7c6e4a6de13f8192792e58287859dee57a

SHA512
312b55a55348dbe85222d80df3142806411537e2fdee5338c0062825f030be73b5142d452c861059988c40c8172d1a3baa3f0d1f97dac6c7dff17c31d01822e8

Download Submit
C:\Users\Admin\AppData\Roaming\CSGhost-v4.exe
Filesize
68KB

MD5
f46ebc4410101fc838ca6dbab76c90e1

SHA1
f687b1880256cf8261c16a18cea4b5d2b76c92d3

SHA256
724c6c491d8d46f9a7e41192ba5926f0ee7b82e9315761f51520c9b6d2ee4be0

SHA512
244f7a5f46178b7c2935e2261d7fef5af8dfb55113388b8dce2dca070885cfe480913e1325a519cfd2e8b3351b12142edb989d2d8da6b153814b0bb3f3e217f1

Download Submit
C:\Users\Admin\AppData\Roaming\server.exe
Filesize
23KB

MD5
a873745adb5279248a7ea3cccff26c3c

SHA1
551fb96900684f790fca3b2b837d1c88ef0508dc

SHA256
8320f6171990184f84338329dae465e33ef90e1a9584e7087b226d682b8e1594

SHA512
09d94e876577cd9c1ae164bb6bfa94fc440482f2fc5e775b6d7222508ad4ef53697f2164044b30789d7a2cf4f703a98d4958968c7cd774811a89a2188310b87f

Download Submit
memory/3196-22-0x0000000073100000-0x00000000736B1000-memory.dmp

Filesize
5.7MB

Download
memory/3196-24-0x0000000001740000-0x0000000001750000-memory.dmp

Filesize
64KB

Download
memory/3196-23-0x0000000073100000-0x00000000736B1000-memory.dmp

Filesize
5.7MB

Download
memory/3196-26-0x0000000073100000-0x00000000736B1000-memory.dmp

Filesize
5.7MB

Download
memory/3196-27-0x0000000073100000-0x00000000736B1000-memory.dmp

Filesize
5.7MB

Download
memory/3196-28-0x0000000001740000-0x0000000001750000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads