njrat | 357f9d78f25616a32835ee27ef5106ffe17a25142443449bb91f74d3013032db

Analysis

max time kernel
7s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
22-12-2023 05:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Private DR 8.exe
Size

32KB
MD5

3545a1d643a4bbe8254e6288ef8b8970
SHA1

54c78dd9b1af967af5bae3436666b4cc6ec9981a
SHA256

ce9f3a26c1dc03bdb6b44d8f21155c01481cfef00d52aed3e8cb2d127d9a0bf7
SHA512

56cfac7a646b9a9c898131d714497af04c29f72aa05dcb4c680e384e62058af5bb136017e6a79a5e5b8d069d488f2651fa0ccddbf332ffd99b0975d63624e884
SSDEEP

384:FwZ2iQY1yEccOrM5si+dCLp6dqs9dFPI4+hAVoTi+NlDQodg9TduS/EIGsJjwE7I:CI05cTvTdCmvsuouDuCEIGfRu+f

Score

10^/10

njrat hacked by hidden person trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

Hacked By HiDDen PerSOn

127.0.0.1:5552

Mutex

ccedfcf6c833355573619d64c1fe7aea

Attributes

reg_key
ccedfcf6c833355573619d64c1fe7aea
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

Private DR 8.exe

description	pid	process	target process
PID 2480 wrote to memory of 2436	2480	Private DR 8.exe	rundll32.exe
PID 2480 wrote to memory of 2436	2480	Private DR 8.exe	rundll32.exe
PID 2480 wrote to memory of 2436	2480	Private DR 8.exe	rundll32.exe
PID 2480 wrote to memory of 2436	2480	Private DR 8.exe	rundll32.exe
PID 2480 wrote to memory of 2436	2480	Private DR 8.exe	rundll32.exe
PID 2480 wrote to memory of 2436	2480	Private DR 8.exe	rundll32.exe
PID 2480 wrote to memory of 2436	2480	Private DR 8.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\Private DR 8.exe
"C:\Users\Admin\AppData\Local\Temp\Private DR 8.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2480

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\PRIVATE DR8
2⤵
PID:2436

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\PRIVATE DR8"
3⤵
PID:2728

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\PRIVATE DR8
Filesize
32KB

MD5
3545a1d643a4bbe8254e6288ef8b8970

SHA1
54c78dd9b1af967af5bae3436666b4cc6ec9981a

SHA256
ce9f3a26c1dc03bdb6b44d8f21155c01481cfef00d52aed3e8cb2d127d9a0bf7

SHA512
56cfac7a646b9a9c898131d714497af04c29f72aa05dcb4c680e384e62058af5bb136017e6a79a5e5b8d069d488f2651fa0ccddbf332ffd99b0975d63624e884

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
Filesize
3KB

MD5
665302c934136b55da868419a3afdcb4

SHA1
c7363cf0f76aa99ded02edcb04610fc8756a71db

SHA256
3569c38de00a82b1c591a67e69c238b12e4abba877bdd7adab3c0c6696ccbd8c

SHA512
ef23c32546128bd7b2bb458226e6fd9c77c4265e3d38f10799a966e6973a96e1ce41243e77e49ce8c4a9351cfa0a2d8bf5d9e68f6c2945044b23d6c7bdd64a12

Download Submit
memory/2480-0-0x0000000074D90000-0x000000007533B000-memory.dmp

Filesize
5.7MB

Download
memory/2480-2-0x0000000000B40000-0x0000000000B80000-memory.dmp

Filesize
256KB

Download
memory/2480-1-0x0000000074D90000-0x000000007533B000-memory.dmp

Filesize
5.7MB

Download
memory/2480-5-0x0000000074D90000-0x000000007533B000-memory.dmp

Filesize
5.7MB

Download