njrat | 04a952ad0bd597ba87296363427171c8af52a34d83592d4abbb5d5c97aedda27

Analysis

max time kernel
151s
max time network
48s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-12-2023 17:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

308df600b78f72607e05360d2f822d4c.exe
Size

226KB
MD5

308df600b78f72607e05360d2f822d4c
SHA1

7b5fe40d1db2e644408283ee7c706c3cc0bc9fae
SHA256

04a952ad0bd597ba87296363427171c8af52a34d83592d4abbb5d5c97aedda27
SHA512

deed649cc126ee91bf1f3c825f0bf962f11e3c74e6c5c5c5420a5c485636f8a5e3d5417def235aec1a17f486513b55244b6710aa561f81da349a9aa6569c6c8f
SSDEEP

1536:Q/OFCvKT+2B6FVzb9B+HWullVghstVdhfd9A+gZPBYPKc5dP8HDp:Q/OF/+Xzbr+2ufVntdd9AlZ5h

Score

10^/10

njrat hacked evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

HacKed

yasser900.zapto.org:1177

Mutex

5cd8f17f4086744065eb0992a09e05a2

Attributes

reg_key
5cd8f17f4086744065eb0992a09e05a2
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
2772	netsh.exe

Executes dropped EXE 3 IoCs

pid	Process
2020	Trojan.exe
2936	Trojan.exe
1900	Trojan.exe

Loads dropped DLL 4 IoCs

pid	Process
2300	308df600b78f72607e05360d2f822d4c.exe
2300	308df600b78f72607e05360d2f822d4c.exe
2020	Trojan.exe
2020	Trojan.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe\" .."	Trojan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe\" .."	Trojan.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1180 set thread context of 2300	1180	308df600b78f72607e05360d2f822d4c.exe	30
PID 2020 set thread context of 1900	2020	Trojan.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 33 IoCs

pid	Process
2020	Trojan.exe
2020	Trojan.exe
1900	Trojan.exe
1900	Trojan.exe
1900	Trojan.exe
1900	Trojan.exe
1900	Trojan.exe
1900	Trojan.exe
1900	Trojan.exe
1900	Trojan.exe
1900	Trojan.exe
1900	Trojan.exe
1900	Trojan.exe
1900	Trojan.exe
1900	Trojan.exe
1900	Trojan.exe
1900	Trojan.exe
1900	Trojan.exe
1900	Trojan.exe
1900	Trojan.exe
1900	Trojan.exe
1900	Trojan.exe
1900	Trojan.exe
1900	Trojan.exe
1900	Trojan.exe
1900	Trojan.exe
1900	Trojan.exe
1900	Trojan.exe
1900	Trojan.exe
1900	Trojan.exe
1900	Trojan.exe
1900	Trojan.exe
1900	Trojan.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1180	308df600b78f72607e05360d2f822d4c.exe
Token: SeDebugPrivilege	2020	Trojan.exe
Token: SeDebugPrivilege	1900	Trojan.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 1180 wrote to memory of 2300	1180	308df600b78f72607e05360d2f822d4c.exe	30
PID 1180 wrote to memory of 2300	1180	308df600b78f72607e05360d2f822d4c.exe	30
PID 1180 wrote to memory of 2300	1180	308df600b78f72607e05360d2f822d4c.exe	30
PID 1180 wrote to memory of 2300	1180	308df600b78f72607e05360d2f822d4c.exe	30
PID 1180 wrote to memory of 2300	1180	308df600b78f72607e05360d2f822d4c.exe	30
PID 1180 wrote to memory of 2300	1180	308df600b78f72607e05360d2f822d4c.exe	30
PID 1180 wrote to memory of 2300	1180	308df600b78f72607e05360d2f822d4c.exe	30
PID 1180 wrote to memory of 2300	1180	308df600b78f72607e05360d2f822d4c.exe	30
PID 1180 wrote to memory of 2300	1180	308df600b78f72607e05360d2f822d4c.exe	30
PID 2300 wrote to memory of 2020	2300	308df600b78f72607e05360d2f822d4c.exe	31
PID 2300 wrote to memory of 2020	2300	308df600b78f72607e05360d2f822d4c.exe	31
PID 2300 wrote to memory of 2020	2300	308df600b78f72607e05360d2f822d4c.exe	31
PID 2300 wrote to memory of 2020	2300	308df600b78f72607e05360d2f822d4c.exe	31
PID 2020 wrote to memory of 2936	2020	Trojan.exe	35
PID 2020 wrote to memory of 2936	2020	Trojan.exe	35
PID 2020 wrote to memory of 2936	2020	Trojan.exe	35
PID 2020 wrote to memory of 2936	2020	Trojan.exe	35
PID 2020 wrote to memory of 1900	2020	Trojan.exe	32
PID 2020 wrote to memory of 1900	2020	Trojan.exe	32
PID 2020 wrote to memory of 1900	2020	Trojan.exe	32
PID 2020 wrote to memory of 1900	2020	Trojan.exe	32
PID 2020 wrote to memory of 1900	2020	Trojan.exe	32
PID 2020 wrote to memory of 1900	2020	Trojan.exe	32
PID 2020 wrote to memory of 1900	2020	Trojan.exe	32
PID 2020 wrote to memory of 1900	2020	Trojan.exe	32
PID 2020 wrote to memory of 1900	2020	Trojan.exe	32
PID 1900 wrote to memory of 2772	1900	Trojan.exe	33
PID 1900 wrote to memory of 2772	1900	Trojan.exe	33
PID 1900 wrote to memory of 2772	1900	Trojan.exe	33
PID 1900 wrote to memory of 2772	1900	Trojan.exe	33

C:\Users\Admin\AppData\Local\Temp\308df600b78f72607e05360d2f822d4c.exe
"C:\Users\Admin\AppData\Local\Temp\308df600b78f72607e05360d2f822d4c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1180
- C:\Users\Admin\AppData\Local\Temp\308df600b78f72607e05360d2f822d4c.exe
  "C:\Users\Admin\AppData\Local\Temp\308df600b78f72607e05360d2f822d4c.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2300
- - C:\Users\Admin\AppData\Local\Temp\Trojan.exe
    "C:\Users\Admin\AppData\Local\Temp\Trojan.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2020
  - - C:\Users\Admin\AppData\Local\Temp\Trojan.exe
      "C:\Users\Admin\AppData\Local\Temp\Trojan.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1900
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Trojan.exe" "Trojan.exe" ENABLE
        5⤵
        Modifies Windows Firewall
        
        PID:2772
  - - C:\Users\Admin\AppData\Local\Temp\Trojan.exe
      "C:\Users\Admin\AppData\Local\Temp\Trojan.exe"
      4⤵
      Executes dropped EXE
      PID:2936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f2a68bfa56b5750b0833adc8dd3ba969

SHA1
61aa239b51830f51543d55bb2589c2a8cd7b99bd

SHA256
de92bb6f1dbff7cbc7286ef8bd8fb7735190ef373bf6bbddfdc4aa1b620d2f8f

SHA512
6fdf5f33a7876ad93576e60903d7ff33f12f7001fa6cd1c6ac1f7b2b0fce9d1de67f9478db89944b9e2cdcc693d4f185a06898f955e72e2a83643d28145efa46

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabDEFC.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE457.tmp

Filesize
81KB

MD5
4dbacca0ff99bbe12b6c68fb0b7bd07e

SHA1
0b19ef2beb9fe25fdd76d4c9bdab5180deaa3c64

SHA256
ad2cf384d7112398e50468f8b1dd30486a7dea425faca2f9f50794a11f1d8a9c

SHA512
f65da2a3d2e4798596721cc8b5e3e87b3042ad010e7fb86a78d033184a1f54159723908acd3b0b5e3a3cd82ced2c3b12fe1bcb38f819386ed44341615d0d7d5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Trojan.exe

Filesize
135KB

MD5
6ea4312ecceaca32dc22a02e762117e7

SHA1
6c9ff332fcc07fb446372de2d0eea63768e8af91

SHA256
52b82ed6002606fde2941abd18470226c75ffea160769a8d77ab5e86a7346a19

SHA512
8f236405c6ff8a64cbb14e5df1dce737a24b52917392886330ffffa2f20e440106d96799d633830ad1a32920c61b12e9cba6567e72a6728225ff2228b624b2aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Trojan.exe

Filesize
189KB

MD5
4064595c5a7c57ca7d314c3800f46f95

SHA1
c7f07dc7d58d3b6cfb3e9f301065d26020edd22d

SHA256
4364858d73ec83d9651556f64248fc5fa4b640555356a5f27e52067229bf0f24

SHA512
549f625008274a40901044a13579e0ffc5d26be239fc9000c8a9ceb534fe4bfacb1d1c86ab3ddfd842f359e83cd0b4130bc8d451eb577ab58677ca79a4ceef86

Download Submit
C:\Users\Admin\AppData\Local\Temp\Trojan.exe

Filesize
69KB

MD5
3348f0a254a3f8be4961e7fe47d7d1f4

SHA1
8058fc9f9128054cfb6ed4b5f5395efe5441bf70

SHA256
08ee97e380bea2f957976b0d478e224c8138c4c80e9f9763a3df3159fb1d23fb

SHA512
ed1dd6ba12fbaedd657889534f7c025563a3c2f55a3fe7f32ea49a48227c94d2f4d8899c52adbe9f8e2935fb81647f283b5ddc6a2eda7d004254af723854b63c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Trojan.exe

Filesize
77KB

MD5
6596e7bce13b2f8e717be3020b73fdd7

SHA1
f1578822084e1b3984a8d2c166c2b191f6581529

SHA256
654827de2f78f453b55623262c18109b701c1181cc804b8a929997deb9ee94fb

SHA512
0ef9eaccfefb37e09a718b8b88f151158b1ac5955c2d2eac857ac147106f070b72669170dbb0b1a42c6df61b8d60c33110ff38db47625062330ff1cb236a347f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Trojan.exe

Filesize
110KB

MD5
01426169637e8983e3319649ee4e382d

SHA1
908af4d53907d9414cd06a7546467b9ad8529876

SHA256
fb69d405d85d6975936260ed3126c9bdc7aafd3f86bbfed7dc6168cd4a830b10

SHA512
c6634c810106018225b29d35580890c92629e6828147faeb04ff4f811b613ee0f97c894393f8d48e48e5a462ff64f8ee11366e4535f47e111af6414c24a7f660

Download Submit
\Users\Admin\AppData\Local\Temp\Trojan.exe

Filesize
170KB

MD5
a9e9031b9f2276d10b823b4b72e0d531

SHA1
8d24dcdf2c41fbe9ab849bc81ee8832c3e5da157

SHA256
3e0fcd4c57a864181fed0d863953a095b6c8b594fd25aedd06cc6dcfc9b18e1e

SHA512
733a4974634c6478028b5e1c611216210eee2fa2cfb407e2c1184975ea5aa164bd97c27a32eae2bdd1a73cab0ca7be7be6eea2c852912692e07a6f7e00f14d52

Download Submit
\Users\Admin\AppData\Local\Temp\Trojan.exe

Filesize
226KB

MD5
308df600b78f72607e05360d2f822d4c

SHA1
7b5fe40d1db2e644408283ee7c706c3cc0bc9fae

SHA256
04a952ad0bd597ba87296363427171c8af52a34d83592d4abbb5d5c97aedda27

SHA512
deed649cc126ee91bf1f3c825f0bf962f11e3c74e6c5c5c5420a5c485636f8a5e3d5417def235aec1a17f486513b55244b6710aa561f81da349a9aa6569c6c8f

Download Submit
\Users\Admin\AppData\Local\Temp\Trojan.exe

Filesize
129KB

MD5
8b2753178beb655071ef6131d2cc1eff

SHA1
f01e1b04a44a48fd83674cc9cf01c4587af9f5b4

SHA256
e7e791dc8e3e0de36f0da94911a767e74f3f8a40ffb0bdbaa8f8a821771174dd

SHA512
dafa4d7ee2ab622b939498e7f50d0b9462392eea9c54d0deaac4daef216b0d7997a45673c4537371a24f1d21cd41e8743eb671635d3f3acce7751f07747ab207

Download Submit
\Users\Admin\AppData\Local\Temp\Trojan.exe

Filesize
42KB

MD5
ad7d9d80d2f0e90995e43d145101be4f

SHA1
a1a04d6dc87894c13ed8e73b46d7252ca92f8b8a

SHA256
9b2cc692d6dffcb70068c2233156bf70d1419f9c65fd6cdb3bfc3ffbff8b8ff0

SHA512
d4451c0d87ea825c56ef318a3bdbb0d81f814e921b72f097e8b32b6d2e049409b3f94ef3ae4ffb7e9fc170140d96a5d25cf08d9962e57010d35ffe83bff099d0

Download Submit
memory/1180-1-0x0000000074C00000-0x00000000751AB000-memory.dmp

Filesize
5.7MB

Download
memory/1180-31-0x0000000074C00000-0x00000000751AB000-memory.dmp

Filesize
5.7MB

Download
memory/1180-2-0x00000000021B0000-0x00000000021F0000-memory.dmp

Filesize
256KB

Download
memory/1180-0-0x0000000074C00000-0x00000000751AB000-memory.dmp

Filesize
5.7MB

Download
memory/1900-93-0x0000000002110000-0x0000000002150000-memory.dmp

Filesize
256KB

Download
memory/1900-90-0x0000000002110000-0x0000000002150000-memory.dmp

Filesize
256KB

Download
memory/1900-80-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1900-91-0x0000000074C00000-0x00000000751AB000-memory.dmp

Filesize
5.7MB

Download
memory/1900-92-0x0000000074C00000-0x00000000751AB000-memory.dmp

Filesize
5.7MB

Download
memory/1900-89-0x0000000074C00000-0x00000000751AB000-memory.dmp

Filesize
5.7MB

Download
memory/1900-94-0x0000000002110000-0x0000000002150000-memory.dmp

Filesize
256KB

Download
memory/2020-88-0x0000000074C00000-0x00000000751AB000-memory.dmp

Filesize
5.7MB

Download
memory/2020-50-0x0000000000100000-0x0000000000140000-memory.dmp

Filesize
256KB

Download
memory/2020-49-0x0000000074C00000-0x00000000751AB000-memory.dmp

Filesize
5.7MB

Download
memory/2020-59-0x0000000074C00000-0x00000000751AB000-memory.dmp

Filesize
5.7MB

Download
memory/2300-37-0x0000000074C00000-0x00000000751AB000-memory.dmp

Filesize
5.7MB

Download
memory/2300-48-0x0000000074C00000-0x00000000751AB000-memory.dmp

Filesize
5.7MB

Download
memory/2300-23-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2300-32-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2300-29-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2300-19-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2300-36-0x0000000000240000-0x0000000000280000-memory.dmp

Filesize
256KB

Download
memory/2300-35-0x0000000074C00000-0x00000000751AB000-memory.dmp

Filesize
5.7MB

Download
memory/2300-21-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2300-25-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2300-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2300-34-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download