njrat | bee0493124ea93b12b32dfa376355d2cae6d81ce736732ffbe091e33e1668f2f

General

Target

378a4914e5bae07027c76524b9d9f7fe.exe
Size

402KB
MD5

378a4914e5bae07027c76524b9d9f7fe
SHA1

b6bc0e5ae3c8de4ecc6e44d8c72fe683f28bec43
SHA256

bee0493124ea93b12b32dfa376355d2cae6d81ce736732ffbe091e33e1668f2f
SHA512

9e29333f3eeafa3c1f1e98d050e6aa125e347d11024e395ba17799772b454338451025f9c6fc219d030b5519cf020f2816af5ddd3b02fa87c6b5f9ba13cd60e5
SSDEEP

6144:amaKVBGmE84IMNv55giU0pKiFYHxfx15RvOagakZBxkTN2gmeGcFnVQb/DAYbDgl:jSmLAuEY71fviagATFmebVQDcYc5

Score

10^/10

njrat pdf evasion trojan upx

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

pdf

C2

hhhmach.ddns.net:1177

Mutex

5cd8f17f4086744065eb0992a09e05a2

Attributes

reg_key
5cd8f17f4086744065eb0992a09e05a2
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
3800	netsh.exe

Executes dropped EXE 1 IoCs

pid	Process
1188	test.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4216-0-0x0000000000400000-0x00000000004FB000-memory.dmp	upx
behavioral2/memory/4216-22-0x0000000000400000-0x00000000004FB000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
840	4216	WerFault.exe	19
3580	4216	WerFault.exe	19

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4216 wrote to memory of 3704	4216	378a4914e5bae07027c76524b9d9f7fe.exe	30
PID 4216 wrote to memory of 3704	4216	378a4914e5bae07027c76524b9d9f7fe.exe	30
PID 4216 wrote to memory of 3704	4216	378a4914e5bae07027c76524b9d9f7fe.exe	30
PID 3704 wrote to memory of 1188	3704	cmd.exe	31
PID 3704 wrote to memory of 1188	3704	cmd.exe	31
PID 3704 wrote to memory of 1188	3704	cmd.exe	31

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4216 -ip 4216
1⤵
PID:4696

C:\Users\Admin\AppData\Local\Temp\378a4914e5bae07027c76524b9d9f7fe.exe
"C:\Users\Admin\AppData\Local\Temp\378a4914e5bae07027c76524b9d9f7fe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4216
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4216 -s 244
  2⤵
  - Program crash
  PID:840
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c test.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3704
- - C:\Users\Admin\AppData\Local\Temp\test.exe
    test.exe
    3⤵
    - Executes dropped EXE
    PID:1188
  - - C:\Users\Admin\AppData\Local\Temp\Trojan.exe
      "C:\Users\Admin\AppData\Local\Temp\Trojan.exe"
      4⤵
      PID:2304
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4216 -s 164
  2⤵
  - Program crash
  PID:3580

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Trojan.exe" "Trojan.exe" ENABLE
1⤵
- Modifies Windows Firewall
PID:3800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4216 -ip 4216
1⤵
PID:3708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Trojan.exe

Filesize
33KB

MD5
b589cda8941698c0328a7eba15af656e

SHA1
8dc480e34cdda64db1ee6d312324c3cd212d5c83

SHA256
575e30db708b1c52ca9c038f27b24b07d2210dc8b79efe479ad579671ae08941

SHA512
d1569243ea0aade7ce74061aafb9c29f5bd23e9f9d8ba05e42f7eb7af8afe39fed0db670cbd26f2a6b98156d7c3d2efcc92c89edb0ae93b86332ab43c202a274

Download Submit
C:\Users\Admin\AppData\Local\Temp\Trojan.exe

Filesize
33KB

MD5
1c293961f8ac1f7ab77a1123773f9d30

SHA1
7ef6da0ea04e8cf7ed85c6d86f48b96fec0d7821

SHA256
89d1c0383c6f5cf066bf51115fc318f355c0e802212269485d1b5d5073d6db5c

SHA512
7cf4231719599a1e9899ad103a45ee11519459d414775036e4ba646cd9126200d489d7f738fefedfa3dfc5ada45b193dca3a5f91b564c1ac8a6bca3c963d8acc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Trojan.exe

Filesize
68KB

MD5
195c352fd94623f47bf596b6beb0605f

SHA1
69c0cc275a3bf7e69b5c0624c919db6a7eae726c

SHA256
27483de2dc70f44c855ecd2998a9dcbdf853070b85c2338adb6f6d687a43080b

SHA512
fb1a603b7b411dd75583c8a220bcb406a45e2f6e3e70a8335c238f42ac1fef42eacf4f49b76d4c42f3d323df586ac1c4af9cc8a5bb1fd3d3261d2d0d3e23b062

Download Submit
C:\Users\Admin\AppData\Local\Temp\test.exe

Filesize
58KB

MD5
75ea7abcc30ed1c33559061dc85c72f7

SHA1
d118205db1166c13b3bbbc2bb6cd248e519c72d2

SHA256
8f5f5aa0c64b085746c13ff80a9a691070910af7c8651aa04dce2758ffb61ca2

SHA512
8fdcd8d79dab3c42e385924e230503434e1037ab1a29672ec34d6c23abb0961516d95689b7f55166b08113a7c91e905f7e7eb4bd5aa9d666a33989ea662d0512

Download Submit
C:\Users\Admin\AppData\Local\Temp\test.exe

Filesize
9KB

MD5
f53f841bb49937b64c3980f188c0bc1d

SHA1
5bcb1ddb613c63160944795d4704c7294d91da29

SHA256
6e8a4a023d23348c99a7d7dcd323ac3f3537f50e75327c1290cd60ed2b0d7022

SHA512
504e73f36256441c75b9b3150cffd0328afc4ab3aec9c8c0220c31959b6772cd4a1f311298c5a9222a07ae8538fbb9ec74f58016e157925265864d62a1401a06

Download Submit
memory/1188-7-0x0000000000B90000-0x0000000000BA0000-memory.dmp

Filesize
64KB

Download
memory/1188-6-0x0000000074C90000-0x0000000075241000-memory.dmp

Filesize
5.7MB

Download
memory/1188-17-0x0000000074C90000-0x0000000075241000-memory.dmp

Filesize
5.7MB

Download
memory/1188-5-0x0000000074C90000-0x0000000075241000-memory.dmp

Filesize
5.7MB

Download
memory/2304-18-0x0000000074C90000-0x0000000075241000-memory.dmp

Filesize
5.7MB

Download
memory/2304-20-0x0000000074C90000-0x0000000075241000-memory.dmp

Filesize
5.7MB

Download
memory/2304-19-0x00000000011C0000-0x00000000011D0000-memory.dmp

Filesize
64KB

Download
memory/2304-24-0x00000000011C0000-0x00000000011D0000-memory.dmp

Filesize
64KB

Download
memory/2304-23-0x0000000074C90000-0x0000000075241000-memory.dmp

Filesize
5.7MB

Download
memory/4216-22-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/4216-0-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads