njrat | ee9fd41093ef9d4e21a78ab987df6ad42a6fa5dcea7ebd9c5ff1e1f388720d8e

General

Target

a3ff56835b4bd0e80f6e95fbfc741a8e.exe
Size

104KB
MD5

a3ff56835b4bd0e80f6e95fbfc741a8e
SHA1

8af2b8e66107890df87a3c6ee9a5712228f95d8a
SHA256

ee9fd41093ef9d4e21a78ab987df6ad42a6fa5dcea7ebd9c5ff1e1f388720d8e
SHA512

1dbc80bccb87b4f1330a783fb4c2c7840cec6d9c280c261c8df2d8bdd4188ca1e779665f00cb35440660f70e95a06f178387aa113803ef0581dd2d658694107b
SSDEEP

1536:+eS3Yzxx6ZTD9Um9UoCONGAho+nuzGHRbVV3jEbgkxpPNOf5uze3S:+eS3Yzxx6R63ahJn9RStUYzeC

Score

10^/10

njrat system persistence trojan

Malware Config

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

system

C2

4.tcp.ngrok.io:14964

Mutex

Windows Update

Attributes

reg_key
Windows Update
splitter
|Hassan|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

a3ff56835b4bd0e80f6e95fbfc741a8e.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ZbECSrTmBt = "C:\\Users\\Admin\\AppData\\Roaming\\LzYAJeGoJn\\jHHCSpKiYF.exe"	a3ff56835b4bd0e80f6e95fbfc741a8e.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of SetThreadContext 1 IoCs

Processes:

a3ff56835b4bd0e80f6e95fbfc741a8e.exe

description pid process target process

PID 3652 set thread context of 3660 3652 a3ff56835b4bd0e80f6e95fbfc741a8e.exe a3ff56835b4bd0e80f6e95fbfc741a8e.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

a3ff56835b4bd0e80f6e95fbfc741a8e.exe

pid process

3652 a3ff56835b4bd0e80f6e95fbfc741a8e.exe
3652 a3ff56835b4bd0e80f6e95fbfc741a8e.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

a3ff56835b4bd0e80f6e95fbfc741a8e.exe

pid process

3660 a3ff56835b4bd0e80f6e95fbfc741a8e.exe

description	pid	process	target process
PID 3652 set thread context of 3660	3652	a3ff56835b4bd0e80f6e95fbfc741a8e.exe	a3ff56835b4bd0e80f6e95fbfc741a8e.exe

pid	process
3652	a3ff56835b4bd0e80f6e95fbfc741a8e.exe
3652	a3ff56835b4bd0e80f6e95fbfc741a8e.exe

pid	process
3660	a3ff56835b4bd0e80f6e95fbfc741a8e.exe

Suspicious use of AdjustPrivilegeToken 38 IoCs

Processes:

a3ff56835b4bd0e80f6e95fbfc741a8e.exea3ff56835b4bd0e80f6e95fbfc741a8e.exe

description	pid	process
Token: SeDebugPrivilege	3652	a3ff56835b4bd0e80f6e95fbfc741a8e.exe
Token: SeDebugPrivilege	3660	a3ff56835b4bd0e80f6e95fbfc741a8e.exe
Token: 33	3660	a3ff56835b4bd0e80f6e95fbfc741a8e.exe
Token: SeIncBasePriorityPrivilege	3660	a3ff56835b4bd0e80f6e95fbfc741a8e.exe
Token: 33	3660	a3ff56835b4bd0e80f6e95fbfc741a8e.exe
Token: SeIncBasePriorityPrivilege	3660	a3ff56835b4bd0e80f6e95fbfc741a8e.exe
Token: 33	3660	a3ff56835b4bd0e80f6e95fbfc741a8e.exe
Token: SeIncBasePriorityPrivilege	3660	a3ff56835b4bd0e80f6e95fbfc741a8e.exe
Token: 33	3660	a3ff56835b4bd0e80f6e95fbfc741a8e.exe
Token: SeIncBasePriorityPrivilege	3660	a3ff56835b4bd0e80f6e95fbfc741a8e.exe
Token: 33	3660	a3ff56835b4bd0e80f6e95fbfc741a8e.exe
Token: SeIncBasePriorityPrivilege	3660	a3ff56835b4bd0e80f6e95fbfc741a8e.exe
Token: 33	3660	a3ff56835b4bd0e80f6e95fbfc741a8e.exe
Token: SeIncBasePriorityPrivilege	3660	a3ff56835b4bd0e80f6e95fbfc741a8e.exe
Token: 33	3660	a3ff56835b4bd0e80f6e95fbfc741a8e.exe
Token: SeIncBasePriorityPrivilege	3660	a3ff56835b4bd0e80f6e95fbfc741a8e.exe
Token: 33	3660	a3ff56835b4bd0e80f6e95fbfc741a8e.exe
Token: SeIncBasePriorityPrivilege	3660	a3ff56835b4bd0e80f6e95fbfc741a8e.exe
Token: 33	3660	a3ff56835b4bd0e80f6e95fbfc741a8e.exe
Token: SeIncBasePriorityPrivilege	3660	a3ff56835b4bd0e80f6e95fbfc741a8e.exe
Token: 33	3660	a3ff56835b4bd0e80f6e95fbfc741a8e.exe
Token: SeIncBasePriorityPrivilege	3660	a3ff56835b4bd0e80f6e95fbfc741a8e.exe
Token: 33	3660	a3ff56835b4bd0e80f6e95fbfc741a8e.exe
Token: SeIncBasePriorityPrivilege	3660	a3ff56835b4bd0e80f6e95fbfc741a8e.exe
Token: 33	3660	a3ff56835b4bd0e80f6e95fbfc741a8e.exe
Token: SeIncBasePriorityPrivilege	3660	a3ff56835b4bd0e80f6e95fbfc741a8e.exe
Token: 33	3660	a3ff56835b4bd0e80f6e95fbfc741a8e.exe
Token: SeIncBasePriorityPrivilege	3660	a3ff56835b4bd0e80f6e95fbfc741a8e.exe
Token: 33	3660	a3ff56835b4bd0e80f6e95fbfc741a8e.exe
Token: SeIncBasePriorityPrivilege	3660	a3ff56835b4bd0e80f6e95fbfc741a8e.exe
Token: 33	3660	a3ff56835b4bd0e80f6e95fbfc741a8e.exe
Token: SeIncBasePriorityPrivilege	3660	a3ff56835b4bd0e80f6e95fbfc741a8e.exe
Token: 33	3660	a3ff56835b4bd0e80f6e95fbfc741a8e.exe
Token: SeIncBasePriorityPrivilege	3660	a3ff56835b4bd0e80f6e95fbfc741a8e.exe
Token: 33	3660	a3ff56835b4bd0e80f6e95fbfc741a8e.exe
Token: SeIncBasePriorityPrivilege	3660	a3ff56835b4bd0e80f6e95fbfc741a8e.exe
Token: 33	3660	a3ff56835b4bd0e80f6e95fbfc741a8e.exe
Token: SeIncBasePriorityPrivilege	3660	a3ff56835b4bd0e80f6e95fbfc741a8e.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

a3ff56835b4bd0e80f6e95fbfc741a8e.exe

description	pid	process	target process
PID 3652 wrote to memory of 1120	3652	a3ff56835b4bd0e80f6e95fbfc741a8e.exe	a3ff56835b4bd0e80f6e95fbfc741a8e.exe
PID 3652 wrote to memory of 1120	3652	a3ff56835b4bd0e80f6e95fbfc741a8e.exe	a3ff56835b4bd0e80f6e95fbfc741a8e.exe
PID 3652 wrote to memory of 1120	3652	a3ff56835b4bd0e80f6e95fbfc741a8e.exe	a3ff56835b4bd0e80f6e95fbfc741a8e.exe
PID 3652 wrote to memory of 3660	3652	a3ff56835b4bd0e80f6e95fbfc741a8e.exe	a3ff56835b4bd0e80f6e95fbfc741a8e.exe
PID 3652 wrote to memory of 3660	3652	a3ff56835b4bd0e80f6e95fbfc741a8e.exe	a3ff56835b4bd0e80f6e95fbfc741a8e.exe
PID 3652 wrote to memory of 3660	3652	a3ff56835b4bd0e80f6e95fbfc741a8e.exe	a3ff56835b4bd0e80f6e95fbfc741a8e.exe
PID 3652 wrote to memory of 3660	3652	a3ff56835b4bd0e80f6e95fbfc741a8e.exe	a3ff56835b4bd0e80f6e95fbfc741a8e.exe
PID 3652 wrote to memory of 3660	3652	a3ff56835b4bd0e80f6e95fbfc741a8e.exe	a3ff56835b4bd0e80f6e95fbfc741a8e.exe
PID 3652 wrote to memory of 3660	3652	a3ff56835b4bd0e80f6e95fbfc741a8e.exe	a3ff56835b4bd0e80f6e95fbfc741a8e.exe
PID 3652 wrote to memory of 3660	3652	a3ff56835b4bd0e80f6e95fbfc741a8e.exe	a3ff56835b4bd0e80f6e95fbfc741a8e.exe
PID 3652 wrote to memory of 3660	3652	a3ff56835b4bd0e80f6e95fbfc741a8e.exe	a3ff56835b4bd0e80f6e95fbfc741a8e.exe

C:\Users\Admin\AppData\Local\Temp\a3ff56835b4bd0e80f6e95fbfc741a8e.exe
"C:\Users\Admin\AppData\Local\Temp\a3ff56835b4bd0e80f6e95fbfc741a8e.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3652

C:\Users\Admin\AppData\Local\Temp\a3ff56835b4bd0e80f6e95fbfc741a8e.exe
"C:\Users\Admin\AppData\Local\Temp\a3ff56835b4bd0e80f6e95fbfc741a8e.exe"
2⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3660

C:\Users\Admin\AppData\Local\Temp\a3ff56835b4bd0e80f6e95fbfc741a8e.exe
"C:\Users\Admin\AppData\Local\Temp\a3ff56835b4bd0e80f6e95fbfc741a8e.exe"
2⤵
PID:1120

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\a3ff56835b4bd0e80f6e95fbfc741a8e.exe.log
Filesize
507B

MD5
8cf94b5356be60247d331660005941ec

SHA1
fdedb361f40f22cb6a086c808fc0056d4e421131

SHA256
52a5b2d36f2b72cb02c695cf7ef46444dda73d4ea82a73e0894c805fa9987bc0

SHA512
b886dfc8bf03f8627f051fb6e2ac40ae2e7713584695a365728eb2e2c87217830029aa35bd129c642fa03dde3f7a7dd5690b16248676be60a6bb5f497fb23651

Download Submit
memory/3652-4-0x00000000051D0000-0x0000000005262000-memory.dmp

Filesize
584KB

Download
memory/3652-2-0x0000000005100000-0x0000000005110000-memory.dmp

Filesize
64KB

Download
memory/3652-0-0x0000000000710000-0x0000000000730000-memory.dmp

Filesize
128KB

Download
memory/3652-5-0x0000000005270000-0x000000000530C000-memory.dmp

Filesize
624KB

Download
memory/3652-7-0x00000000050D0000-0x00000000050DA000-memory.dmp

Filesize
40KB

Download
memory/3652-16-0x00000000751C0000-0x0000000075970000-memory.dmp

Filesize
7.7MB

Download
memory/3652-3-0x0000000005780000-0x0000000005D24000-memory.dmp

Filesize
5.6MB

Download
memory/3652-1-0x00000000751C0000-0x0000000075970000-memory.dmp

Filesize
7.7MB

Download
memory/3660-8-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3660-11-0x00000000751C0000-0x0000000075970000-memory.dmp

Filesize
7.7MB

Download
memory/3660-13-0x00000000055A0000-0x00000000055AA000-memory.dmp

Filesize
40KB

Download
memory/3660-14-0x0000000005910000-0x0000000005976000-memory.dmp

Filesize
408KB

Download
memory/3660-15-0x0000000006930000-0x0000000006948000-memory.dmp

Filesize
96KB

Download
memory/3660-12-0x00000000055C0000-0x00000000055D0000-memory.dmp

Filesize
64KB

Download
memory/3660-17-0x00000000751C0000-0x0000000075970000-memory.dmp

Filesize
7.7MB

Download
memory/3660-18-0x00000000055C0000-0x00000000055D0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads