njrat | 7f87b2efb3dc694da0b65f3742aa77ffd637c5efa155d564f93d127768d34036

Analysis

max time kernel
69s
max time network
146s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
31-12-2023 19:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3ae62580f5aa1991404d2f948e82f720.exe
Size

876KB
MD5

3ae62580f5aa1991404d2f948e82f720
SHA1

5e10758d2fe22c8abc1de1e1eabb5e78f2821c23
SHA256

7f87b2efb3dc694da0b65f3742aa77ffd637c5efa155d564f93d127768d34036
SHA512

1a1b60a22317c900d38559ee489a1596fe0e702e05cc8686ee1081881c37c607d38ad7aec52c1d8e15b69b56443554fe07f74325145db5c666c88fb5edcfd77d
SSDEEP

12288:c5O5H7IXHwpg9vQutzWIbBrzvDoBCZQnWWm:c4O74ISIbBciWWW

Score

10^/10

njrat nyan cat trojan

Malware Config

Extracted

Family

njrat

Version

0.7NC

Botnet

NYAN CAT

gbarpresencewriterststart.duckdns.org:8651

Mutex

39b8c92c149

Attributes

reg_key
39b8c92c149
splitter
@!#&^%$

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2716	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\3ae62580f5aa1991404d2f948e82f720.exe
"C:\Users\Admin\AppData\Local\Temp\3ae62580f5aa1991404d2f948e82f720.exe"
1⤵
PID:944
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3ae62580f5aa1991404d2f948e82f720.exe"
  2⤵
  PID:2568
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LdGlhD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA4D.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:2716
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  PID:2852
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\LdGlhD.exe"
  2⤵
  PID:2840
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\LdGlhD.exe"
  2⤵
  PID:1300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpA4D.tmp

Filesize
1KB

MD5
2469f92fbd4be742f26ad67e6bb34d44

SHA1
01daf01ebec5d60e8faa4c4c0b3ca51c46ad69e4

SHA256
bb58628486c4687131313e7b4db81046f31479b386e817a0c8497aa758f482fb

SHA512
7d13e510e3d68e5a749130975c52d162a3e19587d85f96fea3f549362854fc26714d13b70a2eafb5867b24b3224ec1482373bcd3be4501703f576d6140a2ca4e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
e44d43d8eebcc5ceab8662903c4a6902

SHA1
c5376528bf3b81bf7388a502a08c5e42a1d7a8da

SHA256
a60744784d7f5602ccdded43d0772755c5792888e6d444cd82234b8c0758783e

SHA512
b339352909e736f0d51fd6b562120a0c9a33f6fd2df16f4996bd6b71dd2ffd7fa62d2e9856f99c68643d52f5a1c85654976e9262ded74bd9c03c6abf93b149dc

Download Submit
memory/944-4-0x0000000073FD0000-0x00000000746BE000-memory.dmp

Filesize
6.9MB

Download
memory/944-55-0x0000000073FD0000-0x00000000746BE000-memory.dmp

Filesize
6.9MB

Download
memory/944-1-0x0000000073FD0000-0x00000000746BE000-memory.dmp

Filesize
6.9MB

Download
memory/944-5-0x0000000004DE0000-0x0000000004E20000-memory.dmp

Filesize
256KB

Download
memory/944-7-0x00000000004A0000-0x00000000004AE000-memory.dmp

Filesize
56KB

Download
memory/944-6-0x00000000004E0000-0x000000000055E000-memory.dmp

Filesize
504KB

Download
memory/944-2-0x0000000004DE0000-0x0000000004E20000-memory.dmp

Filesize
256KB

Download
memory/944-3-0x0000000000250000-0x000000000026E000-memory.dmp

Filesize
120KB

Download
memory/944-0-0x0000000000E40000-0x0000000000F20000-memory.dmp

Filesize
896KB

Download
memory/1300-56-0x000000006EAB0000-0x000000006F05B000-memory.dmp

Filesize
5.7MB

Download
memory/1300-47-0x000000006EAB0000-0x000000006F05B000-memory.dmp

Filesize
5.7MB

Download
memory/1300-26-0x0000000002A90000-0x0000000002AD0000-memory.dmp

Filesize
256KB

Download
memory/1300-38-0x0000000002A90000-0x0000000002AD0000-memory.dmp

Filesize
256KB

Download
memory/1300-32-0x000000006EAB0000-0x000000006F05B000-memory.dmp

Filesize
5.7MB

Download
memory/1300-34-0x0000000002A90000-0x0000000002AD0000-memory.dmp

Filesize
256KB

Download
memory/2568-22-0x000000006EAB0000-0x000000006F05B000-memory.dmp

Filesize
5.7MB

Download
memory/2568-36-0x00000000027C0000-0x0000000002800000-memory.dmp

Filesize
256KB

Download
memory/2568-57-0x000000006EAB0000-0x000000006F05B000-memory.dmp

Filesize
5.7MB

Download
memory/2568-24-0x00000000027C0000-0x0000000002800000-memory.dmp

Filesize
256KB

Download
memory/2568-20-0x000000006EAB0000-0x000000006F05B000-memory.dmp

Filesize
5.7MB

Download
memory/2568-21-0x00000000027C0000-0x0000000002800000-memory.dmp

Filesize
256KB

Download
memory/2840-40-0x0000000002A80000-0x0000000002AC0000-memory.dmp

Filesize
256KB

Download
memory/2840-43-0x000000006EAB0000-0x000000006F05B000-memory.dmp

Filesize
5.7MB

Download
memory/2840-45-0x0000000002A80000-0x0000000002AC0000-memory.dmp

Filesize
256KB

Download
memory/2840-49-0x000000006EAB0000-0x000000006F05B000-memory.dmp

Filesize
5.7MB

Download
memory/2840-58-0x000000006EAB0000-0x000000006F05B000-memory.dmp

Filesize
5.7MB

Download
memory/2852-41-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2852-54-0x0000000073FD0000-0x00000000746BE000-memory.dmp

Filesize
6.9MB

Download
memory/2852-51-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2852-53-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2852-48-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2852-44-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2852-37-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2852-33-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2852-25-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2852-59-0x0000000004920000-0x0000000004960000-memory.dmp

Filesize
256KB

Download
memory/2852-60-0x0000000073FD0000-0x00000000746BE000-memory.dmp

Filesize
6.9MB

Download
memory/2852-61-0x0000000004920000-0x0000000004960000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads