njrat | ee9fd41093ef9d4e21a78ab987df6ad42a6fa5dcea7ebd9c5ff1e1f388720d8e

General

Target

a3ff56835b4bd0e80f6e95fbfc741a8e.exe
Size

104KB
MD5

a3ff56835b4bd0e80f6e95fbfc741a8e
SHA1

8af2b8e66107890df87a3c6ee9a5712228f95d8a
SHA256

ee9fd41093ef9d4e21a78ab987df6ad42a6fa5dcea7ebd9c5ff1e1f388720d8e
SHA512

1dbc80bccb87b4f1330a783fb4c2c7840cec6d9c280c261c8df2d8bdd4188ca1e779665f00cb35440660f70e95a06f178387aa113803ef0581dd2d658694107b
SSDEEP

1536:+eS3Yzxx6ZTD9Um9UoCONGAho+nuzGHRbVV3jEbgkxpPNOf5uze3S:+eS3Yzxx6R63ahJn9RStUYzeC

Score

10^/10

njrat system persistence trojan

Malware Config

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

system

C2

4.tcp.ngrok.io:14964

Mutex

Windows Update

Attributes

reg_key
Windows Update
splitter
|Hassan|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

a3ff56835b4bd0e80f6e95fbfc741a8e.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ZbECSrTmBt = "C:\\Users\\Admin\\AppData\\Roaming\\LzYAJeGoJn\\jHHCSpKiYF.exe"	a3ff56835b4bd0e80f6e95fbfc741a8e.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of SetThreadContext 1 IoCs

Processes:

a3ff56835b4bd0e80f6e95fbfc741a8e.exe

description pid process target process

PID 2428 set thread context of 2816 2428 a3ff56835b4bd0e80f6e95fbfc741a8e.exe a3ff56835b4bd0e80f6e95fbfc741a8e.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

a3ff56835b4bd0e80f6e95fbfc741a8e.exe

pid process

2816 a3ff56835b4bd0e80f6e95fbfc741a8e.exe

description	pid	process	target process
PID 2428 set thread context of 2816	2428	a3ff56835b4bd0e80f6e95fbfc741a8e.exe	a3ff56835b4bd0e80f6e95fbfc741a8e.exe

pid	process
2816	a3ff56835b4bd0e80f6e95fbfc741a8e.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

a3ff56835b4bd0e80f6e95fbfc741a8e.exe

description	pid	process	target process
PID 2428 wrote to memory of 2816	2428	a3ff56835b4bd0e80f6e95fbfc741a8e.exe	a3ff56835b4bd0e80f6e95fbfc741a8e.exe
PID 2428 wrote to memory of 2816	2428	a3ff56835b4bd0e80f6e95fbfc741a8e.exe	a3ff56835b4bd0e80f6e95fbfc741a8e.exe
PID 2428 wrote to memory of 2816	2428	a3ff56835b4bd0e80f6e95fbfc741a8e.exe	a3ff56835b4bd0e80f6e95fbfc741a8e.exe
PID 2428 wrote to memory of 2816	2428	a3ff56835b4bd0e80f6e95fbfc741a8e.exe	a3ff56835b4bd0e80f6e95fbfc741a8e.exe
PID 2428 wrote to memory of 2816	2428	a3ff56835b4bd0e80f6e95fbfc741a8e.exe	a3ff56835b4bd0e80f6e95fbfc741a8e.exe
PID 2428 wrote to memory of 2816	2428	a3ff56835b4bd0e80f6e95fbfc741a8e.exe	a3ff56835b4bd0e80f6e95fbfc741a8e.exe
PID 2428 wrote to memory of 2816	2428	a3ff56835b4bd0e80f6e95fbfc741a8e.exe	a3ff56835b4bd0e80f6e95fbfc741a8e.exe
PID 2428 wrote to memory of 2816	2428	a3ff56835b4bd0e80f6e95fbfc741a8e.exe	a3ff56835b4bd0e80f6e95fbfc741a8e.exe
PID 2428 wrote to memory of 2816	2428	a3ff56835b4bd0e80f6e95fbfc741a8e.exe	a3ff56835b4bd0e80f6e95fbfc741a8e.exe

C:\Users\Admin\AppData\Local\Temp\a3ff56835b4bd0e80f6e95fbfc741a8e.exe
"C:\Users\Admin\AppData\Local\Temp\a3ff56835b4bd0e80f6e95fbfc741a8e.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2428

C:\Users\Admin\AppData\Local\Temp\a3ff56835b4bd0e80f6e95fbfc741a8e.exe
"C:\Users\Admin\AppData\Local\Temp\a3ff56835b4bd0e80f6e95fbfc741a8e.exe"
2⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:2816

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2428-0-0x0000000001330000-0x0000000001350000-memory.dmp

Filesize
128KB

Download
memory/2428-1-0x0000000074C70000-0x000000007535E000-memory.dmp

Filesize
6.9MB

Download
memory/2428-2-0x0000000004C10000-0x0000000004C50000-memory.dmp

Filesize
256KB

Download
memory/2428-4-0x0000000000410000-0x000000000041A000-memory.dmp

Filesize
40KB

Download
memory/2428-18-0x0000000074C70000-0x000000007535E000-memory.dmp

Filesize
6.9MB

Download
memory/2816-19-0x0000000074C70000-0x000000007535E000-memory.dmp

Filesize
6.9MB

Download
memory/2816-20-0x00000000012C0000-0x0000000001300000-memory.dmp

Filesize
256KB

Download
memory/2816-17-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2816-15-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2816-13-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2816-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2816-9-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2816-7-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2816-6-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2816-5-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2816-21-0x0000000074C70000-0x000000007535E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads