njrat | ae4803897d99ebbce5ef7bb65155c70aa8496188c769f9b5829aee8d62ec8d82

Resubmissions

09/01/2024, 14:58

240109-scl1zaebd2 10

Analysis

max time kernel
125s
max time network
153s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
09/01/2024, 14:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

MonkeModManager.exe
Size

146KB
MD5

81933ce5ca9beb8efb6c431bc6505361
SHA1

7f88cc2b8e40a2f485f9062fc8bba4ac2793c20a
SHA256

ae4803897d99ebbce5ef7bb65155c70aa8496188c769f9b5829aee8d62ec8d82
SHA512

debad62cb7928bafc1aebf84933fe64afe7dfea06ef01588509ec7b4283a4a07eed584f40e28e40c626295c3b357b469397a664e65b90cf04d530531daddd4a8
SSDEEP

1536:z3rY49c1TiyDZESAkt4+UM3upJ7ak5C3kIJfmGY9lToGI7J3z+InbSPqZuBsv032:brYlEkXb+pJWkjbI936aSPqZuE090

Score

10^/10

njrat remcos hacked host evasion persistence rat trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

hakim32.ddns.net:2000

dead-reviewer.gl.at.ply.gg:60161

Mutex

90319c19387bbc36810cf2f727f01c05

Attributes

reg_key
90319c19387bbc36810cf2f727f01c05
splitter
|'|'|

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

shall-someone.gl.at.ply.gg:60408

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
true
hide_keylog_file
true
install_flag
true
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
vindevs
keylog_path
%AppData%
mouse_option
false
mutex
remcos_kixjmsbwpikjkoa
screenshot_crypt
true
screenshot_flag
true
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
60
startup_value
Dlscord
take_screenshot_option
false
take_screenshot_time
5

Signatures

Modifies WinLogon for persistence 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	remcos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	remcos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	Gebrrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	Gebrrr.exe

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Gebrrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Dlscord = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	Gebrrr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	remcos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Dlscord = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	remcos.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
1332	netsh.exe

Drops startup file 6 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\90319c19387bbc36810cf2f727f01c05Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\90319c19387bbc36810cf2f727f01c05Windows Update.exe	server.exe

Executes dropped EXE 4 IoCs

pid	Process
2876	Gebrrr.exe
2716	Sczbl.bat
2852	remcos.exe
1676	server.exe

Loads dropped DLL 4 IoCs

pid	Process
2628	cmd.exe
2628	cmd.exe
2716	Sczbl.bat
2716	Sczbl.bat

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Dlscord = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	Gebrrr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\Dlscord = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	remcos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Dlscord = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	remcos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\Dlscord = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	Gebrrr.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	Gebrrr.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	remcos.exe

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	C:\autorun.inf	server.exe
File opened for modification	C:\autorun.inf	server.exe
File created	F:\autorun.inf	server.exe
File opened for modification	F:\autorun.inf	server.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2852 set thread context of 2892	2852	remcos.exe	35

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1592	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1676	server.exe
1676	server.exe
1676	server.exe
1676	server.exe
1676	server.exe
1676	server.exe
1676	server.exe
1676	server.exe
1676	server.exe
1676	server.exe
1676	server.exe
1676	server.exe
1676	server.exe
1676	server.exe
1676	server.exe
1676	server.exe
1676	server.exe
1676	server.exe
1676	server.exe
1676	server.exe
1676	server.exe
1676	server.exe
1676	server.exe
1676	server.exe
1676	server.exe
1676	server.exe
1676	server.exe
1676	server.exe
1676	server.exe
1676	server.exe
1676	server.exe
1676	server.exe
1676	server.exe
1676	server.exe
1676	server.exe
1676	server.exe
1676	server.exe
1676	server.exe
1676	server.exe
1676	server.exe
1676	server.exe
1676	server.exe
1676	server.exe
1676	server.exe
1676	server.exe
1676	server.exe
1676	server.exe
1676	server.exe
1676	server.exe
1676	server.exe
1676	server.exe
1676	server.exe
1676	server.exe
1676	server.exe
1676	server.exe
1676	server.exe
1676	server.exe
1676	server.exe
1676	server.exe
1676	server.exe
1676	server.exe
1676	server.exe
1676	server.exe
1676	server.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1676	server.exe
2892	iexplore.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1676	server.exe
Token: 33	1676	server.exe
Token: SeIncBasePriorityPrivilege	1676	server.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2892	iexplore.exe

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 2808 wrote to memory of 2876	2808	MonkeModManager.exe	29
PID 2808 wrote to memory of 2876	2808	MonkeModManager.exe	29
PID 2808 wrote to memory of 2876	2808	MonkeModManager.exe	29
PID 2808 wrote to memory of 2876	2808	MonkeModManager.exe	29
PID 2808 wrote to memory of 2716	2808	MonkeModManager.exe	30
PID 2808 wrote to memory of 2716	2808	MonkeModManager.exe	30
PID 2808 wrote to memory of 2716	2808	MonkeModManager.exe	30
PID 2808 wrote to memory of 2716	2808	MonkeModManager.exe	30
PID 2876 wrote to memory of 2628	2876	Gebrrr.exe	31
PID 2876 wrote to memory of 2628	2876	Gebrrr.exe	31
PID 2876 wrote to memory of 2628	2876	Gebrrr.exe	31
PID 2876 wrote to memory of 2628	2876	Gebrrr.exe	31
PID 2876 wrote to memory of 2628	2876	Gebrrr.exe	31
PID 2876 wrote to memory of 2628	2876	Gebrrr.exe	31
PID 2876 wrote to memory of 2628	2876	Gebrrr.exe	31
PID 2628 wrote to memory of 1592	2628	cmd.exe	33
PID 2628 wrote to memory of 1592	2628	cmd.exe	33
PID 2628 wrote to memory of 1592	2628	cmd.exe	33
PID 2628 wrote to memory of 1592	2628	cmd.exe	33
PID 2628 wrote to memory of 2852	2628	cmd.exe	34
PID 2628 wrote to memory of 2852	2628	cmd.exe	34
PID 2628 wrote to memory of 2852	2628	cmd.exe	34
PID 2628 wrote to memory of 2852	2628	cmd.exe	34
PID 2852 wrote to memory of 2892	2852	remcos.exe	35
PID 2852 wrote to memory of 2892	2852	remcos.exe	35
PID 2852 wrote to memory of 2892	2852	remcos.exe	35
PID 2852 wrote to memory of 2892	2852	remcos.exe	35
PID 2852 wrote to memory of 2892	2852	remcos.exe	35
PID 2852 wrote to memory of 2892	2852	remcos.exe	35
PID 2852 wrote to memory of 2892	2852	remcos.exe	35
PID 2852 wrote to memory of 2892	2852	remcos.exe	35
PID 2852 wrote to memory of 2892	2852	remcos.exe	35
PID 2852 wrote to memory of 2892	2852	remcos.exe	35
PID 2716 wrote to memory of 1676	2716	Sczbl.bat	36
PID 2716 wrote to memory of 1676	2716	Sczbl.bat	36
PID 2716 wrote to memory of 1676	2716	Sczbl.bat	36
PID 2716 wrote to memory of 1676	2716	Sczbl.bat	36
PID 1676 wrote to memory of 1332	1676	server.exe	38
PID 1676 wrote to memory of 1332	1676	server.exe	38
PID 1676 wrote to memory of 1332	1676	server.exe	38
PID 1676 wrote to memory of 1332	1676	server.exe	38

C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe
"C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2808
- C:\Users\Admin\AppData\Local\Temp\Gebrrr.exe
  "C:\Users\Admin\AppData\Local\Temp\Gebrrr.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Adds policy Run key to start application
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies WinLogon
  - Suspicious use of WriteProcessMemory
  PID:2876
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2628
  - - C:\Windows\SysWOW64\PING.EXE
      PING 127.0.0.1 -n 2
      4⤵
      Runs ping.exe
      PID:1592
  - - C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
      "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
      4⤵
      Modifies WinLogon for persistence
      Adds policy Run key to start application
      Executes dropped EXE
      Adds Run key to start application
      Modifies WinLogon
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:2852
    - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
        
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        5⤵
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        
        PID:2892
- C:\Users\Admin\AppData\Local\Temp\Sczbl.bat
  "C:\Users\Admin\AppData\Local\Temp\Sczbl.bat"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Users\Admin\AppData\Local\Temp\server.exe
    "C:\Users\Admin\AppData\Local\Temp\server.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1676
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      PID:1332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Gebrrr.exe

Filesize
92KB

MD5
f5b9830d4d8d3e46ac5cf7c0203cecf7

SHA1
0fee86b7327672435801d5da3c453326398fb1c9

SHA256
9b9b86d55832e34a68a293d5ec6deb8a8835d45410e28969cb60856351c834b6

SHA512
e343de8d73437acdce8eb1f5149e4e6cb1e700eaad51f7ef219b6bb4117b1b8aacf7f6290c9dd4b41c18103ee29ee65b010af1a53f5db73b66ca911c760462aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sczbl.bat

Filesize
93KB

MD5
a2678bbd0eace916ffeb692085da3ce3

SHA1
4962672978e14a77eddc7992296faa88f68cfc0e

SHA256
0d1e495ca174082e5f51835d1fab22a9a664e83dd06cbd6670617cbb1c30a456

SHA512
8f773d8bf5389953d886074f9da65e7114479d05e63f1f60da66db89381e06d5c9e8780d03131d89ffe01c1be5daf5c020fa201ded7048d70c15f9261752d861

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.bat

Filesize
99B

MD5
76c1687d97dfdbcea62ef1490bec5001

SHA1
5f4d1aeafa7d840cde67b76f97416dd68efd1bed

SHA256
79f04ea049979ffd2232c459fdd57fae97a5255aea9b4a2c7dce7ead856f37a4

SHA512
da250f0628632a644f159d818a82a8b9cca8224e46843bddbe0f6f9c32a2d04f7736a620af49ab6d77616317ca7d68285e60043965fe86c03d940835bd30a925

Download Submit
C:\Users\Admin\AppData\Roaming\app

Filesize
4B

MD5
7a8184d640ef6cdf954a7f10b80dc908

SHA1
541efc229f03c114a3e8f8413a293947e2578e82

SHA256
f82cb3b7c58b97a0b99662278b17e1cfb211ac7db5640f116ee2cc78475a1887

SHA512
cfa2535b3f842bc525b5d07053fd0267bbdea903364965971b472a172395c557d716b3caa5330a80c197331ce6b0fa6c1d3cb9bed4ae290fc4a8190479425659

Download Submit
memory/1676-57-0x0000000074060000-0x000000007460B000-memory.dmp

Filesize
5.7MB

Download
memory/1676-58-0x0000000001F10000-0x0000000001F50000-memory.dmp

Filesize
256KB

Download
memory/1676-67-0x0000000074060000-0x000000007460B000-memory.dmp

Filesize
5.7MB

Download
memory/1676-68-0x0000000001F10000-0x0000000001F50000-memory.dmp

Filesize
256KB

Download
memory/1676-59-0x0000000074060000-0x000000007460B000-memory.dmp

Filesize
5.7MB

Download
memory/2716-42-0x0000000074060000-0x000000007460B000-memory.dmp

Filesize
5.7MB

Download
memory/2716-43-0x0000000074060000-0x000000007460B000-memory.dmp

Filesize
5.7MB

Download
memory/2716-44-0x0000000000A90000-0x0000000000AD0000-memory.dmp

Filesize
256KB

Download
memory/2716-56-0x0000000074060000-0x000000007460B000-memory.dmp

Filesize
5.7MB

Download
memory/2808-0-0x0000000000960000-0x000000000098A000-memory.dmp

Filesize
168KB

Download
memory/2808-1-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

Filesize
9.9MB

Download
memory/2808-2-0x000000001B230000-0x000000001B2B0000-memory.dmp

Filesize
512KB

Download
memory/2808-29-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

Filesize
9.9MB

Download
memory/2892-35-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download