njrat | ae4803897d99ebbce5ef7bb65155c70aa8496188c769f9b5829aee8d62ec8d82

Resubmissions

09/01/2024, 14:58

240109-scl1zaebd2 10

Analysis

max time kernel
0s
max time network
80s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
09/01/2024, 14:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

MonkeModManager.exe
Size

146KB
MD5

81933ce5ca9beb8efb6c431bc6505361
SHA1

7f88cc2b8e40a2f485f9062fc8bba4ac2793c20a
SHA256

ae4803897d99ebbce5ef7bb65155c70aa8496188c769f9b5829aee8d62ec8d82
SHA512

debad62cb7928bafc1aebf84933fe64afe7dfea06ef01588509ec7b4283a4a07eed584f40e28e40c626295c3b357b469397a664e65b90cf04d530531daddd4a8
SSDEEP

1536:z3rY49c1TiyDZESAkt4+UM3upJ7ak5C3kIJfmGY9lToGI7J3z+InbSPqZuBsv032:brYlEkXb+pJWkjbI936aSPqZuE090

Score

10^/10

njrat remcos hacked host evasion rat trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

hakim32.ddns.net:2000

dead-reviewer.gl.at.ply.gg:60161

Mutex

90319c19387bbc36810cf2f727f01c05

Attributes

reg_key
90319c19387bbc36810cf2f727f01c05
splitter
|'|'|

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

shall-someone.gl.at.ply.gg:60408

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
true
hide_keylog_file
true
install_flag
true
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
vindevs
keylog_path
%AppData%
mouse_option
false
mutex
remcos_kixjmsbwpikjkoa
screenshot_crypt
true
screenshot_flag
true
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
60
startup_value
Dlscord
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
2344	netsh.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2648	PING.EXE

C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe
"C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe"
1⤵
PID:4304
- C:\Users\Admin\AppData\Local\Temp\Sczbl.bat
  "C:\Users\Admin\AppData\Local\Temp\Sczbl.bat"
  2⤵
  PID:864
- - C:\Users\Admin\AppData\Local\Temp\server.exe
    "C:\Users\Admin\AppData\Local\Temp\server.exe"
    3⤵
    PID:4356
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      PID:2344
- C:\Users\Admin\AppData\Local\Temp\Gebrrr.exe
  "C:\Users\Admin\AppData\Local\Temp\Gebrrr.exe"
  2⤵
  PID:4820

C:\Windows\SysWOW64\PING.EXE
PING 127.0.0.1 -n 2
1⤵
- Runs ping.exe
PID:2648

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
1⤵
PID:4196
- C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
  "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
  2⤵
  PID:4240

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
1⤵
PID:2744

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x150 0x40c
1⤵
PID:2172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Gebrrr.exe

Filesize
20KB

MD5
b1f7f0e093ec0e070858e6c7d0e6093e

SHA1
62e8ac46e89eaf33f20f83651ad68c7483906e09

SHA256
082d5bad1d4aa6caed721c096286045647f94af0c13942e2716cbb38e2b53157

SHA512
fb005e36970274cb080f3f0ae7486f8848482036616e2a8394d50d62e6100b955df5170d1d9e1650b17ca52d7b465457d47152321048c72625801dd2d858edd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gebrrr.exe

Filesize
47KB

MD5
fa7b0b3afe2b22d5a8c08f5e60af7834

SHA1
f5fc259b50c97ff279fd11925396c7a18ae3e388

SHA256
29d3bee2687e2b626bfc4afe82c12f55c49be941eb632455bbb75167b06e02e4

SHA512
07080edce7d785fed0c72bb86a6ac983152ee10a2da4da34bd04f45277c90738ec0ac98b47d80389dc31050f85825350326ec852a9c58786af83124539e5f124

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gebrrr.exe

Filesize
7KB

MD5
31b45f8ed075b8f48407acd819cfd8a0

SHA1
0fe27d1e8eae1bc5c2a2e53313abce7644e82b27

SHA256
6b3280439573df38567c996f84c0badbd47e8676cc360ad040ecc87a577f09ab

SHA512
066858ba77494f9f297bb6f360e39870a51ae40ae3dc533d0a86cd71fea77abcb606996b9d0bd5eda9a81a0f4b56da94de93cbff15d1b51fd6b50484384a8066

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sczbl.bat

Filesize
58KB

MD5
58c5c3acea931d3cb53949c86f6e9c37

SHA1
856a50a03b0bbf1f1caf9cdb987aaf662c1a34f2

SHA256
e81652600b251c99551445a9ae7143d5cd07ee4143745af0413661ab678c902e

SHA512
c5d408aacade6b4d6e705678de29dc314a361f95f5470e8fb295e2c8db344b4a1aa9f4936dd2918bb65a2993765c206bbc17af3d346778cb815e33631635430f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sczbl.bat

Filesize
9KB

MD5
8249ac4334401b63f8b4735bd2baca54

SHA1
fc52bcecc4b829ea7414b2c22e6f6399eec727c5

SHA256
980800d3357abfeef5af5c13b19ffe030be8f657046d78b7c54bb19a6fd2f447

SHA512
837c97febe4f59242a4c9f65a8e78ea008f780887affa7468ddc08ac07e43a63d6409d83034d92bfbf3530e47a57fac15fbba9e86db8b339f538e9920b298731

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.bat

Filesize
99B

MD5
76c1687d97dfdbcea62ef1490bec5001

SHA1
5f4d1aeafa7d840cde67b76f97416dd68efd1bed

SHA256
79f04ea049979ffd2232c459fdd57fae97a5255aea9b4a2c7dce7ead856f37a4

SHA512
da250f0628632a644f159d818a82a8b9cca8224e46843bddbe0f6f9c32a2d04f7736a620af49ab6d77616317ca7d68285e60043965fe86c03d940835bd30a925

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
93KB

MD5
a2678bbd0eace916ffeb692085da3ce3

SHA1
4962672978e14a77eddc7992296faa88f68cfc0e

SHA256
0d1e495ca174082e5f51835d1fab22a9a664e83dd06cbd6670617cbb1c30a456

SHA512
8f773d8bf5389953d886074f9da65e7114479d05e63f1f60da66db89381e06d5c9e8780d03131d89ffe01c1be5daf5c020fa201ded7048d70c15f9261752d861

Download Submit
C:\Users\Admin\AppData\Roaming\app

Filesize
4B

MD5
7a8184d640ef6cdf954a7f10b80dc908

SHA1
541efc229f03c114a3e8f8413a293947e2578e82

SHA256
f82cb3b7c58b97a0b99662278b17e1cfb211ac7db5640f116ee2cc78475a1887

SHA512
cfa2535b3f842bc525b5d07053fd0267bbdea903364965971b472a172395c557d716b3caa5330a80c197331ce6b0fa6c1d3cb9bed4ae290fc4a8190479425659

Download Submit
C:\Users\Admin\AppData\Roaming\remcos\remcos.exe

Filesize
92KB

MD5
f5b9830d4d8d3e46ac5cf7c0203cecf7

SHA1
0fee86b7327672435801d5da3c453326398fb1c9

SHA256
9b9b86d55832e34a68a293d5ec6deb8a8835d45410e28969cb60856351c834b6

SHA512
e343de8d73437acdce8eb1f5149e4e6cb1e700eaad51f7ef219b6bb4117b1b8aacf7f6290c9dd4b41c18103ee29ee65b010af1a53f5db73b66ca911c760462aa

Download Submit
memory/864-21-0x0000000074090000-0x0000000074641000-memory.dmp

Filesize
5.7MB

Download
memory/864-22-0x0000000074090000-0x0000000074641000-memory.dmp

Filesize
5.7MB

Download
memory/864-23-0x00000000009A0000-0x00000000009B0000-memory.dmp

Filesize
64KB

Download
memory/864-37-0x0000000074090000-0x0000000074641000-memory.dmp

Filesize
5.7MB

Download
memory/4240-91-0x0000000000460000-0x0000000000467000-memory.dmp

Filesize
28KB

Download
memory/4240-90-0x0000000000460000-0x0000000000467000-memory.dmp

Filesize
28KB

Download
memory/4304-2-0x000000001B910000-0x000000001B920000-memory.dmp

Filesize
64KB

Download
memory/4304-0-0x0000000000D20000-0x0000000000D4A000-memory.dmp

Filesize
168KB

Download
memory/4304-17-0x00007FF9386E0000-0x00007FF9391A1000-memory.dmp

Filesize
10.8MB

Download
memory/4304-1-0x00007FF9386E0000-0x00007FF9391A1000-memory.dmp

Filesize
10.8MB

Download
memory/4356-40-0x0000000074090000-0x0000000074641000-memory.dmp

Filesize
5.7MB

Download
memory/4356-81-0x0000000001040000-0x0000000001050000-memory.dmp

Filesize
64KB

Download
memory/4356-84-0x0000000074090000-0x0000000074641000-memory.dmp

Filesize
5.7MB

Download
memory/4356-85-0x0000000001040000-0x0000000001050000-memory.dmp

Filesize
64KB

Download
memory/4356-86-0x0000000001040000-0x0000000001050000-memory.dmp

Filesize
64KB

Download
memory/4356-38-0x0000000074090000-0x0000000074641000-memory.dmp

Filesize
5.7MB

Download
memory/4356-39-0x0000000001040000-0x0000000001050000-memory.dmp

Filesize
64KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads