njrat | c2d9651404820b7dbea6d3cc78b8795f342bb7b176575b9915b2460e70bd0498

Analysis

max time kernel
147s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
12/01/2024, 10:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

56442e09f109c9240e38f447d3353026.exe
Size

449KB
MD5

56442e09f109c9240e38f447d3353026
SHA1

6957c1043784a2e7550cc15c5ed7c03977cc696a
SHA256

c2d9651404820b7dbea6d3cc78b8795f342bb7b176575b9915b2460e70bd0498
SHA512

689917322d15103cfe95123e7a00b82a5f83600f3d8c87adfd984b635fcaec5937279f14fafec0e51f599a37027137e340ffaca2b131abb477ea06a6860d0907
SSDEEP

12288:2yNr36BagStoIzQ1Qlrffjeuk+w2PaZghYzY:2yNz6B9QzQ10fZwewghYzY

Score

10^/10

njrat hacked trojan

Malware Config

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

HacKed

127.0.0.1:5554

Mutex

Windows Update

Attributes

reg_key
Windows Update
splitter
|Hassan|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000_CLASSES\CID\{55003500-5200-4700-4F00-720054003900}	56442e09f109c9240e38f447d3353026.exe
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000_CLASSES\CID	56442e09f109c9240e38f447d3353026.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000_CLASSES\CID\{55003500-5200-4700-4F00-720054003900}\1 = "U7GixgL4dqxSF5l0lJQDBVpHAWvXAaD70GjwcCgBEtvG1CFxGnaa6ULCv53kxDabuvnl+rBe1FJMh/JfHGrKs6q/YyHb97iYJEK0q/KdLE4DZ5gTDLD3eloYzPCHisGxrXaPJDkUxVLun7RFP+nBKtS9GRbwR3XYlxqoqpQSBHFU5I2x/1UFe3X07Z+8mWBx2CeqxKxMdGAqdWnrYcU7WTuXQEulrQyHNMrcSVESoAbepKmkVWKvL+bfcbSx3hbeQ6K/gLKaWBvd9SbXPynphJWexm69n7PapKjgpkWvyLqqvYb5MuLzKo52OILiUTxS3kiR3lbg07CwPHrW8owWMzEIVGkrw7x5CI/3HprMBM7pR5I/BI4+5ryecwT766IxRANDFYyUhgUB9STQ0FNL9hqkxx0UexkflSeRFmdV7xObQ1svJJAwnfR9ZnmrXhc4MLt/vU7GzXoQFJWv9/tzoA=="	56442e09f109c9240e38f447d3353026.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp:{55003500-5200-4700-4F00-720054003900}	56442e09f109c9240e38f447d3353026.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2412	56442e09f109c9240e38f447d3353026.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: SeDebugPrivilege	2412	56442e09f109c9240e38f447d3353026.exe
Token: 33	2412	56442e09f109c9240e38f447d3353026.exe
Token: SeIncBasePriorityPrivilege	2412	56442e09f109c9240e38f447d3353026.exe
Token: 33	2412	56442e09f109c9240e38f447d3353026.exe
Token: SeIncBasePriorityPrivilege	2412	56442e09f109c9240e38f447d3353026.exe
Token: 33	2412	56442e09f109c9240e38f447d3353026.exe
Token: SeIncBasePriorityPrivilege	2412	56442e09f109c9240e38f447d3353026.exe
Token: 33	2412	56442e09f109c9240e38f447d3353026.exe
Token: SeIncBasePriorityPrivilege	2412	56442e09f109c9240e38f447d3353026.exe
Token: 33	2412	56442e09f109c9240e38f447d3353026.exe
Token: SeIncBasePriorityPrivilege	2412	56442e09f109c9240e38f447d3353026.exe
Token: 33	2412	56442e09f109c9240e38f447d3353026.exe
Token: SeIncBasePriorityPrivilege	2412	56442e09f109c9240e38f447d3353026.exe
Token: 33	2412	56442e09f109c9240e38f447d3353026.exe
Token: SeIncBasePriorityPrivilege	2412	56442e09f109c9240e38f447d3353026.exe
Token: 33	2412	56442e09f109c9240e38f447d3353026.exe
Token: SeIncBasePriorityPrivilege	2412	56442e09f109c9240e38f447d3353026.exe
Token: 33	2412	56442e09f109c9240e38f447d3353026.exe
Token: SeIncBasePriorityPrivilege	2412	56442e09f109c9240e38f447d3353026.exe
Token: 33	2412	56442e09f109c9240e38f447d3353026.exe
Token: SeIncBasePriorityPrivilege	2412	56442e09f109c9240e38f447d3353026.exe
Token: 33	2412	56442e09f109c9240e38f447d3353026.exe
Token: SeIncBasePriorityPrivilege	2412	56442e09f109c9240e38f447d3353026.exe
Token: 33	2412	56442e09f109c9240e38f447d3353026.exe
Token: SeIncBasePriorityPrivilege	2412	56442e09f109c9240e38f447d3353026.exe
Token: 33	2412	56442e09f109c9240e38f447d3353026.exe
Token: SeIncBasePriorityPrivilege	2412	56442e09f109c9240e38f447d3353026.exe
Token: 33	2412	56442e09f109c9240e38f447d3353026.exe
Token: SeIncBasePriorityPrivilege	2412	56442e09f109c9240e38f447d3353026.exe
Token: 33	2412	56442e09f109c9240e38f447d3353026.exe
Token: SeIncBasePriorityPrivilege	2412	56442e09f109c9240e38f447d3353026.exe
Token: 33	2412	56442e09f109c9240e38f447d3353026.exe
Token: SeIncBasePriorityPrivilege	2412	56442e09f109c9240e38f447d3353026.exe
Token: 33	2412	56442e09f109c9240e38f447d3353026.exe
Token: SeIncBasePriorityPrivilege	2412	56442e09f109c9240e38f447d3353026.exe

C:\Users\Admin\AppData\Local\Temp\56442e09f109c9240e38f447d3353026.exe
"C:\Users\Admin\AppData\Local\Temp\56442e09f109c9240e38f447d3353026.exe"
1⤵
- Modifies registry class
- NTFS ADS
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2412

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2412-0-0x0000000001390000-0x0000000001408000-memory.dmp

Filesize
480KB

Download
memory/2412-1-0x00000000748A0000-0x0000000074F8E000-memory.dmp

Filesize
6.9MB

Download
memory/2412-3-0x0000000004910000-0x0000000004950000-memory.dmp

Filesize
256KB

Download
memory/2412-7-0x0000000004910000-0x0000000004950000-memory.dmp

Filesize
256KB

Download
memory/2412-6-0x0000000000560000-0x0000000000572000-memory.dmp

Filesize
72KB

Download
memory/2412-8-0x00000000748A0000-0x0000000074F8E000-memory.dmp

Filesize
6.9MB

Download
memory/2412-9-0x0000000004910000-0x0000000004950000-memory.dmp

Filesize
256KB

Download
memory/2412-10-0x0000000004910000-0x0000000004950000-memory.dmp

Filesize
256KB

Download