njrat | c4a303a933d34ae05da9b5208a1b523a4e0a53c40d648457b124338b8cede1ff

General

Target

7ece92212c59df419305a7915b0deb40.exe
Size

148KB
MD5

7ece92212c59df419305a7915b0deb40
SHA1

d39d2595dc53bec55ac4fa6262feb5ceb1e8637e
SHA256

c4a303a933d34ae05da9b5208a1b523a4e0a53c40d648457b124338b8cede1ff
SHA512

66ddb7692d0921b70f7cde29f0a7dc5d35f7bd8c0e78c97b9fe583e9a8379fd4915cdd746c868fa19ac8476ec7c6f137835c141523412810580077e99e6a8079
SSDEEP

3072:mR99ArBvfOBSdThazVJXdQ5/AdaAEUJ7XlE3pYLSxwp3Sb8:ocB1d9iXeSU87XlE+OxwpCb

Score

10^/10

njrat 4 evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

4

C2

rlawlsl154.codns.com:443

Mutex

a695e871b7f2f081334e678e67df6a28

Attributes

reg_key
a695e871b7f2f081334e678e67df6a28
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

4632 netsh.exe

pid	process
4632	netsh.exe

Drops startup file 2 IoCs

Processes:

7ece92212c59df419305a7915b0deb40.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a695e871b7f2f081334e678e67df6a28.exe	7ece92212c59df419305a7915b0deb40.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a695e871b7f2f081334e678e67df6a28.exe	7ece92212c59df419305a7915b0deb40.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

7ece92212c59df419305a7915b0deb40.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a695e871b7f2f081334e678e67df6a28 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\7ece92212c59df419305a7915b0deb40.exe\" .."	7ece92212c59df419305a7915b0deb40.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\a695e871b7f2f081334e678e67df6a28 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\7ece92212c59df419305a7915b0deb40.exe\" .."	7ece92212c59df419305a7915b0deb40.exe

Drops autorun.inf file 1 TTPs 5 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

7ece92212c59df419305a7915b0deb40.exe

description	ioc	process
File created	D:\autorun.inf	7ece92212c59df419305a7915b0deb40.exe
File created	F:\autorun.inf	7ece92212c59df419305a7915b0deb40.exe
File opened for modification	F:\autorun.inf	7ece92212c59df419305a7915b0deb40.exe
File created	C:\autorun.inf	7ece92212c59df419305a7915b0deb40.exe
File opened for modification	C:\autorun.inf	7ece92212c59df419305a7915b0deb40.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

7ece92212c59df419305a7915b0deb40.exe

pid	process
496	7ece92212c59df419305a7915b0deb40.exe
496	7ece92212c59df419305a7915b0deb40.exe
496	7ece92212c59df419305a7915b0deb40.exe
496	7ece92212c59df419305a7915b0deb40.exe
496	7ece92212c59df419305a7915b0deb40.exe
496	7ece92212c59df419305a7915b0deb40.exe
496	7ece92212c59df419305a7915b0deb40.exe
496	7ece92212c59df419305a7915b0deb40.exe
496	7ece92212c59df419305a7915b0deb40.exe
496	7ece92212c59df419305a7915b0deb40.exe
496	7ece92212c59df419305a7915b0deb40.exe
496	7ece92212c59df419305a7915b0deb40.exe
496	7ece92212c59df419305a7915b0deb40.exe
496	7ece92212c59df419305a7915b0deb40.exe
496	7ece92212c59df419305a7915b0deb40.exe
496	7ece92212c59df419305a7915b0deb40.exe
496	7ece92212c59df419305a7915b0deb40.exe
496	7ece92212c59df419305a7915b0deb40.exe
496	7ece92212c59df419305a7915b0deb40.exe
496	7ece92212c59df419305a7915b0deb40.exe
496	7ece92212c59df419305a7915b0deb40.exe
496	7ece92212c59df419305a7915b0deb40.exe
496	7ece92212c59df419305a7915b0deb40.exe
496	7ece92212c59df419305a7915b0deb40.exe
496	7ece92212c59df419305a7915b0deb40.exe
496	7ece92212c59df419305a7915b0deb40.exe
496	7ece92212c59df419305a7915b0deb40.exe
496	7ece92212c59df419305a7915b0deb40.exe
496	7ece92212c59df419305a7915b0deb40.exe
496	7ece92212c59df419305a7915b0deb40.exe
496	7ece92212c59df419305a7915b0deb40.exe
496	7ece92212c59df419305a7915b0deb40.exe
496	7ece92212c59df419305a7915b0deb40.exe
496	7ece92212c59df419305a7915b0deb40.exe
496	7ece92212c59df419305a7915b0deb40.exe
496	7ece92212c59df419305a7915b0deb40.exe
496	7ece92212c59df419305a7915b0deb40.exe
496	7ece92212c59df419305a7915b0deb40.exe
496	7ece92212c59df419305a7915b0deb40.exe
496	7ece92212c59df419305a7915b0deb40.exe
496	7ece92212c59df419305a7915b0deb40.exe
496	7ece92212c59df419305a7915b0deb40.exe
496	7ece92212c59df419305a7915b0deb40.exe
496	7ece92212c59df419305a7915b0deb40.exe
496	7ece92212c59df419305a7915b0deb40.exe
496	7ece92212c59df419305a7915b0deb40.exe
496	7ece92212c59df419305a7915b0deb40.exe
496	7ece92212c59df419305a7915b0deb40.exe
496	7ece92212c59df419305a7915b0deb40.exe
496	7ece92212c59df419305a7915b0deb40.exe
496	7ece92212c59df419305a7915b0deb40.exe
496	7ece92212c59df419305a7915b0deb40.exe
496	7ece92212c59df419305a7915b0deb40.exe
496	7ece92212c59df419305a7915b0deb40.exe
496	7ece92212c59df419305a7915b0deb40.exe
496	7ece92212c59df419305a7915b0deb40.exe
496	7ece92212c59df419305a7915b0deb40.exe
496	7ece92212c59df419305a7915b0deb40.exe
496	7ece92212c59df419305a7915b0deb40.exe
496	7ece92212c59df419305a7915b0deb40.exe
496	7ece92212c59df419305a7915b0deb40.exe
496	7ece92212c59df419305a7915b0deb40.exe
496	7ece92212c59df419305a7915b0deb40.exe
496	7ece92212c59df419305a7915b0deb40.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

7ece92212c59df419305a7915b0deb40.exe

pid process

496 7ece92212c59df419305a7915b0deb40.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

Processes:

7ece92212c59df419305a7915b0deb40.exe

description	pid	process
Token: SeDebugPrivilege	496	7ece92212c59df419305a7915b0deb40.exe
Token: 33	496	7ece92212c59df419305a7915b0deb40.exe
Token: SeIncBasePriorityPrivilege	496	7ece92212c59df419305a7915b0deb40.exe
Token: 33	496	7ece92212c59df419305a7915b0deb40.exe
Token: SeIncBasePriorityPrivilege	496	7ece92212c59df419305a7915b0deb40.exe
Token: 33	496	7ece92212c59df419305a7915b0deb40.exe
Token: SeIncBasePriorityPrivilege	496	7ece92212c59df419305a7915b0deb40.exe
Token: 33	496	7ece92212c59df419305a7915b0deb40.exe
Token: SeIncBasePriorityPrivilege	496	7ece92212c59df419305a7915b0deb40.exe
Token: 33	496	7ece92212c59df419305a7915b0deb40.exe
Token: SeIncBasePriorityPrivilege	496	7ece92212c59df419305a7915b0deb40.exe
Token: 33	496	7ece92212c59df419305a7915b0deb40.exe
Token: SeIncBasePriorityPrivilege	496	7ece92212c59df419305a7915b0deb40.exe
Token: 33	496	7ece92212c59df419305a7915b0deb40.exe
Token: SeIncBasePriorityPrivilege	496	7ece92212c59df419305a7915b0deb40.exe
Token: 33	496	7ece92212c59df419305a7915b0deb40.exe
Token: SeIncBasePriorityPrivilege	496	7ece92212c59df419305a7915b0deb40.exe
Token: 33	496	7ece92212c59df419305a7915b0deb40.exe
Token: SeIncBasePriorityPrivilege	496	7ece92212c59df419305a7915b0deb40.exe
Token: 33	496	7ece92212c59df419305a7915b0deb40.exe
Token: SeIncBasePriorityPrivilege	496	7ece92212c59df419305a7915b0deb40.exe
Token: 33	496	7ece92212c59df419305a7915b0deb40.exe
Token: SeIncBasePriorityPrivilege	496	7ece92212c59df419305a7915b0deb40.exe
Token: 33	496	7ece92212c59df419305a7915b0deb40.exe
Token: SeIncBasePriorityPrivilege	496	7ece92212c59df419305a7915b0deb40.exe
Token: 33	496	7ece92212c59df419305a7915b0deb40.exe
Token: SeIncBasePriorityPrivilege	496	7ece92212c59df419305a7915b0deb40.exe
Token: 33	496	7ece92212c59df419305a7915b0deb40.exe
Token: SeIncBasePriorityPrivilege	496	7ece92212c59df419305a7915b0deb40.exe
Token: 33	496	7ece92212c59df419305a7915b0deb40.exe
Token: SeIncBasePriorityPrivilege	496	7ece92212c59df419305a7915b0deb40.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

7ece92212c59df419305a7915b0deb40.exe

description	pid	process	target process
PID 496 wrote to memory of 4632	496	7ece92212c59df419305a7915b0deb40.exe	netsh.exe
PID 496 wrote to memory of 4632	496	7ece92212c59df419305a7915b0deb40.exe	netsh.exe
PID 496 wrote to memory of 4632	496	7ece92212c59df419305a7915b0deb40.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\7ece92212c59df419305a7915b0deb40.exe
"C:\Users\Admin\AppData\Local\Temp\7ece92212c59df419305a7915b0deb40.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Drops autorun.inf file
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:496

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\7ece92212c59df419305a7915b0deb40.exe" "7ece92212c59df419305a7915b0deb40.exe" ENABLE
2⤵
- Modifies Windows Firewall
PID:4632

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

F:\svchost.exe
Filesize
148KB

MD5
7ece92212c59df419305a7915b0deb40

SHA1
d39d2595dc53bec55ac4fa6262feb5ceb1e8637e

SHA256
c4a303a933d34ae05da9b5208a1b523a4e0a53c40d648457b124338b8cede1ff

SHA512
66ddb7692d0921b70f7cde29f0a7dc5d35f7bd8c0e78c97b9fe583e9a8379fd4915cdd746c868fa19ac8476ec7c6f137835c141523412810580077e99e6a8079

Download Submit
memory/496-0-0x0000000074550000-0x0000000074D00000-memory.dmp

Filesize
7.7MB

Download
memory/496-1-0x0000000000D60000-0x0000000000D8E000-memory.dmp

Filesize
184KB

Download
memory/496-2-0x00000000057A0000-0x000000000583C000-memory.dmp

Filesize
624KB

Download
memory/496-3-0x0000000001850000-0x0000000001860000-memory.dmp

Filesize
64KB

Download
memory/496-4-0x0000000005DF0000-0x0000000006394000-memory.dmp

Filesize
5.6MB

Download
memory/496-14-0x0000000005C40000-0x0000000005CD2000-memory.dmp

Filesize
584KB

Download
memory/496-15-0x0000000074550000-0x0000000074D00000-memory.dmp

Filesize
7.7MB

Download
memory/496-16-0x00000000066F0000-0x00000000066FA000-memory.dmp

Filesize
40KB

Download
memory/496-17-0x0000000005950000-0x0000000005960000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads