njrat | 5e8ce92857793e8893c63bc4d032dabf6b1ab7458b0e4485e0feefed397cf205

General

Target

8e2a38c6cccf6fbb76bdb2a1726ed878.exe
Size

110KB
MD5

8e2a38c6cccf6fbb76bdb2a1726ed878
SHA1

b69e5d43aa0502c27ff7c6e860c31515af52ff7b
SHA256

5e8ce92857793e8893c63bc4d032dabf6b1ab7458b0e4485e0feefed397cf205
SHA512

cf6d69cf1795e1e1b096683a5acd4f3c7053dd9fe77f35c5f5dea16e5948e36680275616ebb3d327e2360e848b6c9548e1b04070a0b4dab51b0261f63b5f4377
SSDEEP

3072:skjgSGGOZ1NDkBLru6HqdAGc/dw/J+jm:LgSyktrV/dQ

Score

10^/10

njrat 4 evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

4

C2

rlawlsl154.codns.com:443

Mutex

a695e871b7f2f081334e678e67df6a28

Attributes

reg_key
a695e871b7f2f081334e678e67df6a28
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

3040 netsh.exe

pid	process
3040	netsh.exe

Drops startup file 2 IoCs

Processes:

8e2a38c6cccf6fbb76bdb2a1726ed878.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a695e871b7f2f081334e678e67df6a28.exe	8e2a38c6cccf6fbb76bdb2a1726ed878.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a695e871b7f2f081334e678e67df6a28.exe	8e2a38c6cccf6fbb76bdb2a1726ed878.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

8e2a38c6cccf6fbb76bdb2a1726ed878.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\a695e871b7f2f081334e678e67df6a28 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\8e2a38c6cccf6fbb76bdb2a1726ed878.exe\" .."	8e2a38c6cccf6fbb76bdb2a1726ed878.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\a695e871b7f2f081334e678e67df6a28 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\8e2a38c6cccf6fbb76bdb2a1726ed878.exe\" .."	8e2a38c6cccf6fbb76bdb2a1726ed878.exe

Drops autorun.inf file 1 TTPs 5 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

8e2a38c6cccf6fbb76bdb2a1726ed878.exe

description	ioc	process
File created	C:\autorun.inf	8e2a38c6cccf6fbb76bdb2a1726ed878.exe
File opened for modification	C:\autorun.inf	8e2a38c6cccf6fbb76bdb2a1726ed878.exe
File created	D:\autorun.inf	8e2a38c6cccf6fbb76bdb2a1726ed878.exe
File created	F:\autorun.inf	8e2a38c6cccf6fbb76bdb2a1726ed878.exe
File opened for modification	F:\autorun.inf	8e2a38c6cccf6fbb76bdb2a1726ed878.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

8e2a38c6cccf6fbb76bdb2a1726ed878.exe

pid	process
2872	8e2a38c6cccf6fbb76bdb2a1726ed878.exe
2872	8e2a38c6cccf6fbb76bdb2a1726ed878.exe
2872	8e2a38c6cccf6fbb76bdb2a1726ed878.exe
2872	8e2a38c6cccf6fbb76bdb2a1726ed878.exe
2872	8e2a38c6cccf6fbb76bdb2a1726ed878.exe
2872	8e2a38c6cccf6fbb76bdb2a1726ed878.exe
2872	8e2a38c6cccf6fbb76bdb2a1726ed878.exe
2872	8e2a38c6cccf6fbb76bdb2a1726ed878.exe
2872	8e2a38c6cccf6fbb76bdb2a1726ed878.exe
2872	8e2a38c6cccf6fbb76bdb2a1726ed878.exe
2872	8e2a38c6cccf6fbb76bdb2a1726ed878.exe
2872	8e2a38c6cccf6fbb76bdb2a1726ed878.exe
2872	8e2a38c6cccf6fbb76bdb2a1726ed878.exe
2872	8e2a38c6cccf6fbb76bdb2a1726ed878.exe
2872	8e2a38c6cccf6fbb76bdb2a1726ed878.exe
2872	8e2a38c6cccf6fbb76bdb2a1726ed878.exe
2872	8e2a38c6cccf6fbb76bdb2a1726ed878.exe
2872	8e2a38c6cccf6fbb76bdb2a1726ed878.exe
2872	8e2a38c6cccf6fbb76bdb2a1726ed878.exe
2872	8e2a38c6cccf6fbb76bdb2a1726ed878.exe
2872	8e2a38c6cccf6fbb76bdb2a1726ed878.exe
2872	8e2a38c6cccf6fbb76bdb2a1726ed878.exe
2872	8e2a38c6cccf6fbb76bdb2a1726ed878.exe
2872	8e2a38c6cccf6fbb76bdb2a1726ed878.exe
2872	8e2a38c6cccf6fbb76bdb2a1726ed878.exe
2872	8e2a38c6cccf6fbb76bdb2a1726ed878.exe
2872	8e2a38c6cccf6fbb76bdb2a1726ed878.exe
2872	8e2a38c6cccf6fbb76bdb2a1726ed878.exe
2872	8e2a38c6cccf6fbb76bdb2a1726ed878.exe
2872	8e2a38c6cccf6fbb76bdb2a1726ed878.exe
2872	8e2a38c6cccf6fbb76bdb2a1726ed878.exe
2872	8e2a38c6cccf6fbb76bdb2a1726ed878.exe
2872	8e2a38c6cccf6fbb76bdb2a1726ed878.exe
2872	8e2a38c6cccf6fbb76bdb2a1726ed878.exe
2872	8e2a38c6cccf6fbb76bdb2a1726ed878.exe
2872	8e2a38c6cccf6fbb76bdb2a1726ed878.exe
2872	8e2a38c6cccf6fbb76bdb2a1726ed878.exe
2872	8e2a38c6cccf6fbb76bdb2a1726ed878.exe
2872	8e2a38c6cccf6fbb76bdb2a1726ed878.exe
2872	8e2a38c6cccf6fbb76bdb2a1726ed878.exe
2872	8e2a38c6cccf6fbb76bdb2a1726ed878.exe
2872	8e2a38c6cccf6fbb76bdb2a1726ed878.exe
2872	8e2a38c6cccf6fbb76bdb2a1726ed878.exe
2872	8e2a38c6cccf6fbb76bdb2a1726ed878.exe
2872	8e2a38c6cccf6fbb76bdb2a1726ed878.exe
2872	8e2a38c6cccf6fbb76bdb2a1726ed878.exe
2872	8e2a38c6cccf6fbb76bdb2a1726ed878.exe
2872	8e2a38c6cccf6fbb76bdb2a1726ed878.exe
2872	8e2a38c6cccf6fbb76bdb2a1726ed878.exe
2872	8e2a38c6cccf6fbb76bdb2a1726ed878.exe
2872	8e2a38c6cccf6fbb76bdb2a1726ed878.exe
2872	8e2a38c6cccf6fbb76bdb2a1726ed878.exe
2872	8e2a38c6cccf6fbb76bdb2a1726ed878.exe
2872	8e2a38c6cccf6fbb76bdb2a1726ed878.exe
2872	8e2a38c6cccf6fbb76bdb2a1726ed878.exe
2872	8e2a38c6cccf6fbb76bdb2a1726ed878.exe
2872	8e2a38c6cccf6fbb76bdb2a1726ed878.exe
2872	8e2a38c6cccf6fbb76bdb2a1726ed878.exe
2872	8e2a38c6cccf6fbb76bdb2a1726ed878.exe
2872	8e2a38c6cccf6fbb76bdb2a1726ed878.exe
2872	8e2a38c6cccf6fbb76bdb2a1726ed878.exe
2872	8e2a38c6cccf6fbb76bdb2a1726ed878.exe
2872	8e2a38c6cccf6fbb76bdb2a1726ed878.exe
2872	8e2a38c6cccf6fbb76bdb2a1726ed878.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

8e2a38c6cccf6fbb76bdb2a1726ed878.exe

pid process

2872 8e2a38c6cccf6fbb76bdb2a1726ed878.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

Processes:

8e2a38c6cccf6fbb76bdb2a1726ed878.exe

description	pid	process
Token: SeDebugPrivilege	2872	8e2a38c6cccf6fbb76bdb2a1726ed878.exe
Token: 33	2872	8e2a38c6cccf6fbb76bdb2a1726ed878.exe
Token: SeIncBasePriorityPrivilege	2872	8e2a38c6cccf6fbb76bdb2a1726ed878.exe
Token: 33	2872	8e2a38c6cccf6fbb76bdb2a1726ed878.exe
Token: SeIncBasePriorityPrivilege	2872	8e2a38c6cccf6fbb76bdb2a1726ed878.exe
Token: 33	2872	8e2a38c6cccf6fbb76bdb2a1726ed878.exe
Token: SeIncBasePriorityPrivilege	2872	8e2a38c6cccf6fbb76bdb2a1726ed878.exe
Token: 33	2872	8e2a38c6cccf6fbb76bdb2a1726ed878.exe
Token: SeIncBasePriorityPrivilege	2872	8e2a38c6cccf6fbb76bdb2a1726ed878.exe
Token: 33	2872	8e2a38c6cccf6fbb76bdb2a1726ed878.exe
Token: SeIncBasePriorityPrivilege	2872	8e2a38c6cccf6fbb76bdb2a1726ed878.exe
Token: 33	2872	8e2a38c6cccf6fbb76bdb2a1726ed878.exe
Token: SeIncBasePriorityPrivilege	2872	8e2a38c6cccf6fbb76bdb2a1726ed878.exe
Token: 33	2872	8e2a38c6cccf6fbb76bdb2a1726ed878.exe
Token: SeIncBasePriorityPrivilege	2872	8e2a38c6cccf6fbb76bdb2a1726ed878.exe
Token: 33	2872	8e2a38c6cccf6fbb76bdb2a1726ed878.exe
Token: SeIncBasePriorityPrivilege	2872	8e2a38c6cccf6fbb76bdb2a1726ed878.exe
Token: 33	2872	8e2a38c6cccf6fbb76bdb2a1726ed878.exe
Token: SeIncBasePriorityPrivilege	2872	8e2a38c6cccf6fbb76bdb2a1726ed878.exe
Token: 33	2872	8e2a38c6cccf6fbb76bdb2a1726ed878.exe
Token: SeIncBasePriorityPrivilege	2872	8e2a38c6cccf6fbb76bdb2a1726ed878.exe
Token: 33	2872	8e2a38c6cccf6fbb76bdb2a1726ed878.exe
Token: SeIncBasePriorityPrivilege	2872	8e2a38c6cccf6fbb76bdb2a1726ed878.exe
Token: 33	2872	8e2a38c6cccf6fbb76bdb2a1726ed878.exe
Token: SeIncBasePriorityPrivilege	2872	8e2a38c6cccf6fbb76bdb2a1726ed878.exe
Token: 33	2872	8e2a38c6cccf6fbb76bdb2a1726ed878.exe
Token: SeIncBasePriorityPrivilege	2872	8e2a38c6cccf6fbb76bdb2a1726ed878.exe
Token: 33	2872	8e2a38c6cccf6fbb76bdb2a1726ed878.exe
Token: SeIncBasePriorityPrivilege	2872	8e2a38c6cccf6fbb76bdb2a1726ed878.exe
Token: 33	2872	8e2a38c6cccf6fbb76bdb2a1726ed878.exe
Token: SeIncBasePriorityPrivilege	2872	8e2a38c6cccf6fbb76bdb2a1726ed878.exe
Token: 33	2872	8e2a38c6cccf6fbb76bdb2a1726ed878.exe
Token: SeIncBasePriorityPrivilege	2872	8e2a38c6cccf6fbb76bdb2a1726ed878.exe
Token: 33	2872	8e2a38c6cccf6fbb76bdb2a1726ed878.exe
Token: SeIncBasePriorityPrivilege	2872	8e2a38c6cccf6fbb76bdb2a1726ed878.exe
Token: 33	2872	8e2a38c6cccf6fbb76bdb2a1726ed878.exe
Token: SeIncBasePriorityPrivilege	2872	8e2a38c6cccf6fbb76bdb2a1726ed878.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

8e2a38c6cccf6fbb76bdb2a1726ed878.exe

description	pid	process	target process
PID 2872 wrote to memory of 3040	2872	8e2a38c6cccf6fbb76bdb2a1726ed878.exe	netsh.exe
PID 2872 wrote to memory of 3040	2872	8e2a38c6cccf6fbb76bdb2a1726ed878.exe	netsh.exe
PID 2872 wrote to memory of 3040	2872	8e2a38c6cccf6fbb76bdb2a1726ed878.exe	netsh.exe
PID 2872 wrote to memory of 3040	2872	8e2a38c6cccf6fbb76bdb2a1726ed878.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\8e2a38c6cccf6fbb76bdb2a1726ed878.exe
"C:\Users\Admin\AppData\Local\Temp\8e2a38c6cccf6fbb76bdb2a1726ed878.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Drops autorun.inf file
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2872

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\8e2a38c6cccf6fbb76bdb2a1726ed878.exe" "8e2a38c6cccf6fbb76bdb2a1726ed878.exe" ENABLE
2⤵
- Modifies Windows Firewall
PID:3040

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

F:\svchost.exe
Filesize
110KB

MD5
8e2a38c6cccf6fbb76bdb2a1726ed878

SHA1
b69e5d43aa0502c27ff7c6e860c31515af52ff7b

SHA256
5e8ce92857793e8893c63bc4d032dabf6b1ab7458b0e4485e0feefed397cf205

SHA512
cf6d69cf1795e1e1b096683a5acd4f3c7053dd9fe77f35c5f5dea16e5948e36680275616ebb3d327e2360e848b6c9548e1b04070a0b4dab51b0261f63b5f4377

Download Submit
memory/2872-0-0x0000000000070000-0x0000000000092000-memory.dmp

Filesize
136KB

Download
memory/2872-1-0x0000000000390000-0x00000000003A0000-memory.dmp

Filesize
64KB

Download
memory/2872-2-0x0000000074EA0000-0x000000007558E000-memory.dmp

Filesize
6.9MB

Download
memory/2872-12-0x0000000004C20000-0x0000000004C60000-memory.dmp

Filesize
256KB

Download
memory/2872-13-0x0000000074EA0000-0x000000007558E000-memory.dmp

Filesize
6.9MB

Download
memory/2872-14-0x0000000004C20000-0x0000000004C60000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads