njrat | e9eb7ce697b5dd84e2189ad96a618d34016781e3e05e48529f39a368fd9f000d

Analysis

max time kernel
117s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28/02/2024, 11:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

abcd969ee379cbe42f3a4513513ab578.exe
Size

538KB
MD5

abcd969ee379cbe42f3a4513513ab578
SHA1

ae012c3c2ca7e316af5c2a37d576124fa969cfe3
SHA256

e9eb7ce697b5dd84e2189ad96a618d34016781e3e05e48529f39a368fd9f000d
SHA512

13314a089a660f5f44b895e8c821bd60a03150b93733f25dc600e30e7899a647802dd3211ad62539ae5a39c682e783df0f617a58158009101ab446d176a27af3
SSDEEP

12288:8TdK0Js33WdFuUfbFfHAAGdqV/OOu2zYRs:8Tc0Js3aFuUfbFfHAAGdqV/Of2zYRs

Score

10^/10

njrat inviter2 trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

inviter2

server77.ddns.net:5556

Mutex

e6dfe525c9e72b16ec2dd106adf4118f

Attributes

reg_key
e6dfe525c9e72b16ec2dd106adf4118f
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 1 IoCs

pid	Process
3056	test.exe

Loads dropped DLL 1 IoCs

pid	Process
3024	cmd.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3048 wrote to memory of 3024	3048	abcd969ee379cbe42f3a4513513ab578.exe	29
PID 3048 wrote to memory of 3024	3048	abcd969ee379cbe42f3a4513513ab578.exe	29
PID 3048 wrote to memory of 3024	3048	abcd969ee379cbe42f3a4513513ab578.exe	29
PID 3048 wrote to memory of 3024	3048	abcd969ee379cbe42f3a4513513ab578.exe	29
PID 3024 wrote to memory of 3056	3024	cmd.exe	30
PID 3024 wrote to memory of 3056	3024	cmd.exe	30
PID 3024 wrote to memory of 3056	3024	cmd.exe	30
PID 3024 wrote to memory of 3056	3024	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\abcd969ee379cbe42f3a4513513ab578.exe
"C:\Users\Admin\AppData\Local\Temp\abcd969ee379cbe42f3a4513513ab578.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3048
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c test.exe
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3024
- - C:\Users\Admin\AppData\Local\Temp\test.exe
    test.exe
    3⤵
    - Executes dropped EXE
    PID:3056

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\test.exe

Filesize
23KB

MD5
63546cf3269a13a27fa4df0b767b1c82

SHA1
2fc6ab48726771b4d288608118da204f6f94f6f5

SHA256
e1d3fbf4ca5ff1aacb867947fd087b795f6ac32cbf632f1ab29153923da8ec97

SHA512
38b7df400750b465e5cb569c2f57e9012d8f98d2f7be439f3cd6082800c5cc7d5fc38f5c900f122aa58dbc120fe4d7a1d8bd1b90730e94a4fe31bd3699792aad

Download Submit
memory/3048-4-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download