njrat | b8b3f7d84c7e47db900850a98648e225fa135f9ec59dcb1b6123c1ba2c701881

General

Target

b8b3f7d84c7e47db900850a98648e225fa135f9ec59dcb1b6123c1ba2c701881.exe
Size

385KB
MD5

4196a59f10b43921440543c917f554ca
SHA1

10bd8d5c3a4bb567e114cef625c1da913711b694
SHA256

b8b3f7d84c7e47db900850a98648e225fa135f9ec59dcb1b6123c1ba2c701881
SHA512

c9812503149aacd1b1bd9cf354570562e97518f3c614b5f7af93617266303a969f7970196c3a1ed785ffe68a68af2c8f9f72f00d33610d8cecf238409eb58e19
SSDEEP

384:pnc6CqbFYh3odrVCGiHssDB4b6i6fgpEupNXRmRvR6JZlbw8hqIusZzZr/jGZUwh:pcIU0tw3RpcnuAASoAeN/

Score

10^/10

njrat superantispyware evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

SUPERAntiSpyware

C2

speedrace.ddns.net:1337

Mutex

52b9d4a87e4a68d91bb1d92c8b16d19a

Attributes

reg_key
52b9d4a87e4a68d91bb1d92c8b16d19a
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2552	netsh.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\52b9d4a87e4a68d91bb1d92c8b16d19a.exe	Windows.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\52b9d4a87e4a68d91bb1d92c8b16d19a.exe	Windows.exe

Executes dropped EXE 1 IoCs

pid	Process
1448	Windows.exe

Loads dropped DLL 1 IoCs

pid	Process
2168	b8b3f7d84c7e47db900850a98648e225fa135f9ec59dcb1b6123c1ba2c701881.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\52b9d4a87e4a68d91bb1d92c8b16d19a = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Windows.exe\" .."	Windows.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\52b9d4a87e4a68d91bb1d92c8b16d19a = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Windows.exe\" .."	Windows.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeDebugPrivilege	1448	Windows.exe
Token: 33	1448	Windows.exe
Token: SeIncBasePriorityPrivilege	1448	Windows.exe
Token: 33	1448	Windows.exe
Token: SeIncBasePriorityPrivilege	1448	Windows.exe
Token: 33	1448	Windows.exe
Token: SeIncBasePriorityPrivilege	1448	Windows.exe
Token: 33	1448	Windows.exe
Token: SeIncBasePriorityPrivilege	1448	Windows.exe
Token: 33	1448	Windows.exe
Token: SeIncBasePriorityPrivilege	1448	Windows.exe
Token: 33	1448	Windows.exe
Token: SeIncBasePriorityPrivilege	1448	Windows.exe
Token: 33	1448	Windows.exe
Token: SeIncBasePriorityPrivilege	1448	Windows.exe
Token: 33	1448	Windows.exe
Token: SeIncBasePriorityPrivilege	1448	Windows.exe
Token: 33	1448	Windows.exe
Token: SeIncBasePriorityPrivilege	1448	Windows.exe
Token: 33	1448	Windows.exe
Token: SeIncBasePriorityPrivilege	1448	Windows.exe
Token: 33	1448	Windows.exe
Token: SeIncBasePriorityPrivilege	1448	Windows.exe
Token: 33	1448	Windows.exe
Token: SeIncBasePriorityPrivilege	1448	Windows.exe
Token: 33	1448	Windows.exe
Token: SeIncBasePriorityPrivilege	1448	Windows.exe
Token: 33	1448	Windows.exe
Token: SeIncBasePriorityPrivilege	1448	Windows.exe
Token: 33	1448	Windows.exe
Token: SeIncBasePriorityPrivilege	1448	Windows.exe
Token: 33	1448	Windows.exe
Token: SeIncBasePriorityPrivilege	1448	Windows.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2168 wrote to memory of 1448	2168	b8b3f7d84c7e47db900850a98648e225fa135f9ec59dcb1b6123c1ba2c701881.exe	28
PID 2168 wrote to memory of 1448	2168	b8b3f7d84c7e47db900850a98648e225fa135f9ec59dcb1b6123c1ba2c701881.exe	28
PID 2168 wrote to memory of 1448	2168	b8b3f7d84c7e47db900850a98648e225fa135f9ec59dcb1b6123c1ba2c701881.exe	28
PID 2168 wrote to memory of 1448	2168	b8b3f7d84c7e47db900850a98648e225fa135f9ec59dcb1b6123c1ba2c701881.exe	28
PID 1448 wrote to memory of 2552	1448	Windows.exe	29
PID 1448 wrote to memory of 2552	1448	Windows.exe	29
PID 1448 wrote to memory of 2552	1448	Windows.exe	29
PID 1448 wrote to memory of 2552	1448	Windows.exe	29

C:\Users\Admin\AppData\Local\Temp\b8b3f7d84c7e47db900850a98648e225fa135f9ec59dcb1b6123c1ba2c701881.exe
"C:\Users\Admin\AppData\Local\Temp\b8b3f7d84c7e47db900850a98648e225fa135f9ec59dcb1b6123c1ba2c701881.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Users\Admin\AppData\Local\Temp\Windows.exe
  "C:\Users\Admin\AppData\Local\Temp\Windows.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1448
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Windows.exe" "Windows.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    PID:2552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\Windows.exe

Filesize
385KB

MD5
4196a59f10b43921440543c917f554ca

SHA1
10bd8d5c3a4bb567e114cef625c1da913711b694

SHA256
b8b3f7d84c7e47db900850a98648e225fa135f9ec59dcb1b6123c1ba2c701881

SHA512
c9812503149aacd1b1bd9cf354570562e97518f3c614b5f7af93617266303a969f7970196c3a1ed785ffe68a68af2c8f9f72f00d33610d8cecf238409eb58e19

Download Submit
memory/1448-11-0x0000000074000000-0x00000000745AB000-memory.dmp

Filesize
5.7MB

Download
memory/1448-12-0x00000000021F0000-0x0000000002230000-memory.dmp

Filesize
256KB

Download
memory/1448-13-0x0000000074000000-0x00000000745AB000-memory.dmp

Filesize
5.7MB

Download
memory/1448-15-0x0000000074000000-0x00000000745AB000-memory.dmp

Filesize
5.7MB

Download
memory/1448-16-0x00000000021F0000-0x0000000002230000-memory.dmp

Filesize
256KB

Download
memory/1448-17-0x0000000074000000-0x00000000745AB000-memory.dmp

Filesize
5.7MB

Download
memory/2168-0-0x0000000074000000-0x00000000745AB000-memory.dmp

Filesize
5.7MB

Download
memory/2168-2-0x0000000000850000-0x0000000000890000-memory.dmp

Filesize
256KB

Download
memory/2168-1-0x0000000074000000-0x00000000745AB000-memory.dmp

Filesize
5.7MB

Download
memory/2168-10-0x0000000074000000-0x00000000745AB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads