njrat | f17fd9ff93d1b3db6c3e4463d5ca5c11b99827890c58721d2860df75d4323705

General

Target

d33dec279966da2024c05d5fde688253.exe
Size

1.2MB
MD5

d33dec279966da2024c05d5fde688253
SHA1

74bde021ba65fdd33fd420568b6a2da406ac07e8
SHA256

f17fd9ff93d1b3db6c3e4463d5ca5c11b99827890c58721d2860df75d4323705
SHA512

67ec505fb9305493699af82de2054ebedcf033867bd9cd14bac7fef392d5f69ce9aaa61a408e67f346153aaa05c1c65aff8e0c63d99477bd04fc6e25c4262fd8
SSDEEP

24576:ANA3R5drXPrfi4T6sNNuT0Zb7mnyxuYuroyvUC0l6:55jl6GuT0tmNTrTsCe6

Score

10^/10

njrat gold trojan

Malware Config

Extracted

Family

njrat

Version

20

Botnet

gold

C2

149.248.52.61:87

Mutex

165d6ed988ac

Attributes

reg_key
165d6ed988ac
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 1 IoCs

Processes:

winhosti.exe

pid process

2304 winhosti.exe

pid	process
2304	winhosti.exe

Loads dropped DLL 4 IoCs

Processes:

d33dec279966da2024c05d5fde688253.exe

pid	process
2144	d33dec279966da2024c05d5fde688253.exe
2144	d33dec279966da2024c05d5fde688253.exe
2144	d33dec279966da2024c05d5fde688253.exe
2144	d33dec279966da2024c05d5fde688253.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid process

2564 AcroRd32.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

winhosti.exe

description pid process

Token: SeDebugPrivilege 2304 winhosti.exe
Token: 33 2304 winhosti.exe
Token: SeIncBasePriorityPrivilege 2304 winhosti.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

AcroRd32.exe

pid process

2564 AcroRd32.exe
2564 AcroRd32.exe
2564 AcroRd32.exe

pid	process
2564	AcroRd32.exe

description	pid	process
Token: SeDebugPrivilege	2304	winhosti.exe
Token: 33	2304	winhosti.exe
Token: SeIncBasePriorityPrivilege	2304	winhosti.exe

pid	process
2564	AcroRd32.exe
2564	AcroRd32.exe
2564	AcroRd32.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

d33dec279966da2024c05d5fde688253.exe

description	pid	process	target process
PID 2144 wrote to memory of 2304	2144	d33dec279966da2024c05d5fde688253.exe	winhosti.exe
PID 2144 wrote to memory of 2304	2144	d33dec279966da2024c05d5fde688253.exe	winhosti.exe
PID 2144 wrote to memory of 2304	2144	d33dec279966da2024c05d5fde688253.exe	winhosti.exe
PID 2144 wrote to memory of 2304	2144	d33dec279966da2024c05d5fde688253.exe	winhosti.exe
PID 2144 wrote to memory of 2040	2144	d33dec279966da2024c05d5fde688253.exe	WScript.exe
PID 2144 wrote to memory of 2040	2144	d33dec279966da2024c05d5fde688253.exe	WScript.exe
PID 2144 wrote to memory of 2040	2144	d33dec279966da2024c05d5fde688253.exe	WScript.exe
PID 2144 wrote to memory of 2040	2144	d33dec279966da2024c05d5fde688253.exe	WScript.exe
PID 2144 wrote to memory of 2564	2144	d33dec279966da2024c05d5fde688253.exe	AcroRd32.exe
PID 2144 wrote to memory of 2564	2144	d33dec279966da2024c05d5fde688253.exe	AcroRd32.exe
PID 2144 wrote to memory of 2564	2144	d33dec279966da2024c05d5fde688253.exe	AcroRd32.exe
PID 2144 wrote to memory of 2564	2144	d33dec279966da2024c05d5fde688253.exe	AcroRd32.exe

C:\Users\Admin\AppData\Local\Temp\d33dec279966da2024c05d5fde688253.exe
"C:\Users\Admin\AppData\Local\Temp\d33dec279966da2024c05d5fde688253.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2144

C:\Users\Admin\AppData\Roaming\winhosti.exe
"C:\Users\Admin\AppData\Roaming\winhosti.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2304

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\u.vbs"
2⤵
PID:2040

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\Phase-3 of Nationwide Vaccination Registration.pdf"
2⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2564

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
Filesize
3KB

MD5
1ab9bf100c1593e436251777985a6a14

SHA1
56478aa1a24789d2c296901359980f55161ef7ba

SHA256
c7e40af812a2f9032cd1784d82b28db5bb253ae64a1b4c370be043d660b685ba

SHA512
201de6d95e84cd812db3fc3620b774440d9630e7fd90aae9251983b9f7aea598f6409c73994c548cc839455b489200a44b8a4403f903fa19684a97c412af7732

Download Submit
C:\Users\Admin\AppData\Roaming\Phase-3 of Nationwide Vaccination Registration.pdf
Filesize
956KB

MD5
0fa12ed69cc54281b003b26adc5d05a9

SHA1
5f186fb3817297baf51e8b697ed044ac437dc996

SHA256
fa344d98fdf10e10c32971dcdad234925143120e50200048b510e64c4c5c5cf4

SHA512
36d2b93a3674b5c8edba8bda3f477b4e2e889ea27862bc00a00c8fa4da31d9683ecd7a3fb1aeec78528ed997663ac3c85af1c00a06190e0a1f74d074cb5c60f9

Download Submit
C:\Users\Admin\AppData\Roaming\u.vbs
Filesize
1KB

MD5
3ce49084a8ccb465d430e750ec9a2df3

SHA1
26fdb9476e7259cc399c2cb311dfe5779d0528a6

SHA256
6d4f18ec7564d4e1abcd0c6e4697f9cd029fba5fb4889d647dacd938d9aabb65

SHA512
32892546b3526e5b877d15a531ad98e637c2caa282e0043290078456121ff648ead57a58e9740f42cf275850a87c0fac8f504958b58959740f271dd0c1b697fd

Download Submit
\Users\Admin\AppData\Roaming\winhosti.exe
Filesize
22KB

MD5
7cbc3b6a36f71c584b08fac91478f033

SHA1
e1b3fc39592cc02aa8b40487c827bc96fb3c830d

SHA256
1dab360111d8a0f59674bc5c725b88edac598dd7e0171ab7c3bc5416d45e6e89

SHA512
f85e4344be0cf30ee9d00e754dcbccfb2bd0833fb16a0a9423388fe2020981e46c20323c385f6be96e0fa52af06b859a65fc006762bd9f2f89062fb7ae180c41

Download Submit
memory/2304-23-0x00000000003B0000-0x00000000003BC000-memory.dmp

Filesize
48KB

Download
memory/2304-24-0x0000000073710000-0x0000000073DFE000-memory.dmp

Filesize
6.9MB

Download
memory/2304-43-0x0000000004960000-0x00000000049A0000-memory.dmp

Filesize
256KB

Download
memory/2304-44-0x0000000073710000-0x0000000073DFE000-memory.dmp

Filesize
6.9MB

Download
memory/2304-45-0x0000000004960000-0x00000000049A0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing