njrat | f51422da0c91f9c2dcd1e87e61f0a59f64cd71915a006fd83f67be96e8cd31a5

General

Target

ImmortaL/launcherimortal.exe
Size

8.0MB
MD5

27e834cd6f7f5f0d56a8c1f50d7c8ec9
SHA1

edb4639e5b684ecc1a0d0b5676a890a58656c6e8
SHA256

850be50676a9696f263611dfce1c11fea0c3cf211fef0b9f9fccadf500135435
SHA512

3a99d21b87ad47801ee8fb81b90570daaac4d0f771963dab0c7f1b9e848e05b89a57b4c7e90d8753dc56cefcef4f5f8a122c12b1f51cfbb950e848f408b74087
SSDEEP

49152:RTWfqjVmnGoZCIKmqeinNEn3JKaBZfeYy9VwjwXzl4V4Tu0sYDcXYTWfMsoPRfjd:KxHnaeiQ7BZG39

Score

10^/10

njrat mrsvch0st persistence trojan

Malware Config

Extracted

Family

njrat

Version

Platinum

Botnet

MrSvch0st

C2

127.0.0.1:1337

Mutex

notpad.exe

Attributes

reg_key
notpad.exe
splitter
|Ghost|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RegAsm.exeInjector.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	Injector.exe

Drops startup file 3 IoCs

Processes:

notpad.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\notpad.exe	notpad.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\notpad.exe	notpad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\notpad.url	notpad.exe

Executes dropped EXE 3 IoCs

Processes:

Extreme Injector v3.exeInjector.exenotpad.exe

pid process

1012 Extreme Injector v3.exe
2844 Injector.exe
1044 notpad.exe

pid	process
1012	Extreme Injector v3.exe
2844	Injector.exe
1044	notpad.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

notpad.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\notpad.exe = "\"C:\\Windows\\notpad.exe\" .."	notpad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\notpad.exe = "\"C:\\Windows\\notpad.exe\" .."	notpad.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

25 raw.githubusercontent.com
27 raw.githubusercontent.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

launcherimortal.exe

description pid process target process

PID 3424 set thread context of 3020 3424 launcherimortal.exe RegAsm.exe
Drops file in Windows directory 2 IoCs

Processes:

Injector.exenotpad.exe

description ioc process

File created C:\Windows\notpad.exe Injector.exe
File opened for modification C:\Windows\notpad.exe notpad.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

1896 schtasks.exe

flow	ioc
25	raw.githubusercontent.com
27	raw.githubusercontent.com

description	pid	process	target process
PID 3424 set thread context of 3020	3424	launcherimortal.exe	RegAsm.exe

description	ioc	process
File created	C:\Windows\notpad.exe	Injector.exe
File opened for modification	C:\Windows\notpad.exe	notpad.exe

pid	process
1896	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Injector.exe

pid	process
2844	Injector.exe
2844	Injector.exe
2844	Injector.exe
2844	Injector.exe
2844	Injector.exe
2844	Injector.exe
2844	Injector.exe
2844	Injector.exe
2844	Injector.exe
2844	Injector.exe
2844	Injector.exe
2844	Injector.exe
2844	Injector.exe
2844	Injector.exe
2844	Injector.exe
2844	Injector.exe
2844	Injector.exe
2844	Injector.exe
2844	Injector.exe
2844	Injector.exe
2844	Injector.exe
2844	Injector.exe
2844	Injector.exe
2844	Injector.exe
2844	Injector.exe
2844	Injector.exe
2844	Injector.exe
2844	Injector.exe
2844	Injector.exe
2844	Injector.exe
2844	Injector.exe
2844	Injector.exe
2844	Injector.exe
2844	Injector.exe
2844	Injector.exe
2844	Injector.exe
2844	Injector.exe
2844	Injector.exe
2844	Injector.exe
2844	Injector.exe
2844	Injector.exe
2844	Injector.exe
2844	Injector.exe
2844	Injector.exe
2844	Injector.exe
2844	Injector.exe
2844	Injector.exe
2844	Injector.exe
2844	Injector.exe
2844	Injector.exe
2844	Injector.exe
2844	Injector.exe
2844	Injector.exe
2844	Injector.exe
2844	Injector.exe
2844	Injector.exe
2844	Injector.exe
2844	Injector.exe
2844	Injector.exe
2844	Injector.exe
2844	Injector.exe
2844	Injector.exe
2844	Injector.exe
2844	Injector.exe

Suspicious use of AdjustPrivilegeToken 55 IoCs

Processes:

launcherimortal.exeExtreme Injector v3.exeInjector.exenotpad.exe

description	pid	process
Token: SeDebugPrivilege	3424	launcherimortal.exe
Token: SeDebugPrivilege	1012	Extreme Injector v3.exe
Token: 33	1012	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	1012	Extreme Injector v3.exe
Token: SeDebugPrivilege	2844	Injector.exe
Token: SeDebugPrivilege	1012	Extreme Injector v3.exe
Token: 33	1012	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	1012	Extreme Injector v3.exe
Token: 33	1012	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	1012	Extreme Injector v3.exe
Token: 33	1012	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	1012	Extreme Injector v3.exe
Token: 33	1012	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	1012	Extreme Injector v3.exe
Token: 33	1012	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	1012	Extreme Injector v3.exe
Token: SeDebugPrivilege	1044	notpad.exe
Token: 33	1012	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	1012	Extreme Injector v3.exe
Token: 33	1012	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	1012	Extreme Injector v3.exe
Token: 33	1012	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	1012	Extreme Injector v3.exe
Token: 33	1012	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	1012	Extreme Injector v3.exe
Token: 33	1012	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	1012	Extreme Injector v3.exe
Token: 33	1012	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	1012	Extreme Injector v3.exe
Token: 33	1012	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	1012	Extreme Injector v3.exe
Token: 33	1012	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	1012	Extreme Injector v3.exe
Token: 33	1012	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	1012	Extreme Injector v3.exe
Token: 33	1012	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	1012	Extreme Injector v3.exe
Token: 33	1044	notpad.exe
Token: SeIncBasePriorityPrivilege	1044	notpad.exe
Token: 33	1012	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	1012	Extreme Injector v3.exe
Token: 33	1012	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	1012	Extreme Injector v3.exe
Token: 33	1012	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	1012	Extreme Injector v3.exe
Token: 33	1012	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	1012	Extreme Injector v3.exe
Token: 33	1012	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	1012	Extreme Injector v3.exe
Token: 33	1012	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	1012	Extreme Injector v3.exe
Token: 33	1012	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	1012	Extreme Injector v3.exe
Token: 33	1012	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	1012	Extreme Injector v3.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

launcherimortal.exeRegAsm.exeInjector.execmd.exenotpad.exe

description	pid	process	target process
PID 3424 wrote to memory of 3020	3424	launcherimortal.exe	RegAsm.exe
PID 3424 wrote to memory of 3020	3424	launcherimortal.exe	RegAsm.exe
PID 3424 wrote to memory of 3020	3424	launcherimortal.exe	RegAsm.exe
PID 3424 wrote to memory of 3020	3424	launcherimortal.exe	RegAsm.exe
PID 3424 wrote to memory of 3020	3424	launcherimortal.exe	RegAsm.exe
PID 3424 wrote to memory of 3020	3424	launcherimortal.exe	RegAsm.exe
PID 3424 wrote to memory of 3020	3424	launcherimortal.exe	RegAsm.exe
PID 3424 wrote to memory of 3020	3424	launcherimortal.exe	RegAsm.exe
PID 3424 wrote to memory of 3020	3424	launcherimortal.exe	RegAsm.exe
PID 3020 wrote to memory of 1012	3020	RegAsm.exe	Extreme Injector v3.exe
PID 3020 wrote to memory of 1012	3020	RegAsm.exe	Extreme Injector v3.exe
PID 3020 wrote to memory of 2844	3020	RegAsm.exe	Injector.exe
PID 3020 wrote to memory of 2844	3020	RegAsm.exe	Injector.exe
PID 2844 wrote to memory of 1044	2844	Injector.exe	notpad.exe
PID 2844 wrote to memory of 1044	2844	Injector.exe	notpad.exe
PID 2844 wrote to memory of 2444	2844	Injector.exe	cmd.exe
PID 2844 wrote to memory of 2444	2844	Injector.exe	cmd.exe
PID 2444 wrote to memory of 932	2444	cmd.exe	choice.exe
PID 2444 wrote to memory of 932	2444	cmd.exe	choice.exe
PID 1044 wrote to memory of 2648	1044	notpad.exe	schtasks.exe
PID 1044 wrote to memory of 2648	1044	notpad.exe	schtasks.exe
PID 1044 wrote to memory of 1896	1044	notpad.exe	schtasks.exe
PID 1044 wrote to memory of 1896	1044	notpad.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ImmortaL\launcherimortal.exe
"C:\Users\Admin\AppData\Local\Temp\ImmortaL\launcherimortal.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3424

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3020

C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
"C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1012

C:\Users\Admin\AppData\Local\Temp\Injector.exe
"C:\Users\Admin\AppData\Local\Temp\Injector.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2844

C:\Windows\notpad.exe
"C:\Windows\notpad.exe"
4⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1044

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
5⤵
PID:2648

C:\Windows\SYSTEM32\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Windows\notpad.exe
5⤵
- Creates scheduled task(s)
PID:1896

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 5 & Del "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:2444

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 5
5⤵
PID:932

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
Filesize
1.9MB

MD5
ec801a7d4b72a288ec6c207bb9ff0131

SHA1
32eec2ae1f9e201516fa7fcdc16c4928f7997561

SHA256
b65f40618f584303ca0bcf9b5f88c233cc4237699c0c4bf40ba8facbe8195a46

SHA512
a07dd5e8241de73ce65ff8d74acef4942b85fc45cf6a7baafd3c0f9d330b08e7412f2023ba667e99b40e732a65e8fb4389f7fe73c7b6256ca71e63afe46cdcac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Injector.exe
Filesize
39KB

MD5
1b13846a18ee3b8eb937fa095fe4174a

SHA1
aa86176dfcacc0b94cefcbd26cf4b57a87e14b75

SHA256
624183b622c0db8464b9fca9fc0fe5f0ccd0f19a2089accaec403cee23268882

SHA512
a488f3257840b6fafc354ae6f7718497f69ad19bd8b6dfb8fe4119527737b5dc40242a0ea1f1f12af662bf02f676ba7e8a66eacc96c713dae8d6bec90e0fcb21

Download Submit
memory/1012-33-0x0000000000660000-0x0000000000846000-memory.dmp

Filesize
1.9MB

Download
memory/1012-66-0x000000001B580000-0x000000001B590000-memory.dmp

Filesize
64KB

Download
memory/1012-65-0x000000001B580000-0x000000001B590000-memory.dmp

Filesize
64KB

Download
memory/1012-64-0x00007FFC52FA0000-0x00007FFC53A61000-memory.dmp

Filesize
10.8MB

Download
memory/1012-41-0x000000001B580000-0x000000001B590000-memory.dmp

Filesize
64KB

Download
memory/1012-42-0x000000001DB50000-0x000000001DB62000-memory.dmp

Filesize
72KB

Download
memory/1012-43-0x000000001C1F0000-0x000000001C22C000-memory.dmp

Filesize
240KB

Download
memory/1012-45-0x000000001B580000-0x000000001B590000-memory.dmp

Filesize
64KB

Download
memory/1012-34-0x00007FFC52FA0000-0x00007FFC53A61000-memory.dmp

Filesize
10.8MB

Download
memory/1044-63-0x000000001BCA0000-0x000000001BCA8000-memory.dmp

Filesize
32KB

Download
memory/1044-55-0x00007FFC50F30000-0x00007FFC518D1000-memory.dmp

Filesize
9.6MB

Download
memory/1044-56-0x0000000000BA0000-0x0000000000BB0000-memory.dmp

Filesize
64KB

Download
memory/1044-58-0x00007FFC50F30000-0x00007FFC518D1000-memory.dmp

Filesize
9.6MB

Download
memory/1044-62-0x000000001C340000-0x000000001C3DC000-memory.dmp

Filesize
624KB

Download
memory/2844-37-0x000000001B880000-0x000000001B896000-memory.dmp

Filesize
88KB

Download
memory/2844-39-0x00007FFC50F30000-0x00007FFC518D1000-memory.dmp

Filesize
9.6MB

Download
memory/2844-40-0x00007FFC50F30000-0x00007FFC518D1000-memory.dmp

Filesize
9.6MB

Download
memory/2844-57-0x00007FFC50F30000-0x00007FFC518D1000-memory.dmp

Filesize
9.6MB

Download
memory/2844-38-0x000000001C320000-0x000000001C3C6000-memory.dmp

Filesize
664KB

Download
memory/2844-36-0x000000001BE50000-0x000000001C31E000-memory.dmp

Filesize
4.8MB

Download
memory/2844-35-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/3020-11-0x0000000000400000-0x00000000005A8000-memory.dmp

Filesize
1.7MB

Download
memory/3020-9-0x0000000000400000-0x00000000005A8000-memory.dmp

Filesize
1.7MB

Download
memory/3020-5-0x0000000000400000-0x00000000005A8000-memory.dmp

Filesize
1.7MB

Download
memory/3424-8-0x00000000747B0000-0x0000000074F60000-memory.dmp

Filesize
7.7MB

Download
memory/3424-0-0x00000000747B0000-0x0000000074F60000-memory.dmp

Filesize
7.7MB

Download
memory/3424-4-0x0000000007340000-0x0000000007348000-memory.dmp

Filesize
32KB

Download
memory/3424-3-0x0000000003070000-0x0000000003080000-memory.dmp

Filesize
64KB

Download
memory/3424-2-0x00000000055B0000-0x00000000055C0000-memory.dmp

Filesize
64KB

Download
memory/3424-1-0x00000000003B0000-0x0000000000BAE000-memory.dmp

Filesize
8.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads