njrat | 682061b30d5c929bd31e5d23a1a736ead65f124d16732f4e3de2ea973daf0f66

General

Target

6339af085c42edefc5bff55a84c66e8945a567eb193cc29b497aeb0233d53e0f.exe
Size

37KB
MD5

a78337c1b891d73341d4012dc77fbea1
SHA1

e80f17b9e3650d9461234efe9cbca0cd96b0b0fb
SHA256

6339af085c42edefc5bff55a84c66e8945a567eb193cc29b497aeb0233d53e0f
SHA512

7c21e0680442c2c170cd494e32709c367e47a955ac2e61dd1f223e31ef5d400cb11eb2d5420943cc343c05df0b1b654575d2e7364f1706e42c664af4f4d0df73
SSDEEP

384:q2aIiudjtD+P3V+y0b3+LCtf1QseiXFrAF+rMRTyN/0L+EcoinblneHQM3epzXKL:TFmV10b3+LCtCViVrM+rMRa8NuzWt

Score

10^/10

njrat max evasion trojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

MAX

C2

0.tcp.eu.ngrok.io:13241

Mutex

0557bafb14c73fcc927e4c1c97522cd6

Attributes

reg_key
0557bafb14c73fcc927e4c1c97522cd6
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

1600 netsh.exe

pid	process
1600	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6339af085c42edefc5bff55a84c66e8945a567eb193cc29b497aeb0233d53e0f.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation	6339af085c42edefc5bff55a84c66e8945a567eb193cc29b497aeb0233d53e0f.exe

Executes dropped EXE 1 IoCs

Processes:

svhost.exe

pid process

4624 svhost.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service
T1102

Processes:

flow ioc

38 0.tcp.eu.ngrok.io
88 0.tcp.eu.ngrok.io
128 0.tcp.eu.ngrok.io
133 0.tcp.eu.ngrok.io
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4624	svhost.exe

flow	ioc
38	0.tcp.eu.ngrok.io
88	0.tcp.eu.ngrok.io
128	0.tcp.eu.ngrok.io
133	0.tcp.eu.ngrok.io

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

svhost.exe

description	pid	process
Token: SeDebugPrivilege	4624	svhost.exe
Token: 33	4624	svhost.exe
Token: SeIncBasePriorityPrivilege	4624	svhost.exe
Token: 33	4624	svhost.exe
Token: SeIncBasePriorityPrivilege	4624	svhost.exe
Token: 33	4624	svhost.exe
Token: SeIncBasePriorityPrivilege	4624	svhost.exe
Token: 33	4624	svhost.exe
Token: SeIncBasePriorityPrivilege	4624	svhost.exe
Token: 33	4624	svhost.exe
Token: SeIncBasePriorityPrivilege	4624	svhost.exe
Token: 33	4624	svhost.exe
Token: SeIncBasePriorityPrivilege	4624	svhost.exe
Token: 33	4624	svhost.exe
Token: SeIncBasePriorityPrivilege	4624	svhost.exe
Token: 33	4624	svhost.exe
Token: SeIncBasePriorityPrivilege	4624	svhost.exe
Token: 33	4624	svhost.exe
Token: SeIncBasePriorityPrivilege	4624	svhost.exe
Token: 33	4624	svhost.exe
Token: SeIncBasePriorityPrivilege	4624	svhost.exe
Token: 33	4624	svhost.exe
Token: SeIncBasePriorityPrivilege	4624	svhost.exe
Token: 33	4624	svhost.exe
Token: SeIncBasePriorityPrivilege	4624	svhost.exe
Token: 33	4624	svhost.exe
Token: SeIncBasePriorityPrivilege	4624	svhost.exe
Token: 33	4624	svhost.exe
Token: SeIncBasePriorityPrivilege	4624	svhost.exe
Token: 33	4624	svhost.exe
Token: SeIncBasePriorityPrivilege	4624	svhost.exe
Token: 33	4624	svhost.exe
Token: SeIncBasePriorityPrivilege	4624	svhost.exe
Token: 33	4624	svhost.exe
Token: SeIncBasePriorityPrivilege	4624	svhost.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

6339af085c42edefc5bff55a84c66e8945a567eb193cc29b497aeb0233d53e0f.exesvhost.exe

description	pid	process	target process
PID 528 wrote to memory of 4624	528	6339af085c42edefc5bff55a84c66e8945a567eb193cc29b497aeb0233d53e0f.exe	svhost.exe
PID 528 wrote to memory of 4624	528	6339af085c42edefc5bff55a84c66e8945a567eb193cc29b497aeb0233d53e0f.exe	svhost.exe
PID 528 wrote to memory of 4624	528	6339af085c42edefc5bff55a84c66e8945a567eb193cc29b497aeb0233d53e0f.exe	svhost.exe
PID 4624 wrote to memory of 1600	4624	svhost.exe	netsh.exe
PID 4624 wrote to memory of 1600	4624	svhost.exe	netsh.exe
PID 4624 wrote to memory of 1600	4624	svhost.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\6339af085c42edefc5bff55a84c66e8945a567eb193cc29b497aeb0233d53e0f.exe
"C:\Users\Admin\AppData\Local\Temp\6339af085c42edefc5bff55a84c66e8945a567eb193cc29b497aeb0233d53e0f.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:528

C:\Users\Admin\AppData\Roaming\svhost.exe
"C:\Users\Admin\AppData\Roaming\svhost.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4624

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\svhost.exe" "svhost.exe" ENABLE
3⤵
- Modifies Windows Firewall
PID:1600

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

1

T1562.004

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\svhost.exe
Filesize
37KB

MD5
a78337c1b891d73341d4012dc77fbea1

SHA1
e80f17b9e3650d9461234efe9cbca0cd96b0b0fb

SHA256
6339af085c42edefc5bff55a84c66e8945a567eb193cc29b497aeb0233d53e0f

SHA512
7c21e0680442c2c170cd494e32709c367e47a955ac2e61dd1f223e31ef5d400cb11eb2d5420943cc343c05df0b1b654575d2e7364f1706e42c664af4f4d0df73

Download Submit
memory/528-0-0x0000000074C70000-0x0000000075221000-memory.dmp

Filesize
5.7MB

Download
memory/528-1-0x0000000000AB0000-0x0000000000AC0000-memory.dmp

Filesize
64KB

Download
memory/528-2-0x0000000074C70000-0x0000000075221000-memory.dmp

Filesize
5.7MB

Download
memory/528-12-0x0000000074C70000-0x0000000075221000-memory.dmp

Filesize
5.7MB

Download
memory/4624-14-0x00000000014D0000-0x00000000014E0000-memory.dmp

Filesize
64KB

Download
memory/4624-13-0x0000000074C70000-0x0000000075221000-memory.dmp

Filesize
5.7MB

Download
memory/4624-15-0x0000000074C70000-0x0000000075221000-memory.dmp

Filesize
5.7MB

Download
memory/4624-16-0x00000000014D0000-0x00000000014E0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads