Overview

overview

10

Static

static

10

Server.exe

windows7-x64

10

Server.exe

windows10-1703-x64

10

Server.exe

windows10-2004-x64

10

Server.exe

windows11-21h2-x64

10

Resubmissions

22-05-2024 18:16

240522-wweyjsbe8v 10

22-05-2024 18:15

240522-wwchesbe7y 10

22-05-2024 18:11

240522-wslxpabd6s 10

22-05-2024 18:10

240522-wsfqnsbe44 10

22-05-2024 18:10

240522-wsdajsbe39 10

22-05-2024 18:10

240522-wr9mcsbd5w 10

22-05-2024 18:10

240522-wr668sbe32 10

22-05-2024 18:10

240522-wr35ksbe27 10

22-05-2024 18:08

240522-wq26wsbd64 10

22-05-2024 18:08

240522-wqx7yabd57 10

Analysis

  • max time kernel
    149s
  • max time network
    142s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    22-05-2024 18:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Server.exe

  • Size

    43KB

  • MD5

    49ad4c0475749e6dd6001f5a038ab6a8

  • SHA1

    4e31ba96d944bb61c65e459153f5762ebde54338

  • SHA256

    a024d7bd35a2ecef3773792aa82d46522e6ee0d170e8b5a84acae765ddc058b2

  • SHA512

    4304e871c505b2a0bf6a12292ac50e7c6665c6b73138f6501f3c091a5bc2d41c6237c6a019a03530d451bb7b35241c89ac71478c283af2ee57e488fb55bca087

  • SSDEEP

    384:tbZyjJ61STss7yKS9po7QAMExZZS23zsIij+ZsNO3PlpJKkkjh/TzF7pWnXmgreT:/0Qk4smKS3OR9Z0OuXQ/o6C+L

Score
10/10
njrathackedspywarestealertrojan

Malware Config

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

HacKed

C2

19.ip.gl.ply.gg:60143

Mutex

Windows Update

Attributes
  • reg_key

    Windows Update

  • splitter

    |Hassan|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Uses the VBS compiler for execution 1 TTPs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 37 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Server.exe
    "C:\Users\Admin\AppData\Local\Temp\Server.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2176
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" -f "C:\Users\Admin\AppData\Local\Temp\4042871"
      2⤵
        PID:2816

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/2176-0-0x00000000743FE000-0x00000000743FF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2176-1-0x0000000001140000-0x0000000001152000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2176-2-0x00000000743F0000-0x0000000074ADE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2176-3-0x00000000743F0000-0x0000000074ADE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2176-4-0x00000000743FE000-0x00000000743FF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2176-5-0x00000000743F0000-0x0000000074ADE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2176-6-0x00000000743F0000-0x0000000074ADE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2176-7-0x0000000000770000-0x00000000007B6000-memory.dmp

      Filesize

      280KB

      Download