njrat | 253dc3c343cc4d87556dfd992f69f345d0ad0fe932dce42a4231f0533c75a0a4

General

Target

253dc3c343cc4d87556dfd992f69f345d0ad0fe932dce42a4231f0533c75a0a4.exe
Size

9.0MB
MD5

8e575057308494a02213dd094240048f
SHA1

e14cb5b49926f48417fd3b3ce55282c20f0e2f41
SHA256

253dc3c343cc4d87556dfd992f69f345d0ad0fe932dce42a4231f0533c75a0a4
SHA512

e50a74e824d4e1050893b4d19f63ce4298a0679d982d42b3a49e74fb6fa1664f29e26e24738263aca364a3bffa9659caa98149147a3bb1d2ca37f42a531db3ea
SSDEEP

196608:Y0jlDwGcsAgejtcGfcY3gtAXSdyowjcOSP9FtCNb:1k3meBcGfdrSNm47CNb

Score

10^/10

njrat hacked evasion persistence pyinstaller trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

icpanel.hackcrack.io:40544

Mutex

Windows Explorer

Attributes

reg_key
Windows Explorer
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

2144 netsh.exe
Executes dropped EXE 7 IoCs

Processes:

Setup.exeSetup.execheck .exesvchost.execheck .exeexplorer.exeexplorer.exe

pid process

2600 Setup.exe
2716 Setup.exe
2828 check .exe
2724 svchost.exe
1704 check .exe
2872 explorer.exe
1440 explorer.exe
Loads dropped DLL 4 IoCs

Processes:

253dc3c343cc4d87556dfd992f69f345d0ad0fe932dce42a4231f0533c75a0a4.execheck .execheck .exe

pid process

2020 253dc3c343cc4d87556dfd992f69f345d0ad0fe932dce42a4231f0533c75a0a4.exe
3048
2828 check .exe
1704 check .exe

pid	process
2144	netsh.exe

pid	process
2600	Setup.exe
2716	Setup.exe
2828	check .exe
2724	svchost.exe
1704	check .exe
2872	explorer.exe
1440	explorer.exe

pid	process
2020	253dc3c343cc4d87556dfd992f69f345d0ad0fe932dce42a4231f0533c75a0a4.exe
3048
2828	check .exe
1704	check .exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Setup.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Corporation Security = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\svchost.exe"	Setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Explorer = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe\" ."	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Explorer = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe\" ."	explorer.exe

Detects Pyinstaller 1 IoCs

pyinstaller

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\check .exe	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 51 IoCs

Processes:

explorer.exe

description	pid	process
Token: SeDebugPrivilege	1440	explorer.exe
Token: 33	1440	explorer.exe
Token: SeIncBasePriorityPrivilege	1440	explorer.exe
Token: 33	1440	explorer.exe
Token: SeIncBasePriorityPrivilege	1440	explorer.exe
Token: 33	1440	explorer.exe
Token: SeIncBasePriorityPrivilege	1440	explorer.exe
Token: 33	1440	explorer.exe
Token: SeIncBasePriorityPrivilege	1440	explorer.exe
Token: 33	1440	explorer.exe
Token: SeIncBasePriorityPrivilege	1440	explorer.exe
Token: 33	1440	explorer.exe
Token: SeIncBasePriorityPrivilege	1440	explorer.exe
Token: 33	1440	explorer.exe
Token: SeIncBasePriorityPrivilege	1440	explorer.exe
Token: 33	1440	explorer.exe
Token: SeIncBasePriorityPrivilege	1440	explorer.exe
Token: 33	1440	explorer.exe
Token: SeIncBasePriorityPrivilege	1440	explorer.exe
Token: 33	1440	explorer.exe
Token: SeIncBasePriorityPrivilege	1440	explorer.exe
Token: 33	1440	explorer.exe
Token: SeIncBasePriorityPrivilege	1440	explorer.exe
Token: 33	1440	explorer.exe
Token: SeIncBasePriorityPrivilege	1440	explorer.exe
Token: 33	1440	explorer.exe
Token: SeIncBasePriorityPrivilege	1440	explorer.exe
Token: 33	1440	explorer.exe
Token: SeIncBasePriorityPrivilege	1440	explorer.exe
Token: 33	1440	explorer.exe
Token: SeIncBasePriorityPrivilege	1440	explorer.exe
Token: 33	1440	explorer.exe
Token: SeIncBasePriorityPrivilege	1440	explorer.exe
Token: 33	1440	explorer.exe
Token: SeIncBasePriorityPrivilege	1440	explorer.exe
Token: 33	1440	explorer.exe
Token: SeIncBasePriorityPrivilege	1440	explorer.exe
Token: 33	1440	explorer.exe
Token: SeIncBasePriorityPrivilege	1440	explorer.exe
Token: 33	1440	explorer.exe
Token: SeIncBasePriorityPrivilege	1440	explorer.exe
Token: 33	1440	explorer.exe
Token: SeIncBasePriorityPrivilege	1440	explorer.exe
Token: 33	1440	explorer.exe
Token: SeIncBasePriorityPrivilege	1440	explorer.exe
Token: 33	1440	explorer.exe
Token: SeIncBasePriorityPrivilege	1440	explorer.exe
Token: 33	1440	explorer.exe
Token: SeIncBasePriorityPrivilege	1440	explorer.exe
Token: 33	1440	explorer.exe
Token: SeIncBasePriorityPrivilege	1440	explorer.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

253dc3c343cc4d87556dfd992f69f345d0ad0fe932dce42a4231f0533c75a0a4.exeSetup.execheck .exesvchost.exeexplorer.exeexplorer.exe

description	pid	process	target process
PID 2020 wrote to memory of 2600	2020	253dc3c343cc4d87556dfd992f69f345d0ad0fe932dce42a4231f0533c75a0a4.exe	Setup.exe
PID 2020 wrote to memory of 2600	2020	253dc3c343cc4d87556dfd992f69f345d0ad0fe932dce42a4231f0533c75a0a4.exe	Setup.exe
PID 2020 wrote to memory of 2600	2020	253dc3c343cc4d87556dfd992f69f345d0ad0fe932dce42a4231f0533c75a0a4.exe	Setup.exe
PID 2020 wrote to memory of 2716	2020	253dc3c343cc4d87556dfd992f69f345d0ad0fe932dce42a4231f0533c75a0a4.exe	Setup.exe
PID 2020 wrote to memory of 2716	2020	253dc3c343cc4d87556dfd992f69f345d0ad0fe932dce42a4231f0533c75a0a4.exe	Setup.exe
PID 2020 wrote to memory of 2716	2020	253dc3c343cc4d87556dfd992f69f345d0ad0fe932dce42a4231f0533c75a0a4.exe	Setup.exe
PID 2020 wrote to memory of 2828	2020	253dc3c343cc4d87556dfd992f69f345d0ad0fe932dce42a4231f0533c75a0a4.exe	check .exe
PID 2020 wrote to memory of 2828	2020	253dc3c343cc4d87556dfd992f69f345d0ad0fe932dce42a4231f0533c75a0a4.exe	check .exe
PID 2020 wrote to memory of 2828	2020	253dc3c343cc4d87556dfd992f69f345d0ad0fe932dce42a4231f0533c75a0a4.exe	check .exe
PID 2716 wrote to memory of 2724	2716	Setup.exe	svchost.exe
PID 2716 wrote to memory of 2724	2716	Setup.exe	svchost.exe
PID 2716 wrote to memory of 2724	2716	Setup.exe	svchost.exe
PID 2828 wrote to memory of 1704	2828	check .exe	check .exe
PID 2828 wrote to memory of 1704	2828	check .exe	check .exe
PID 2828 wrote to memory of 1704	2828	check .exe	check .exe
PID 2724 wrote to memory of 2872	2724	svchost.exe	explorer.exe
PID 2724 wrote to memory of 2872	2724	svchost.exe	explorer.exe
PID 2724 wrote to memory of 2872	2724	svchost.exe	explorer.exe
PID 2872 wrote to memory of 1440	2872	explorer.exe	explorer.exe
PID 2872 wrote to memory of 1440	2872	explorer.exe	explorer.exe
PID 2872 wrote to memory of 1440	2872	explorer.exe	explorer.exe
PID 1440 wrote to memory of 2144	1440	explorer.exe	netsh.exe
PID 1440 wrote to memory of 2144	1440	explorer.exe	netsh.exe
PID 1440 wrote to memory of 2144	1440	explorer.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\253dc3c343cc4d87556dfd992f69f345d0ad0fe932dce42a4231f0533c75a0a4.exe
"C:\Users\Admin\AppData\Local\Temp\253dc3c343cc4d87556dfd992f69f345d0ad0fe932dce42a4231f0533c75a0a4.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2020

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
2⤵
- Executes dropped EXE
PID:2600

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2716

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2724

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2872

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1440

C:\Windows\system32\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe" "explorer.exe" ENABLE
6⤵
- Modifies Windows Firewall
PID:2144

C:\Users\Admin\AppData\Local\Temp\check .exe
"C:\Users\Admin\AppData\Local\Temp\check .exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2828

C:\Users\Admin\AppData\Local\Temp\check .exe
"C:\Users\Admin\AppData\Local\Temp\check .exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1704

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Setup.exe
Filesize
375KB

MD5
8e4f8329f0837d6a3801dd96973a05fe

SHA1
7309226e370a33000c08653504f2ac5786944b2b

SHA256
0d8f6fc81065fc6f20ea5b9de9a85fbfffe2deb1f2055f1b304b5b0f3e99407d

SHA512
9df93293a5fec2a2fca0838f43b24af8347f229884fab4338f7804ef0050b0aba02235ae2368ffef7dd42640420b42f69eaf974f5107bdab0bf0a8c9b39671cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28282\python311.dll
Filesize
5.5MB

MD5
58e01abc9c9b5c885635180ed104fe95

SHA1
1c2f7216b125539d63bd111a7aba615c69deb8ba

SHA256
de1b95d2e951fc048c84684bc7df4346138910544ee335b61fc8e65f360c3837

SHA512
cd32c77191309d99aeed47699501b357b35669123f0dd70ed97c3791a009d1855ab27162db24a4bd9e719b68ee3b0539ee6db88e71abb9a2d4d629f87bc2c081

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
Filesize
163KB

MD5
c833287873afe73c333638e4d187c666

SHA1
4aa5686878ed71c4d27996449854e63107165b98

SHA256
a9a387bafca70c8bce39473ee63df9fb439d15ba83b6b26e84f91fc920c1f39f

SHA512
a949d0d6143405f3bb98589e67856a5971a8b23d35536b13ad3aae4b51c53de256315d8deaf609f49e8fe9ccf39e59e95b0cecef2619d5d08f3059a9254ae006

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
Filesize
252KB

MD5
e5d01a5a8cc5c5ca9a5329459814c91a

SHA1
00ec50ab1cdab87816ec0f3e77fa8ad00ea9c067

SHA256
612bbbf476228032ebab743100c98dae7f01a1dc854298cd8ece588351acb3c6

SHA512
2d0d0d964e9100b0586043b16f91532e0f81347ef3697dee7ab0cd90469e6c118ac58e630d9a7fe0a84f5c275440813aeede0e0c44cacf316f59cb760081ab07

Download Submit
\Users\Admin\AppData\Local\Temp\check .exe
Filesize
8.6MB

MD5
d74eb99109dc495ab735264ba68edb06

SHA1
a7b5b1471c2e8f46d3e3d5340435d8a148fd285d

SHA256
26789e493fb9cc881d40e0eed7609fd390eb76196c91c4fc7be9ac7cbb11b41a

SHA512
b715d226c70edfa5b413e7989a0f56ee4c5765b16f273f04bdfd6afb11fd1ba02638aa08d5f47e340eabab0397a3f300618cbcb2d49a921734b3bcfd09e0f643

Download Submit
memory/2020-0-0x000007FEF567E000-0x000007FEF567F000-memory.dmp

Filesize
4KB

Download
memory/2020-26-0x000007FEF53C0000-0x000007FEF5D5D000-memory.dmp

Filesize
9.6MB

Download
memory/2020-4-0x000007FEF53C0000-0x000007FEF5D5D000-memory.dmp

Filesize
9.6MB

Download
memory/2020-2-0x000007FEF53C0000-0x000007FEF5D5D000-memory.dmp

Filesize
9.6MB

Download
memory/2600-16-0x000007FEF53C0000-0x000007FEF5D5D000-memory.dmp

Filesize
9.6MB

Download
memory/2600-28-0x000007FEF53C0000-0x000007FEF5D5D000-memory.dmp

Filesize
9.6MB

Download
memory/2600-14-0x000007FEF53C0000-0x000007FEF5D5D000-memory.dmp

Filesize
9.6MB

Download
memory/2872-89-0x0000000001EA0000-0x0000000001EAC000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads