njrat | 253dc3c343cc4d87556dfd992f69f345d0ad0fe932dce42a4231f0533c75a0a4

General

Target

253dc3c343cc4d87556dfd992f69f345d0ad0fe932dce42a4231f0533c75a0a4.exe
Size

9.0MB
MD5

8e575057308494a02213dd094240048f
SHA1

e14cb5b49926f48417fd3b3ce55282c20f0e2f41
SHA256

253dc3c343cc4d87556dfd992f69f345d0ad0fe932dce42a4231f0533c75a0a4
SHA512

e50a74e824d4e1050893b4d19f63ce4298a0679d982d42b3a49e74fb6fa1664f29e26e24738263aca364a3bffa9659caa98149147a3bb1d2ca37f42a531db3ea
SSDEEP

196608:Y0jlDwGcsAgejtcGfcY3gtAXSdyowjcOSP9FtCNb:1k3meBcGfdrSNm47CNb

Score

10^/10

njrat hacked evasion persistence pyinstaller trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

icpanel.hackcrack.io:40544

Mutex

Windows Explorer

Attributes

reg_key
Windows Explorer
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

2368 netsh.exe
Executes dropped EXE 7 IoCs

Processes:

Setup.exeSetup.execheck .exesvchost.execheck .exeexplorer.exeexplorer.exe

pid process

3004 Setup.exe
2640 Setup.exe
2564 check .exe
2488 svchost.exe
112 check .exe
3052 explorer.exe
3048 explorer.exe
Loads dropped DLL 4 IoCs

Processes:

253dc3c343cc4d87556dfd992f69f345d0ad0fe932dce42a4231f0533c75a0a4.execheck .execheck .exe

pid process

1340 253dc3c343cc4d87556dfd992f69f345d0ad0fe932dce42a4231f0533c75a0a4.exe
2644
2564 check .exe
112 check .exe

pid	process
2368	netsh.exe

pid	process
3004	Setup.exe
2640	Setup.exe
2564	check .exe
2488	svchost.exe
112	check .exe
3052	explorer.exe
3048	explorer.exe

pid	process
1340	253dc3c343cc4d87556dfd992f69f345d0ad0fe932dce42a4231f0533c75a0a4.exe
2644
2564	check .exe
112	check .exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Setup.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Corporation Security = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\svchost.exe"	Setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Explorer = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe\" ."	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Explorer = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe\" ."	explorer.exe

Detects Pyinstaller 1 IoCs

pyinstaller

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\check .exe	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

explorer.exe

description	pid	process
Token: SeDebugPrivilege	3048	explorer.exe
Token: 33	3048	explorer.exe
Token: SeIncBasePriorityPrivilege	3048	explorer.exe
Token: 33	3048	explorer.exe
Token: SeIncBasePriorityPrivilege	3048	explorer.exe
Token: 33	3048	explorer.exe
Token: SeIncBasePriorityPrivilege	3048	explorer.exe
Token: 33	3048	explorer.exe
Token: SeIncBasePriorityPrivilege	3048	explorer.exe
Token: 33	3048	explorer.exe
Token: SeIncBasePriorityPrivilege	3048	explorer.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

253dc3c343cc4d87556dfd992f69f345d0ad0fe932dce42a4231f0533c75a0a4.exeSetup.execheck .exesvchost.exeexplorer.exeexplorer.exe

description	pid	process	target process
PID 1340 wrote to memory of 3004	1340	253dc3c343cc4d87556dfd992f69f345d0ad0fe932dce42a4231f0533c75a0a4.exe	Setup.exe
PID 1340 wrote to memory of 3004	1340	253dc3c343cc4d87556dfd992f69f345d0ad0fe932dce42a4231f0533c75a0a4.exe	Setup.exe
PID 1340 wrote to memory of 3004	1340	253dc3c343cc4d87556dfd992f69f345d0ad0fe932dce42a4231f0533c75a0a4.exe	Setup.exe
PID 1340 wrote to memory of 2640	1340	253dc3c343cc4d87556dfd992f69f345d0ad0fe932dce42a4231f0533c75a0a4.exe	Setup.exe
PID 1340 wrote to memory of 2640	1340	253dc3c343cc4d87556dfd992f69f345d0ad0fe932dce42a4231f0533c75a0a4.exe	Setup.exe
PID 1340 wrote to memory of 2640	1340	253dc3c343cc4d87556dfd992f69f345d0ad0fe932dce42a4231f0533c75a0a4.exe	Setup.exe
PID 1340 wrote to memory of 2564	1340	253dc3c343cc4d87556dfd992f69f345d0ad0fe932dce42a4231f0533c75a0a4.exe	check .exe
PID 1340 wrote to memory of 2564	1340	253dc3c343cc4d87556dfd992f69f345d0ad0fe932dce42a4231f0533c75a0a4.exe	check .exe
PID 1340 wrote to memory of 2564	1340	253dc3c343cc4d87556dfd992f69f345d0ad0fe932dce42a4231f0533c75a0a4.exe	check .exe
PID 2640 wrote to memory of 2488	2640	Setup.exe	svchost.exe
PID 2640 wrote to memory of 2488	2640	Setup.exe	svchost.exe
PID 2640 wrote to memory of 2488	2640	Setup.exe	svchost.exe
PID 2564 wrote to memory of 112	2564	check .exe	check .exe
PID 2564 wrote to memory of 112	2564	check .exe	check .exe
PID 2564 wrote to memory of 112	2564	check .exe	check .exe
PID 2488 wrote to memory of 3052	2488	svchost.exe	explorer.exe
PID 2488 wrote to memory of 3052	2488	svchost.exe	explorer.exe
PID 2488 wrote to memory of 3052	2488	svchost.exe	explorer.exe
PID 3052 wrote to memory of 3048	3052	explorer.exe	explorer.exe
PID 3052 wrote to memory of 3048	3052	explorer.exe	explorer.exe
PID 3052 wrote to memory of 3048	3052	explorer.exe	explorer.exe
PID 3048 wrote to memory of 2368	3048	explorer.exe	netsh.exe
PID 3048 wrote to memory of 2368	3048	explorer.exe	netsh.exe
PID 3048 wrote to memory of 2368	3048	explorer.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\253dc3c343cc4d87556dfd992f69f345d0ad0fe932dce42a4231f0533c75a0a4.exe
"C:\Users\Admin\AppData\Local\Temp\253dc3c343cc4d87556dfd992f69f345d0ad0fe932dce42a4231f0533c75a0a4.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1340
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Executes dropped EXE
  PID:3004
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2640
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2488
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3052
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3048
      - C:\Windows\system32\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe" "explorer.exe" ENABLE
        6⤵
        Modifies Windows Firewall
        
        PID:2368
- C:\Users\Admin\AppData\Local\Temp\check .exe
  "C:\Users\Admin\AppData\Local\Temp\check .exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2564
- - C:\Users\Admin\AppData\Local\Temp\check .exe
    "C:\Users\Admin\AppData\Local\Temp\check .exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Setup.exe

Filesize
375KB

MD5
8e4f8329f0837d6a3801dd96973a05fe

SHA1
7309226e370a33000c08653504f2ac5786944b2b

SHA256
0d8f6fc81065fc6f20ea5b9de9a85fbfffe2deb1f2055f1b304b5b0f3e99407d

SHA512
9df93293a5fec2a2fca0838f43b24af8347f229884fab4338f7804ef0050b0aba02235ae2368ffef7dd42640420b42f69eaf974f5107bdab0bf0a8c9b39671cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25642\python311.dll

Filesize
5.5MB

MD5
58e01abc9c9b5c885635180ed104fe95

SHA1
1c2f7216b125539d63bd111a7aba615c69deb8ba

SHA256
de1b95d2e951fc048c84684bc7df4346138910544ee335b61fc8e65f360c3837

SHA512
cd32c77191309d99aeed47699501b357b35669123f0dd70ed97c3791a009d1855ab27162db24a4bd9e719b68ee3b0539ee6db88e71abb9a2d4d629f87bc2c081

Download Submit
C:\Users\Admin\AppData\Local\Temp\check .exe

Filesize
8.6MB

MD5
d74eb99109dc495ab735264ba68edb06

SHA1
a7b5b1471c2e8f46d3e3d5340435d8a148fd285d

SHA256
26789e493fb9cc881d40e0eed7609fd390eb76196c91c4fc7be9ac7cbb11b41a

SHA512
b715d226c70edfa5b413e7989a0f56ee4c5765b16f273f04bdfd6afb11fd1ba02638aa08d5f47e340eabab0397a3f300618cbcb2d49a921734b3bcfd09e0f643

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe

Filesize
163KB

MD5
c833287873afe73c333638e4d187c666

SHA1
4aa5686878ed71c4d27996449854e63107165b98

SHA256
a9a387bafca70c8bce39473ee63df9fb439d15ba83b6b26e84f91fc920c1f39f

SHA512
a949d0d6143405f3bb98589e67856a5971a8b23d35536b13ad3aae4b51c53de256315d8deaf609f49e8fe9ccf39e59e95b0cecef2619d5d08f3059a9254ae006

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe

Filesize
252KB

MD5
e5d01a5a8cc5c5ca9a5329459814c91a

SHA1
00ec50ab1cdab87816ec0f3e77fa8ad00ea9c067

SHA256
612bbbf476228032ebab743100c98dae7f01a1dc854298cd8ece588351acb3c6

SHA512
2d0d0d964e9100b0586043b16f91532e0f81347ef3697dee7ab0cd90469e6c118ac58e630d9a7fe0a84f5c275440813aeede0e0c44cacf316f59cb760081ab07

Download Submit
memory/1340-56-0x000007FEF57D0000-0x000007FEF616D000-memory.dmp

Filesize
9.6MB

Download
memory/1340-0-0x000007FEF5A8E000-0x000007FEF5A8F000-memory.dmp

Filesize
4KB

Download
memory/1340-2-0x000007FEF57D0000-0x000007FEF616D000-memory.dmp

Filesize
9.6MB

Download
memory/1340-1-0x000007FEF57D0000-0x000007FEF616D000-memory.dmp

Filesize
9.6MB

Download
memory/3004-19-0x000007FEF57D0000-0x000007FEF616D000-memory.dmp

Filesize
9.6MB

Download
memory/3004-33-0x000007FEF57D0000-0x000007FEF616D000-memory.dmp

Filesize
9.6MB

Download
memory/3004-13-0x000007FEF57D0000-0x000007FEF616D000-memory.dmp

Filesize
9.6MB

Download
memory/3004-46-0x000007FEF57D0000-0x000007FEF616D000-memory.dmp

Filesize
9.6MB

Download
memory/3052-90-0x0000000000580000-0x000000000058C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads