njrat | 161ac2f439eae6165af8090e8b6a1ca2180e16038af766a9337eb668cf134cab

General

Target

RatClient.exe
Size

39KB
MD5

535183e6c2778357f5380a900e22a48e
SHA1

9a93b202f921fb8e8b477bf812befc5d74e2eab2
SHA256

161ac2f439eae6165af8090e8b6a1ca2180e16038af766a9337eb668cf134cab
SHA512

1b4aa4c83d89b112cbd813bc94bd1fa2bb99e76437d6b31f64fe5026d4a9ecc44125dcb6fecd417daa5a71869f774edafae81b96c65a93e538d11d04234ebb71
SSDEEP

768:wvhux8CPRPWROIfQpxybMGUOkKL2fA86TUg5WVTYdai6JuC:0O8CPNrI64opXZiUgo6EZb

Score

10^/10

njrat долбаеб persistence trojan

Malware Config

Extracted

Family

njrat

Version

Platinum

Botnet

долбаеб

C2

127.0.0.1:6636

Mutex

Client.exe

Attributes

reg_key
Client.exe
splitter
|Ghost|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	RatClient.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe	Client.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe	Client.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.url	Client.exe

Executes dropped EXE 4 IoCs

pid	Process
2664	Client.exe
4912	Client.exe
220	Client.exe
1952	Client.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client.exe = "\"C:\\Users\\Admin\\Client.exe\" .."	Client.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client.exe = "\"C:\\Users\\Admin\\Client.exe\" .."	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3840	schtasks.exe
1292	schtasks.exe
2672	schtasks.exe
3936	schtasks.exe
2592	schtasks.exe
4000	schtasks.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: SeDebugPrivilege	2664	Client.exe
Token: 33	2664	Client.exe
Token: SeIncBasePriorityPrivilege	2664	Client.exe
Token: 33	2664	Client.exe
Token: SeIncBasePriorityPrivilege	2664	Client.exe
Token: 33	2664	Client.exe
Token: SeIncBasePriorityPrivilege	2664	Client.exe
Token: 33	2664	Client.exe
Token: SeIncBasePriorityPrivilege	2664	Client.exe
Token: 33	2664	Client.exe
Token: SeIncBasePriorityPrivilege	2664	Client.exe
Token: 33	2664	Client.exe
Token: SeIncBasePriorityPrivilege	2664	Client.exe
Token: 33	2664	Client.exe
Token: SeIncBasePriorityPrivilege	2664	Client.exe
Token: 33	2664	Client.exe
Token: SeIncBasePriorityPrivilege	2664	Client.exe
Token: 33	2664	Client.exe
Token: SeIncBasePriorityPrivilege	2664	Client.exe
Token: 33	2664	Client.exe
Token: SeIncBasePriorityPrivilege	2664	Client.exe
Token: 33	2664	Client.exe
Token: SeIncBasePriorityPrivilege	2664	Client.exe
Token: 33	2664	Client.exe
Token: SeIncBasePriorityPrivilege	2664	Client.exe
Token: 33	2664	Client.exe
Token: SeIncBasePriorityPrivilege	2664	Client.exe
Token: 33	2664	Client.exe
Token: SeIncBasePriorityPrivilege	2664	Client.exe
Token: 33	2664	Client.exe
Token: SeIncBasePriorityPrivilege	2664	Client.exe
Token: 33	2664	Client.exe
Token: SeIncBasePriorityPrivilege	2664	Client.exe
Token: 33	2664	Client.exe
Token: SeIncBasePriorityPrivilege	2664	Client.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 2664	2244	RatClient.exe	92
PID 2244 wrote to memory of 2664	2244	RatClient.exe	92
PID 2664 wrote to memory of 1632	2664	Client.exe	95
PID 2664 wrote to memory of 1632	2664	Client.exe	95
PID 2664 wrote to memory of 3840	2664	Client.exe	97
PID 2664 wrote to memory of 3840	2664	Client.exe	97
PID 2664 wrote to memory of 2072	2664	Client.exe	102
PID 2664 wrote to memory of 2072	2664	Client.exe	102
PID 2664 wrote to memory of 1292	2664	Client.exe	104
PID 2664 wrote to memory of 1292	2664	Client.exe	104
PID 2664 wrote to memory of 4288	2664	Client.exe	107
PID 2664 wrote to memory of 4288	2664	Client.exe	107
PID 2664 wrote to memory of 2672	2664	Client.exe	109
PID 2664 wrote to memory of 2672	2664	Client.exe	109
PID 2664 wrote to memory of 3952	2664	Client.exe	112
PID 2664 wrote to memory of 3952	2664	Client.exe	112
PID 2664 wrote to memory of 3936	2664	Client.exe	114
PID 2664 wrote to memory of 3936	2664	Client.exe	114
PID 2664 wrote to memory of 3368	2664	Client.exe	116
PID 2664 wrote to memory of 3368	2664	Client.exe	116
PID 2664 wrote to memory of 2592	2664	Client.exe	118
PID 2664 wrote to memory of 2592	2664	Client.exe	118
PID 2664 wrote to memory of 4736	2664	Client.exe	120
PID 2664 wrote to memory of 4736	2664	Client.exe	120
PID 2664 wrote to memory of 4000	2664	Client.exe	122
PID 2664 wrote to memory of 4000	2664	Client.exe	122

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\RatClient.exe
"C:\Users\Admin\AppData\Local\Temp\RatClient.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Users\Admin\Client.exe
  "C:\Users\Admin\Client.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2664
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    PID:1632
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\Client.exe
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3840
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    PID:2072
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\Client.exe
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1292
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    PID:4288
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\Client.exe
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2672
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    PID:3952
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\Client.exe
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3936
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    PID:3368
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\Client.exe
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2592
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    PID:4736
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\Client.exe
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4000

C:\Users\Admin\Client.exe
C:\Users\Admin\Client.exe
1⤵
- Executes dropped EXE
PID:4912

C:\Users\Admin\Client.exe
C:\Users\Admin\Client.exe
1⤵
- Executes dropped EXE
PID:220

C:\Users\Admin\Client.exe
C:\Users\Admin\Client.exe
1⤵
- Executes dropped EXE
PID:1952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

Filesize
1KB

MD5
a8a147915e3a996fdbe10b3a3f1e1bb2

SHA1
abc564c1be468d57e700913e7b6cf8f62d421263

SHA256
8b96a8557deea66696837af011843d6a82451ba57c8f9b5a2726a70818d6fc7e

SHA512
17b42f17ef60a9f625703172763f692e5ed2ca93564a97853dfa72bb0ac6305ef3267aea0b205938e3aa8eac10156d9d4f322b30d0329d92d647bcec6372731c

Download Submit
C:\Users\Admin\Client.exe

Filesize
39KB

MD5
535183e6c2778357f5380a900e22a48e

SHA1
9a93b202f921fb8e8b477bf812befc5d74e2eab2

SHA256
161ac2f439eae6165af8090e8b6a1ca2180e16038af766a9337eb668cf134cab

SHA512
1b4aa4c83d89b112cbd813bc94bd1fa2bb99e76437d6b31f64fe5026d4a9ecc44125dcb6fecd417daa5a71869f774edafae81b96c65a93e538d11d04234ebb71

Download Submit
memory/2244-0-0x00007FFFF8D43000-0x00007FFFF8D45000-memory.dmp

Filesize
8KB

Download
memory/2244-1-0x0000000000F90000-0x0000000000F98000-memory.dmp

Filesize
32KB

Download
memory/2244-2-0x0000000002FE0000-0x0000000002FF6000-memory.dmp

Filesize
88KB

Download
memory/2664-21-0x00007FFFF8D40000-0x00007FFFF9801000-memory.dmp

Filesize
10.8MB

Download
memory/2664-25-0x00007FFFF8D40000-0x00007FFFF9801000-memory.dmp

Filesize
10.8MB

Download
memory/2664-26-0x00007FFFF8D40000-0x00007FFFF9801000-memory.dmp

Filesize
10.8MB

Download
memory/2664-27-0x00007FFFF8D40000-0x00007FFFF9801000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads