njrat | 7559e6ca8b77400f88bf4e67208a1c32570a670068eccae9e3d226cc5471bd47

Resubmissions

20-09-2024 07:43

240920-jkdj5avhqa 10

16-09-2024 13:49

240916-q4rz7a1apg 10

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16-09-2024 13:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bazaar.2020.02/HEUR-Backdoor.MSIL.Agent.exe
Size

23KB
MD5

f2e6febd5ac77954b3c8f460d5fa2598
SHA1

7d7cffc86d330242f7f966d24dfd0605e2d21a23
SHA256

0eb3ab9e4c6bc5903674d8f9b36a1a59825fa4e1c2d7209be4d7a0c16dc6168f
SHA512

68c92f47c337904aa58b3c64a0d3513e005e48bb0b9b0cd90b30cb2c31be6b54e1ba3a961af7f3370cc6fbb38ea66bde91d509988023f5d0912420fa6800b135
SSDEEP

384:xMsmCsg/EJHOzt+Z7SS1BEd1ng6Jgf24tfZVmRvR6JZlbw8hqIusZzZF/:trEi01jyRpcnuS

Score

10^/10

njrat hacked discovery trojan

Malware Config

Extracted

Family

njrat

Version

Hallaj PRO Rat [Fixed]

Botnet

HacKed

127.0.0.1:5552

Mutex

984559f52d4087243e95e5ad9bb48e8d

Attributes

reg_key
984559f52d4087243e95e5ad9bb48e8d
splitter
boolLove

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Drops startup file 2 IoCs

Processes:

server.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\984559f52d4087243e95e5ad9bb48e8d.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\984559f52d4087243e95e5ad9bb48e8d.exe	server.exe

Executes dropped EXE 1 IoCs

Processes:

server.exe

pid process

2860 server.exe
Loads dropped DLL 1 IoCs

Processes:

HEUR-Backdoor.MSIL.Agent.exe

pid process

2680 HEUR-Backdoor.MSIL.Agent.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2860	server.exe

pid	process
2680	HEUR-Backdoor.MSIL.Agent.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

HEUR-Backdoor.MSIL.Agent.exeserver.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Backdoor.MSIL.Agent.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

server.exe

description	pid	process
Token: SeDebugPrivilege	2860	server.exe
Token: 33	2860	server.exe
Token: SeIncBasePriorityPrivilege	2860	server.exe
Token: 33	2860	server.exe
Token: SeIncBasePriorityPrivilege	2860	server.exe
Token: 33	2860	server.exe
Token: SeIncBasePriorityPrivilege	2860	server.exe
Token: 33	2860	server.exe
Token: SeIncBasePriorityPrivilege	2860	server.exe
Token: 33	2860	server.exe
Token: SeIncBasePriorityPrivilege	2860	server.exe
Token: 33	2860	server.exe
Token: SeIncBasePriorityPrivilege	2860	server.exe
Token: 33	2860	server.exe
Token: SeIncBasePriorityPrivilege	2860	server.exe
Token: 33	2860	server.exe
Token: SeIncBasePriorityPrivilege	2860	server.exe
Token: 33	2860	server.exe
Token: SeIncBasePriorityPrivilege	2860	server.exe
Token: 33	2860	server.exe
Token: SeIncBasePriorityPrivilege	2860	server.exe
Token: 33	2860	server.exe
Token: SeIncBasePriorityPrivilege	2860	server.exe
Token: 33	2860	server.exe
Token: SeIncBasePriorityPrivilege	2860	server.exe
Token: 33	2860	server.exe
Token: SeIncBasePriorityPrivilege	2860	server.exe
Token: 33	2860	server.exe
Token: SeIncBasePriorityPrivilege	2860	server.exe
Token: 33	2860	server.exe
Token: SeIncBasePriorityPrivilege	2860	server.exe
Token: 33	2860	server.exe
Token: SeIncBasePriorityPrivilege	2860	server.exe
Token: 33	2860	server.exe
Token: SeIncBasePriorityPrivilege	2860	server.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

HEUR-Backdoor.MSIL.Agent.exe

description	pid	process	target process
PID 2680 wrote to memory of 2860	2680	HEUR-Backdoor.MSIL.Agent.exe	server.exe
PID 2680 wrote to memory of 2860	2680	HEUR-Backdoor.MSIL.Agent.exe	server.exe
PID 2680 wrote to memory of 2860	2680	HEUR-Backdoor.MSIL.Agent.exe	server.exe
PID 2680 wrote to memory of 2860	2680	HEUR-Backdoor.MSIL.Agent.exe	server.exe

C:\Users\Admin\AppData\Local\Temp\bazaar.2020.02\HEUR-Backdoor.MSIL.Agent.exe
"C:\Users\Admin\AppData\Local\Temp\bazaar.2020.02\HEUR-Backdoor.MSIL.Agent.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2680
- C:\Users\Admin\AppData\Local\Temp\server.exe
  "C:\Users\Admin\AppData\Local\Temp\server.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\server.exe

Filesize
23KB

MD5
f2e6febd5ac77954b3c8f460d5fa2598

SHA1
7d7cffc86d330242f7f966d24dfd0605e2d21a23

SHA256
0eb3ab9e4c6bc5903674d8f9b36a1a59825fa4e1c2d7209be4d7a0c16dc6168f

SHA512
68c92f47c337904aa58b3c64a0d3513e005e48bb0b9b0cd90b30cb2c31be6b54e1ba3a961af7f3370cc6fbb38ea66bde91d509988023f5d0912420fa6800b135

Download Submit
memory/2680-0-0x00000000742B1000-0x00000000742B2000-memory.dmp

Filesize
4KB

Download
memory/2680-1-0x00000000742B0000-0x000000007485B000-memory.dmp

Filesize
5.7MB

Download
memory/2680-2-0x00000000742B0000-0x000000007485B000-memory.dmp

Filesize
5.7MB

Download
memory/2680-11-0x00000000742B0000-0x000000007485B000-memory.dmp

Filesize
5.7MB

Download
memory/2860-12-0x00000000742B0000-0x000000007485B000-memory.dmp

Filesize
5.7MB

Download
memory/2860-10-0x00000000742B0000-0x000000007485B000-memory.dmp

Filesize
5.7MB

Download
memory/2860-14-0x00000000742B0000-0x000000007485B000-memory.dmp

Filesize
5.7MB

Download