Overview

overview

10

Static

static

1

URLScan

urlscan

1

https://e.pcloud.lin...

windows10-1703-x64

10

Analysis

  • max time kernel
    55s
  • max time network
    55s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    21-09-2024 15:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    https://e.pcloud.link/publink/show?code=XZjnaPZ3z836WvLHFYjz6QYckVa24NrS6GV

Score
10/10
njrathackedcredential_accessdefense_evasiondiscoverypersistencestealertrojan

Malware Config

Extracted

Family

njrat

Version

Platinum

Botnet

HacKed

C2

127.0.0.1:14474

Mutex

Client.exe

Attributes
  • reg_key

    Client.exe

  • splitter

    |Ghost|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs
  • Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

    When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

    defense_evasion
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://e.pcloud.link/publink/show?code=XZjnaPZ3z836WvLHFYjz6QYckVa24NrS6GV"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3052
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://e.pcloud.link/publink/show?code=XZjnaPZ3z836WvLHFYjz6QYckVa24NrS6GV
      2⤵
      • Subvert Trust Controls: Mark-of-the-Web Bypass
      • Checks processor information in registry
      • Modifies registry class
      • NTFS ADS
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1260
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1260.0.57498833\2057432725" -parentBuildID 20221007134813 -prefsHandle 1700 -prefMapHandle 1472 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cf9e85ce-7f8f-489e-962e-4647bb316919} 1260 "\\.\pipe\gecko-crash-server-pipe.1260" 1780 2e14e4d8e58 gpu
        3⤵
          PID:192
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1260.1.1965183073\1818082" -parentBuildID 20221007134813 -prefsHandle 2144 -prefMapHandle 2140 -prefsLen 21608 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8f665f63-0aa8-4519-ba0b-48d5918e192d} 1260 "\\.\pipe\gecko-crash-server-pipe.1260" 2156 2e14e3fb358 socket
          3⤵
            PID:3920
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1260.2.367221570\567834198" -childID 1 -isForBrowser -prefsHandle 2660 -prefMapHandle 2888 -prefsLen 21711 -prefMapSize 233444 -jsInitHandle 1268 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4f3a2554-10bd-4911-8b33-0d890dacc23c} 1260 "\\.\pipe\gecko-crash-server-pipe.1260" 2904 2e14e457758 tab
            3⤵
              PID:4500
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1260.3.1850124320\1142151366" -childID 2 -isForBrowser -prefsHandle 3592 -prefMapHandle 3588 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1268 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0fd20cd9-90b7-4b5a-b1e4-09dcd33e7895} 1260 "\\.\pipe\gecko-crash-server-pipe.1260" 3604 2e152e8f058 tab
              3⤵
                PID:5000
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1260.4.2090741030\1142966866" -childID 3 -isForBrowser -prefsHandle 4032 -prefMapHandle 4788 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1268 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9c3bd8f6-4df9-4380-95da-f465982cd77c} 1260 "\\.\pipe\gecko-crash-server-pipe.1260" 4820 2e155b96258 tab
                3⤵
                  PID:4432
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1260.5.223126034\1099821209" -childID 4 -isForBrowser -prefsHandle 5008 -prefMapHandle 5012 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1268 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0455ecb6-0e1e-42ae-8cf6-b73712088581} 1260 "\\.\pipe\gecko-crash-server-pipe.1260" 4996 2e155c1ab58 tab
                  3⤵
                    PID:392
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1260.6.1420080925\1775324760" -childID 5 -isForBrowser -prefsHandle 5200 -prefMapHandle 5204 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1268 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cc3b0d33-d7bf-4460-8bf6-98c80908ba3e} 1260 "\\.\pipe\gecko-crash-server-pipe.1260" 5192 2e1567cce58 tab
                    3⤵
                      PID:4952
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1260.7.824440526\744793708" -parentBuildID 20221007134813 -prefsHandle 4788 -prefMapHandle 5040 -prefsLen 26249 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bf60cbfd-a998-44bf-9453-7824645e74f9} 1260 "\\.\pipe\gecko-crash-server-pipe.1260" 5272 2e1567caa58 rdd
                      3⤵
                        PID:4960
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1260.8.425824639\484084058" -childID 6 -isForBrowser -prefsHandle 6008 -prefMapHandle 6024 -prefsLen 26464 -prefMapSize 233444 -jsInitHandle 1268 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {58a1a970-4e1e-4680-91ca-fb1015f42963} 1260 "\\.\pipe\gecko-crash-server-pipe.1260" 6032 2e157890358 tab
                        3⤵
                          PID:4788
                    • C:\Windows\System32\rundll32.exe
                      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                      1⤵
                        PID:3064
                      • C:\Users\Admin\Downloads\Nursultan crack.exe
                        "C:\Users\Admin\Downloads\Nursultan crack.exe"
                        1⤵
                        • Executes dropped EXE
                        • Adds Run key to start application
                        • System Location Discovery: System Language Discovery
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:4112

                      Network

                      MITRE ATT&CK Enterprise v15

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\datareporting\glean\db\data.safe.bin
                        Filesize

                        2KB

                        MD5

                        34a811fbecb3bdfeb48437d59c0c4555

                        SHA1

                        8aaea2b104f4591e285fbd666f447f47f8797a2b

                        SHA256

                        8bc8d026ca533937d726a32cc804295be70c96cace6f35e3e7f35dc0e2a40e4a

                        SHA512

                        4301c101af80827b38334a809bb3bb090082f11c52ac09988a2256891618c19740d02520aa50e98cfb31e3f6b9c7f663d008d49f2c24109772022595449f9e8d

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\datareporting\glean\pending_pings\33a597c8-6991-4dbb-a5b5-892437b72b0a
                        Filesize

                        9KB

                        MD5

                        e4d260f15c408ac92a11969e99dd6ba8

                        SHA1

                        3479ac80923e72351cac5b739f42d513964c8be5

                        SHA256

                        83d9d8e27aba3a5657da529e55975facd9783adbd4e2fe15379021e0fb0e99ea

                        SHA512

                        9bed857393f36375ab7170a262758c158eeb4a50535df3b6ca217916070c049fa541abbaba70f65df298a1370983f41ab0086731356bacba5eed1f7a74a535de

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\datareporting\glean\pending_pings\47dca710-9d6d-490c-8d16-eab5ad29adf9
                        Filesize

                        746B

                        MD5

                        2090676530393c8d528b9446f1190098

                        SHA1

                        164b10ba888f44498658e9e97f5598137d0e6b2f

                        SHA256

                        45479c8cfaeb2dbe6fbc07d23cd7f303fefd253518ff45ade5ade8c6ff91348a

                        SHA512

                        6047220d0a592aaa6e6d6f29668aeb9410dc56f71f70946867eeaeea5ec848ad69335701868055a8dd4666f7546df42eb0c154a2160e0a1b0cb50fa1c0146f06

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\prefs-1.js
                        Filesize

                        6KB

                        MD5

                        9d6ae749fd163b28b7656940ec22ed60

                        SHA1

                        b30ebd4d48f63459848c53abc8561a80b2276f12

                        SHA256

                        1cfec0119269e90440620133d96f5ba98c855c1a96560f4c2f9fc907412df557

                        SHA512

                        113de967664691e8e530808bcd2106cc84a437af55736878e1d032c86198b0ffb949ea2b1257e7d91666b83b8217847ade4b4d5c0bc29405c91ec2c145f85211

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\prefs-1.js
                        Filesize

                        6KB

                        MD5

                        966c16f56e922efc2a3325960398a139

                        SHA1

                        c906cb1693b66eb8e949615a62fef7d38b077810

                        SHA256

                        ba40265345cae1c8d8aa47eadfb79d249640e037b1b215676ba15ee44bd71510

                        SHA512

                        b5c5fb384219d34a6b088c2414eb7bbfb38201c063e5b85ec590da033b5f7f7944ef125de897c9bf9dc4c80f41dd19583f356b690800389f0606e4902f651e26

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\prefs.js
                        Filesize

                        6KB

                        MD5

                        826c5b23f3334b5970906460e11272a6

                        SHA1

                        3b7f408899592890910feecefafe7691595fc1a5

                        SHA256

                        ca1c4a1edf8630f6a9020efd915c3a8368313e9d4a6f0eb6026511334c2229f8

                        SHA512

                        91fe25396d1d6c68e19c86734447423fafaf129148f2e929a93c3c822dcac4084c09e8d2fcf0d5cf516af4ae0daa55279ab12ae6f240b7b152d948935a0f2f53

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4
                        Filesize

                        988B

                        MD5

                        e41affb8cdb7a7daae063ad4b9fd0731

                        SHA1

                        e573e955d2a7195033ba2a245e382cb888ee2e10

                        SHA256

                        f13f3dd4e264e937758a719065817dfc877968cc3e732a1a02ddef93d8a66962

                        SHA512

                        64dd22ab840b3149cfd40da536a8ecaa6edbcf8b4cfe52a8ad69a93c18758408022959febdd20c9353b7181640c5ee40f93ebcb71ebd35b7d4394c7e2db1b16a

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4
                        Filesize

                        1KB

                        MD5

                        88b442afa529d40354e11762f67dbc37

                        SHA1

                        0d76aa071bbceaf73a39330e83595bcfae07aef4

                        SHA256

                        9224ac159c05ceac0e9ce601ad93feeece206ff92391dd8fa61bb5cd3c678229

                        SHA512

                        df6fa4edf9c621a20cd37b2f8816c59cc72352fceb563804e3a3cbeaff6fe267d503bdccb13e766eea8a6d997593b2d543f96084e56f91fca0411c534e209100

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4
                        Filesize

                        1KB

                        MD5

                        e50d7988711a1c25e8c278cb882b1bd0

                        SHA1

                        a289c4bbadf14b93173790b6aca908c6ef6f9a39

                        SHA256

                        3e2415d12a1fb8be7e29b793d70f695720419bb8f9671de18aa9b03b7c65a574

                        SHA512

                        5199d73352905b5c86be4c1c069b8fb8045c0dba5d34437e037d222634123ae9988c76dae8ddfaa4f0ea0f700ea8dc661abd95bfec73228a7a6295216527db6b

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
                        Filesize

                        184KB

                        MD5

                        f72c2c8a738f1bdd4a5e24326ff248df

                        SHA1

                        d60277881f6b36509d709948fcf7ed3ec3da74a6

                        SHA256

                        06575a0a693c9e0f265fcf03ee5b6ced4dd922ac999f5d767a9a7d92fb199082

                        SHA512

                        7fa2cc3e4f6e6f9c77fc12e188a0ef4e5dfd9079e1ddd2d689669513bd2e512136ac4485b34aa0ed8587c8cd519572d31eb2496b4091e229b6c339bf25c27d6a

                        Download Submit

                      • C:\Users\Admin\Downloads\Nursultan crack.cw-_LDmp.exe.part
                        Filesize

                        20KB

                        MD5

                        ac96b486f4b0be0fe2e73e696f402fd2

                        SHA1

                        b91f96c7cb7ea20d367fe69d7aff1274f9846bf1

                        SHA256

                        573c8eddc9ff1b86908d2503fa81efeb6f89ef1533c8e4453c5c868a99b96499

                        SHA512

                        ceccc30e43e1aa204e0545825c2d9a839a7c50e77121944c7324e29fce6b378c6bd0e56781a0c198a6125f680eb085b6154c6ae6e595c87a9f04c883619fa79b

                        Download Submit

                      • C:\Users\Admin\Downloads\Nursultan crack.exe
                        Filesize

                        65KB

                        MD5

                        f1bc446c012d915bdb9b74ba9b7163b4

                        SHA1

                        d3d4d997100d94746814d4b03f442de458eb71ca

                        SHA256

                        7c844cea445fb1141eb79320911b31bb2b29063cbbf3175e3df004c8962fb289

                        SHA512

                        70db70facaff31488243473b313dc540fe5eaba03fa7e123fdc86f6d52ca8bdad13fb73dde776cc75be333105f8bee074e833d1338d066526e802bfa99574d9a

                        Download Submit

                      • memory/4112-228-0x0000000073EF1000-0x0000000073EF2000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/4112-229-0x0000000073EF0000-0x00000000744A0000-memory.dmp

                        Filesize

                        5.7MB

                        Download

                      • memory/4112-230-0x0000000073EF0000-0x00000000744A0000-memory.dmp

                        Filesize

                        5.7MB

                        Download

                      • memory/4112-239-0x0000000073EF0000-0x00000000744A0000-memory.dmp

                        Filesize

                        5.7MB

                        Download

                      • memory/4112-240-0x0000000073EF0000-0x00000000744A0000-memory.dmp

                        Filesize

                        5.7MB

                        Download