njrat | 7f90d1d2465e6b3c69236275c96662690ccc5eef0d4b4ed2dd90bdf298cc7539

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28-09-2024 07:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7f90d1d2465e6b3c69236275c96662690ccc5eef0d4b4ed2dd90bdf298cc7539.exe
Size

25KB
MD5

fe8b74facf33c3cb9c2399d0e32b6e90
SHA1

d877d8201468404dfa5e286e0fcc6b3d535886f1
SHA256

7f90d1d2465e6b3c69236275c96662690ccc5eef0d4b4ed2dd90bdf298cc7539
SHA512

3a679ff30e786f86ef9f6b1912a8358c2710b54fece7d1af7425095ee3ebd7726cb64c0caf7a289cb302c65523229a9be21ff8ce8e51c8d3a40deb8813090189
SSDEEP

768:5vkVCd2emvs+uWoT60lkcDjRfoXMxGfihbo:yEEDvsDWaKIjFoXKQiC

Score

10^/10

njrat topher discovery trojan

Malware Config

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

topher

mehmet741.duckdsn.org:81

Mutex

Windows Update

Attributes

reg_key
Windows Update
splitter
|Hassan|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2104	7f90d1d2465e6b3c69236275c96662690ccc5eef0d4b4ed2dd90bdf298cc7539.exe
2792	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2792	AcroRd32.exe
2792	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 2648	2104	7f90d1d2465e6b3c69236275c96662690ccc5eef0d4b4ed2dd90bdf298cc7539.exe	30
PID 2104 wrote to memory of 2648	2104	7f90d1d2465e6b3c69236275c96662690ccc5eef0d4b4ed2dd90bdf298cc7539.exe	30
PID 2104 wrote to memory of 2648	2104	7f90d1d2465e6b3c69236275c96662690ccc5eef0d4b4ed2dd90bdf298cc7539.exe	30
PID 2648 wrote to memory of 2792	2648	rundll32.exe	31
PID 2648 wrote to memory of 2792	2648	rundll32.exe	31
PID 2648 wrote to memory of 2792	2648	rundll32.exe	31
PID 2648 wrote to memory of 2792	2648	rundll32.exe	31

C:\Users\Admin\AppData\Local\Temp\7f90d1d2465e6b3c69236275c96662690ccc5eef0d4b4ed2dd90bdf298cc7539.exe
"C:\Users\Admin\AppData\Local\Temp\7f90d1d2465e6b3c69236275c96662690ccc5eef0d4b4ed2dd90bdf298cc7539.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Roaming\Services
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2648
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\Services"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
500a7c0eaa6391ce102351b15acde62d

SHA1
64259258538e4e28325c3f719d970b756cb63e36

SHA256
23eca9f2b7deb8e6c821d6efeda726916de8ca79ea4594689e293b80059168ac

SHA512
a091cfcf2b962f4f37d156c56fb482c748db9a93a51f6c265d6950464098e4f4d6255c38747c98ff398f202d12747226bb24b47caca99d0e178b5fed54671531

Download Submit
C:\Users\Admin\AppData\Roaming\Services

Filesize
25KB

MD5
fe8b74facf33c3cb9c2399d0e32b6e90

SHA1
d877d8201468404dfa5e286e0fcc6b3d535886f1

SHA256
7f90d1d2465e6b3c69236275c96662690ccc5eef0d4b4ed2dd90bdf298cc7539

SHA512
3a679ff30e786f86ef9f6b1912a8358c2710b54fece7d1af7425095ee3ebd7726cb64c0caf7a289cb302c65523229a9be21ff8ce8e51c8d3a40deb8813090189

Download Submit
memory/2104-0-0x000007FEF5D2E000-0x000007FEF5D2F000-memory.dmp

Filesize
4KB

Download
memory/2104-1-0x00000000001F0000-0x0000000000202000-memory.dmp

Filesize
72KB

Download
memory/2104-2-0x000007FEF5A70000-0x000007FEF640D000-memory.dmp

Filesize
9.6MB

Download
memory/2104-3-0x000007FEF5A70000-0x000007FEF640D000-memory.dmp

Filesize
9.6MB

Download
memory/2104-6-0x000007FEF5A70000-0x000007FEF640D000-memory.dmp

Filesize
9.6MB

Download