njrat | d33937a6d70570f745c73a0a8081124cdd6905027fffdc434e668e2e3441bb71

General

Target

pen.exe
Size

448KB
MD5

92f0e23bae710d6a01fdd0fc4182b403
SHA1

6d5c588fa083d42089d1fd7f0a7a58afeeb40db4
SHA256

d33937a6d70570f745c73a0a8081124cdd6905027fffdc434e668e2e3441bb71
SHA512

bd449da740b97d4d542108be81fb6ca0bac92e4047205eb77c14d83822e4655b03b02a11fdee803c19fc5e722dd9c45824bb35f0f60397ad43eb2e2757e39eca
SSDEEP

6144:F61E/QSnxoEMTlXEulocTUtVMzVtoEJUU/rhg3sjPWHwNsJLtBU/:F6ErxJMTtEulPUfMzVWU/NZAtY

Score

10^/10

njrat lk discovery trojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

lk

C2

main-peers.at.ply.gg:14391

Mutex

10dbba546f79cfd65d5be18f9b8967bc

Attributes

reg_key
10dbba546f79cfd65d5be18f9b8967bc
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	pen.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	1.exe

Executes dropped EXE 4 IoCs

pid	Process
2360	1.exe
1228	2.exe
4024	1.exe
948	browser.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	browser.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2672 wrote to memory of 3336	2672	pen.exe	87
PID 2672 wrote to memory of 3336	2672	pen.exe	87
PID 2672 wrote to memory of 3336	2672	pen.exe	87
PID 3336 wrote to memory of 2360	3336	cmd.exe	90
PID 3336 wrote to memory of 2360	3336	cmd.exe	90
PID 3336 wrote to memory of 2360	3336	cmd.exe	90
PID 3336 wrote to memory of 1228	3336	cmd.exe	91
PID 3336 wrote to memory of 1228	3336	cmd.exe	91
PID 3336 wrote to memory of 1228	3336	cmd.exe	91
PID 1228 wrote to memory of 4024	1228	2.exe	92
PID 1228 wrote to memory of 4024	1228	2.exe	92
PID 1228 wrote to memory of 4024	1228	2.exe	92
PID 2360 wrote to memory of 948	2360	1.exe	97
PID 2360 wrote to memory of 948	2360	1.exe	97
PID 2360 wrote to memory of 948	2360	1.exe	97

C:\Users\Admin\AppData\Local\Temp\pen.exe
"C:\Users\Admin\AppData\Local\Temp\pen.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2672
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\start.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3336
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe
    1.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2360
  - - C:\Users\Admin\AppData\Local\Temp\browser.exe
      "C:\Users\Admin\AppData\Local\Temp\browser.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:948
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\2.exe
    2.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1228
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\1.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\1.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe

Filesize
37KB

MD5
e8d24f4753714f133efc09bf7897f2fc

SHA1
fda1916af29b7ae099fa4d0616720a6ee149d128

SHA256
032cdbc99e1215fb5b23ff4aa322e21dafd32fd36f1147c5bb3880693b02e550

SHA512
1ced1dfbc46c5753d98494909ded141ff9663387b6cfb4b04140877b39482e35b944a8443369c6a923f6509e452789391aafbcc8320491b521cc04f0e81bd286

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\2.exe

Filesize
269KB

MD5
65d8371855f976d363affe190748a946

SHA1
a2d1a74c1bb7cc8d1bbba454d670fafa68b958f9

SHA256
dc58cc5cc32ed27b22fbf867d721523d072d760f271a0992eefa7280c72b0fd8

SHA512
8171b63a8a9c7321bab844d75218c145ba3bf73e56d73883557f2cf6f4a39717d81bc1f5e8cb22bc2f467164a5fa31e5b45d41a25b272bd40aaae87f45fa40ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\start.bat

Filesize
35B

MD5
30543ad8237e79cf93f3010a14616dd1

SHA1
e40e6dbc0f935d9704dde8d62273896d3f3ca531

SHA256
9031146fd624a3d48e86c1c09376e14b28a257c29acb32fac0724b5a961f4fc5

SHA512
98db52136d761a32538d2a42154962cc650177d09bcde4918c0bfc3102890bb26232aaa79a20a3ef3fbc2bb1b139afa0ec79f9cbb7da0ca70beaef7e4cd29453

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\1.exe

Filesize
5KB

MD5
17b935ed6066732a76bed69867702e4b

SHA1
23f28e3374f9d0e03d45843b28468aace138e71c

SHA256
e60353b37f785c77e1063ac44cba792e9ec69f27b1dc9f3b719280d5ce015cc0

SHA512
774ea047cdc5f008df03ad67242df04d630bb962bc99f1ea8974a21baf6a902c7a5d8b8d09d9e5c7d7e46b0378c7baf33bf80fb3e34777cd0958b8fc740d0318

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\xui2.cur

Filesize
4KB

MD5
c1fd2feb9e2b56be00082dd06c2b9658

SHA1
6e9272d5d53272f901ebb75ea556e250d4fc54aa

SHA256
de7c8bd93cc576d719805835099ae0f2cb88d797fe71585e2f7eb56b67a8fb72

SHA512
7530ad40f0adc93d5166b2b4741ba66bc5792ca1882be658b86b290feaa3ccf08f15ef0d55cc40494c6f3fedb78ecc5dab2a5342e0bdc85a068a3a0ffdc6e79a

Download Submit
memory/2360-15-0x00000000733C2000-0x00000000733C3000-memory.dmp

Filesize
4KB

Download
memory/2360-16-0x00000000733C0000-0x0000000073971000-memory.dmp

Filesize
5.7MB

Download
memory/2360-21-0x00000000733C0000-0x0000000073971000-memory.dmp

Filesize
5.7MB

Download
memory/2360-44-0x00000000733C0000-0x0000000073971000-memory.dmp

Filesize
5.7MB

Download
memory/4024-32-0x0000000000500000-0x0000000000508000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing