njrat | 43182b7bf6f7d1c9e18f1c3f9dd916986d6adb81928ee0b2e57d6572d22bca4a

Analysis

max time kernel
149s
max time network
144s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05-10-2024 12:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BootstrapperV1.26.exe
Size

863KB
MD5

cc3f2a1f63f68e4014bc3b8a0d3ddf7c
SHA1

82eb314b035f073332a7a4a9a10449513ccc1d03
SHA256

43182b7bf6f7d1c9e18f1c3f9dd916986d6adb81928ee0b2e57d6572d22bca4a
SHA512

6f6839fb986475b0b8d95132a5588c9d0f956e8b9cc1d894fc755cc8d365a11daba321a05aac1db295586a4d3a2b290c7ea80446948c57c4af0d33f21dd5f2da
SSDEEP

12288:TATougEx9nCvJ4f05oOGoGH/j0MNVcfzJXcBPXBNr8L5h:k0NY9CvzoVoGH/j0ucrJXOu

Score

10^/10

njrat 31 discovery persistence trojan

Malware Config

Extracted

Family

njrat

Version

<- NjRAT 0.7d Horror Edition ->

Botnet

txx8luo.localto.net:3989

Mutex

0f4f57f0b5499edfd1915b0e98cfe851

Attributes

reg_key
0f4f57f0b5499edfd1915b0e98cfe851
splitter
Y262SUCZ4UJJ

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0f4f57f0b5499edfd1915b0e98cfe851.exe	13131312.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0f4f57f0b5499edfd1915b0e98cfe851.exe	13131312.exe

Executes dropped EXE 3 IoCs

pid	Process
2244	13131312.exe
2540	BootstrapperV1.21.exe
1108	e1a069313b064e128ecd39e62af7cf8f.exe

Loads dropped DLL 8 IoCs

pid	Process
2236	BootstrapperV1.26.exe
2236	BootstrapperV1.26.exe
2304	WerFault.exe
2304	WerFault.exe
2304	WerFault.exe
2304	WerFault.exe
2304	WerFault.exe
2244	13131312.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\0f4f57f0b5499edfd1915b0e98cfe851 = "\"C:\\Users\\Admin\\AppData\\Roaming\\13131312.exe\" .."	13131312.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\0f4f57f0b5499edfd1915b0e98cfe851 = "\"C:\\Users\\Admin\\AppData\\Roaming\\13131312.exe\" .."	13131312.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BootstrapperV1.26.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	13131312.exe

Suspicious use of AdjustPrivilegeToken 38 IoCs

description	pid	Process
Token: SeDebugPrivilege	2540	BootstrapperV1.21.exe
Token: SeDebugPrivilege	2244	13131312.exe
Token: 33	2244	13131312.exe
Token: SeIncBasePriorityPrivilege	2244	13131312.exe
Token: 33	2244	13131312.exe
Token: SeIncBasePriorityPrivilege	2244	13131312.exe
Token: 33	2244	13131312.exe
Token: SeIncBasePriorityPrivilege	2244	13131312.exe
Token: 33	2244	13131312.exe
Token: SeIncBasePriorityPrivilege	2244	13131312.exe
Token: 33	2244	13131312.exe
Token: SeIncBasePriorityPrivilege	2244	13131312.exe
Token: 33	2244	13131312.exe
Token: SeIncBasePriorityPrivilege	2244	13131312.exe
Token: 33	2244	13131312.exe
Token: SeIncBasePriorityPrivilege	2244	13131312.exe
Token: 33	2244	13131312.exe
Token: SeIncBasePriorityPrivilege	2244	13131312.exe
Token: 33	2244	13131312.exe
Token: SeIncBasePriorityPrivilege	2244	13131312.exe
Token: 33	2244	13131312.exe
Token: SeIncBasePriorityPrivilege	2244	13131312.exe
Token: 33	2244	13131312.exe
Token: SeIncBasePriorityPrivilege	2244	13131312.exe
Token: 33	2244	13131312.exe
Token: SeIncBasePriorityPrivilege	2244	13131312.exe
Token: 33	2244	13131312.exe
Token: SeIncBasePriorityPrivilege	2244	13131312.exe
Token: 33	2244	13131312.exe
Token: SeIncBasePriorityPrivilege	2244	13131312.exe
Token: 33	2244	13131312.exe
Token: SeIncBasePriorityPrivilege	2244	13131312.exe
Token: 33	2244	13131312.exe
Token: SeIncBasePriorityPrivilege	2244	13131312.exe
Token: 33	2244	13131312.exe
Token: SeIncBasePriorityPrivilege	2244	13131312.exe
Token: 33	2244	13131312.exe
Token: SeIncBasePriorityPrivilege	2244	13131312.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
2244	13131312.exe
2244	13131312.exe
2244	13131312.exe
2244	13131312.exe
2244	13131312.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 2244	2236	BootstrapperV1.26.exe	31
PID 2236 wrote to memory of 2244	2236	BootstrapperV1.26.exe	31
PID 2236 wrote to memory of 2244	2236	BootstrapperV1.26.exe	31
PID 2236 wrote to memory of 2244	2236	BootstrapperV1.26.exe	31
PID 2236 wrote to memory of 2540	2236	BootstrapperV1.26.exe	32
PID 2236 wrote to memory of 2540	2236	BootstrapperV1.26.exe	32
PID 2236 wrote to memory of 2540	2236	BootstrapperV1.26.exe	32
PID 2236 wrote to memory of 2540	2236	BootstrapperV1.26.exe	32
PID 2540 wrote to memory of 2304	2540	BootstrapperV1.21.exe	34
PID 2540 wrote to memory of 2304	2540	BootstrapperV1.21.exe	34
PID 2540 wrote to memory of 2304	2540	BootstrapperV1.21.exe	34
PID 2244 wrote to memory of 1108	2244	13131312.exe	36
PID 2244 wrote to memory of 1108	2244	13131312.exe	36
PID 2244 wrote to memory of 1108	2244	13131312.exe	36
PID 2244 wrote to memory of 1108	2244	13131312.exe	36

C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.26.exe
"C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.26.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Users\Admin\AppData\Roaming\13131312.exe
  "C:\Users\Admin\AppData\Roaming\13131312.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2244
- - C:\Users\Admin\AppData\Local\Temp\e1a069313b064e128ecd39e62af7cf8f.exe
    "C:\Users\Admin\AppData\Local\Temp\e1a069313b064e128ecd39e62af7cf8f.exe"
    3⤵
    - Executes dropped EXE
    PID:1108
- C:\Users\Admin\AppData\Roaming\BootstrapperV1.21.exe
  "C:\Users\Admin\AppData\Roaming\BootstrapperV1.21.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2540
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2540 -s 1068
    3⤵
    - Loads dropped DLL
    PID:2304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\e1a069313b064e128ecd39e62af7cf8f.exe

Filesize
961KB

MD5
4723c3c04794c09bbcb6e03f48440f15

SHA1
a5ef69c9dc9eacc2099d9c239146a0e360f1837f

SHA256
0d635f035cdb2fd3afda768cd631481ff980957b614a3cf3fca6c592c6c06470

SHA512
5b68e1cd3d6bb85b5f449014cc288423faea76ff0ecf8834047dac1ed6e84c4d858a7ed23abe3625d781391f636893736bf5c00474ad0995e75611c1557c5c4a

Download Submit
\Users\Admin\AppData\Roaming\13131312.exe

Filesize
55KB

MD5
7f885e0b86bfd37c17867214b74c600a

SHA1
476e1749121846a34eff66c2714d01ff3cf18593

SHA256
0e598feb9643475cd6209f510b9bdd33080188752734f5e8403aa5e946f6b841

SHA512
00799f581f42173a2e10e9fdd4f8ba83922bbe8b8e264539405a78eef146c3c8f8f09ac2fdbb6380d2574232b749e902469bbdc62af89d62d4416de506f75499

Download Submit
\Users\Admin\AppData\Roaming\BootstrapperV1.21.exe

Filesize
797KB

MD5
c5dfc6db9d57d21fc1fd18afff38cab0

SHA1
2c0ad08b90c699539702899db5860c1e1e1a8d80

SHA256
163c5a7bdc1038959e103011dcf454bc009c5b0c0ad3cac60bbb4f2a4a19444f

SHA512
0369f636cc83d5841549a06ed1ca06b74859a26ef7ebc35ed9f26c281682e10804fcdaf3dfc47049b4aea01694cc11014d2e2c6435b0abc757a5472c548dd68e

Download Submit
memory/2236-18-0x00000000744A0000-0x0000000074A4B000-memory.dmp

Filesize
5.7MB

Download
memory/2236-1-0x00000000744A0000-0x0000000074A4B000-memory.dmp

Filesize
5.7MB

Download
memory/2236-2-0x00000000744A0000-0x0000000074A4B000-memory.dmp

Filesize
5.7MB

Download
memory/2236-0-0x00000000744A1000-0x00000000744A2000-memory.dmp

Filesize
4KB

Download
memory/2244-14-0x00000000744A0000-0x0000000074A4B000-memory.dmp

Filesize
5.7MB

Download
memory/2244-16-0x00000000744A0000-0x0000000074A4B000-memory.dmp

Filesize
5.7MB

Download
memory/2244-27-0x00000000744A0000-0x0000000074A4B000-memory.dmp

Filesize
5.7MB

Download
memory/2244-28-0x00000000744A0000-0x0000000074A4B000-memory.dmp

Filesize
5.7MB

Download
memory/2244-17-0x00000000744A0000-0x0000000074A4B000-memory.dmp

Filesize
5.7MB

Download
memory/2540-20-0x0000000000210000-0x00000000002DE000-memory.dmp

Filesize
824KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads