Overview

overview

10

Static

static

10

3020-2-0x0...ry.exe

windows7-x64

10

3020-2-0x0...ry.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/10/2024, 13:02 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3020-2-0x0000000000460000-0x0000000000472000-memory.exe

  • Size

    72KB

  • MD5

    5c763f2013aa6eec01710553a3956533

  • SHA1

    e8c6c171c05df73774a48056471705d9d9307191

  • SHA256

    4ad5f0107a2fbe081d769c1d166ae81c1089116bab59919c546de2212674ab91

  • SHA512

    0c290c60ee32b26082bff12881847333a01480861520450f1b18017f1aa75a830e2d6fd9d960ca427bee94c32bf99ece78d184ffc9ca16193cd039dbfeb70bd2

  • SSDEEP

    384:UZyHUJ1Cj8syWcWrfXE5GiXeEXME5EAftz8Iij+ZsNO3PlpJKkkjh/TzF7pWnK/N:i+UJ04pWcWrXE5ZVMEzXuXQ/oT3+L

Score
10/10
njrathackeddiscoverypersistencetrojan

Malware Config

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

HacKed

C2

encrypted7745.hopto.org:1177

Mutex

Windows Update

Attributes
  • reg_key

    Windows Update

  • splitter

    |Hassan|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 37 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3020-2-0x0000000000460000-0x0000000000472000-memory.exe
    "C:\Users\Admin\AppData\Local\Temp\3020-2-0x0000000000460000-0x0000000000472000-memory.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    PID:3492

Network

  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dnsgoogle
  • flag-us
    DNS
    104.219.191.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    104.219.191.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    79.190.18.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    79.190.18.2.in-addr.arpa
    IN PTR
    Response
    79.190.18.2.in-addr.arpa
    IN PTR
    a2-18-190-79deploystaticakamaitechnologiescom
  • flag-us
    DNS
    22.160.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    22.160.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    228.249.119.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    228.249.119.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    encrypted7745.hopto.org
    3020-2-0x0000000000460000-0x0000000000472000-memory.exe
    Remote address:
    8.8.8.8:53
    Request
    encrypted7745.hopto.org
    IN A
    Response
    encrypted7745.hopto.org
    IN A
    85.113.101.120
  • flag-us
    DNS
    120.101.113.85.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    120.101.113.85.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    120.101.113.85.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    120.101.113.85.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    120.101.113.85.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    120.101.113.85.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    50.23.12.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    50.23.12.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    198.187.3.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    198.187.3.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    27.117.19.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    27.117.19.2.in-addr.arpa
    IN PTR
    Response
    27.117.19.2.in-addr.arpa
    IN PTR
    a2-19-117-27deploystaticakamaitechnologiescom
  • flag-us
    DNS
    77.190.18.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    77.190.18.2.in-addr.arpa
    IN PTR
    Response
    77.190.18.2.in-addr.arpa
    IN PTR
    a2-18-190-77deploystaticakamaitechnologiescom
  • flag-us
    DNS
    14.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    14.227.111.52.in-addr.arpa
    IN PTR
    Response
  • 85.113.101.120:1177
    encrypted7745.hopto.org
    3020-2-0x0000000000460000-0x0000000000472000-memory.exe
    997 B
     788 B
     13
    19
  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
     90 B
     1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    104.219.191.52.in-addr.arpa
    dns
    73 B
     147 B
     1
    1

    DNS Request

    104.219.191.52.in-addr.arpa

  • 8.8.8.8:53
    79.190.18.2.in-addr.arpa
    dns
    70 B
     133 B
     1
    1

    DNS Request

    79.190.18.2.in-addr.arpa

  • 8.8.8.8:53
    22.160.190.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    22.160.190.20.in-addr.arpa

  • 8.8.8.8:53
    228.249.119.40.in-addr.arpa
    dns
    73 B
     159 B
     1
    1

    DNS Request

    228.249.119.40.in-addr.arpa

  • 8.8.8.8:53
    encrypted7745.hopto.org
    dns
    3020-2-0x0000000000460000-0x0000000000472000-memory.exe
    69 B
     85 B
     1
    1

    DNS Request

    encrypted7745.hopto.org

    DNS Response

    85.113.101.120

  • 8.8.8.8:53
    120.101.113.85.in-addr.arpa
    dns
    219 B
     219 B
     3
    3

    DNS Request

    120.101.113.85.in-addr.arpa

    DNS Request

    120.101.113.85.in-addr.arpa

    DNS Request

    120.101.113.85.in-addr.arpa

  • 8.8.8.8:53
    50.23.12.20.in-addr.arpa
    dns
    70 B
     156 B
     1
    1

    DNS Request

    50.23.12.20.in-addr.arpa

  • 8.8.8.8:53
    198.187.3.20.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    198.187.3.20.in-addr.arpa

  • 8.8.8.8:53
    27.117.19.2.in-addr.arpa
    dns
    70 B
     133 B
     1
    1

    DNS Request

    27.117.19.2.in-addr.arpa

  • 8.8.8.8:53
    77.190.18.2.in-addr.arpa
    dns
    70 B
     133 B
     1
    1

    DNS Request

    77.190.18.2.in-addr.arpa

  • 8.8.8.8:53
    14.227.111.52.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    14.227.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/3492-0-0x000000007528E000-0x000000007528F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3492-1-0x0000000000B70000-0x0000000000B82000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3492-2-0x0000000005540000-0x00000000055DC000-memory.dmp

    Filesize

    624KB

    Download

  • memory/3492-3-0x0000000005E20000-0x00000000063C4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3492-5-0x0000000005960000-0x00000000059F2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/3492-4-0x0000000075280000-0x0000000075A30000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3492-7-0x0000000005940000-0x000000000594A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3492-8-0x0000000005BA0000-0x0000000005C06000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3492-9-0x00000000069D0000-0x00000000069E8000-memory.dmp

    Filesize

    96KB

    Download

  • memory/3492-10-0x000000007528E000-0x000000007528F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3492-11-0x0000000075280000-0x0000000075A30000-memory.dmp

    Filesize

    7.7MB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.