njrat | f01befb0270c212d3f5c8d4501e19c544aa57010bd30bbf1d9817789ef7d83d0

General

Target

f01befb0270c212d3f5c8d4501e19c544aa57010bd30bbf1d9817789ef7d83d0.exe
Size

32KB
MD5

a8f6fa7a488944a8e0362dfb6f18988b
SHA1

8e4725c2233d74834756d1a42448748327b9ecee
SHA256

f01befb0270c212d3f5c8d4501e19c544aa57010bd30bbf1d9817789ef7d83d0
SHA512

51c0af1a62741019fe0f11656dfbcc00b8b3adb1b6df06cc7f9bac1fe90a6b9a345bfefe2b5f818189b84a22f79eefb8838a2eb732019419eb2b063ba0418d66
SSDEEP

384:9/it2wUQCG+JexvsiOrhAh9kLAZFPI+uT00olDModg9TdFpyFEIGsJjwE7UMcri3:QiGtUrrhAAA/iouDbEEIGfR6+f

Score

10^/10

njrat hacked by hidden person discovery trojan

Malware Config

Extracted

Family

njrat

Botnet

Hacked By HiDDen PerSOn

Mutex

4cae72edef05515628e131732c15c61e

Attributes

reg_key
4cae72edef05515628e131732c15c61e

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f01befb0270c212d3f5c8d4501e19c544aa57010bd30bbf1d9817789ef7d83d0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2756	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2756	AcroRd32.exe
2756	AcroRd32.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2860 wrote to memory of 2888	2860	f01befb0270c212d3f5c8d4501e19c544aa57010bd30bbf1d9817789ef7d83d0.exe	30
PID 2860 wrote to memory of 2888	2860	f01befb0270c212d3f5c8d4501e19c544aa57010bd30bbf1d9817789ef7d83d0.exe	30
PID 2860 wrote to memory of 2888	2860	f01befb0270c212d3f5c8d4501e19c544aa57010bd30bbf1d9817789ef7d83d0.exe	30
PID 2860 wrote to memory of 2888	2860	f01befb0270c212d3f5c8d4501e19c544aa57010bd30bbf1d9817789ef7d83d0.exe	30
PID 2860 wrote to memory of 2888	2860	f01befb0270c212d3f5c8d4501e19c544aa57010bd30bbf1d9817789ef7d83d0.exe	30
PID 2860 wrote to memory of 2888	2860	f01befb0270c212d3f5c8d4501e19c544aa57010bd30bbf1d9817789ef7d83d0.exe	30
PID 2860 wrote to memory of 2888	2860	f01befb0270c212d3f5c8d4501e19c544aa57010bd30bbf1d9817789ef7d83d0.exe	30
PID 2888 wrote to memory of 2756	2888	rundll32.exe	31
PID 2888 wrote to memory of 2756	2888	rundll32.exe	31
PID 2888 wrote to memory of 2756	2888	rundll32.exe	31
PID 2888 wrote to memory of 2756	2888	rundll32.exe	31

C:\Users\Admin\AppData\Local\Temp\f01befb0270c212d3f5c8d4501e19c544aa57010bd30bbf1d9817789ef7d83d0.exe
"C:\Users\Admin\AppData\Local\Temp\f01befb0270c212d3f5c8d4501e19c544aa57010bd30bbf1d9817789ef7d83d0.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2860
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\testyoung
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2888
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\testyoung"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\testyoung

Filesize
32KB

MD5
a8f6fa7a488944a8e0362dfb6f18988b

SHA1
8e4725c2233d74834756d1a42448748327b9ecee

SHA256
f01befb0270c212d3f5c8d4501e19c544aa57010bd30bbf1d9817789ef7d83d0

SHA512
51c0af1a62741019fe0f11656dfbcc00b8b3adb1b6df06cc7f9bac1fe90a6b9a345bfefe2b5f818189b84a22f79eefb8838a2eb732019419eb2b063ba0418d66

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
f1006e6cccb93026046c637b68f73d66

SHA1
da389ac437fdf5cd5ccd668b3f8aa0b7454ad1a8

SHA256
26a34a080959f90126eb900a351fffe220e1e130372f7ca039dc0036b5f3e2a8

SHA512
90babc7c10e4cd6b2629705c1401435685f80393eece7d2ce9d69761fd97171de0ba7e678d37f2c42162512b03c31554fa71d00c45cf7565669048c16e669722

Download Submit
memory/2860-0-0x0000000074241000-0x0000000074242000-memory.dmp

Filesize
4KB

Download
memory/2860-1-0x0000000074240000-0x00000000747EB000-memory.dmp

Filesize
5.7MB

Download
memory/2860-2-0x0000000074240000-0x00000000747EB000-memory.dmp

Filesize
5.7MB

Download
memory/2860-5-0x0000000074240000-0x00000000747EB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing