njrat | 590383f4bc81eb472544475d3f93b43967d12d499a1bc46e031d7cd5001d348c

General

Target

2792-29-0x00000000002A0000-0x0000000000B6A000-memory.exe
Size

8.8MB
MD5

dc12c3ed6545883e412fd53aee9f9bc8
SHA1

745727e55ea35ef91fdae244f1d09f146309090c
SHA256

590383f4bc81eb472544475d3f93b43967d12d499a1bc46e031d7cd5001d348c
SHA512

eef34bca2e27e0e1ea61c12d82a85407a852b7ef236c4d6a91ec2e85a9be4a85219363759dbb2db23744c7772b9ccd0209977621a681f1345fa5754bfe30be4c
SSDEEP

196608:Ryz6ERB80Yd/m9r8IstNEcOq+OM2OYje:RI6ERBud/m9rmDOezj

Score

10^/10

njrat hacked discovery persistence themida trojan

Malware Config

Extracted

Family

njrat

Version

v4.0

Botnet

HacKed

C2

still-obviously.gl.at.ply.gg:46857

Mutex

Windows

Attributes

reg_key
Windows
splitter
|-F-|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	2792-29-0x00000000002A0000-0x0000000000B6A000-memory.exe

Drops startup file 5 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe	attrib.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	2792-29-0x00000000002A0000-0x0000000000B6A000-memory.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	Payload.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe	Payload.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe	Payload.exe

Executes dropped EXE 1 IoCs

pid	Process
2064	Payload.exe

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/memory/8-1-0x0000000000660000-0x0000000000F2A000-memory.dmp	themida
behavioral2/files/0x00070000000234c7-10.dat	themida

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\ProgramData\\Payload.exe"	2792-29-0x00000000002A0000-0x0000000000B6A000-memory.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	Payload.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	Payload.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	Payload.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	Payload.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2792-29-0x00000000002A0000-0x0000000000B6A000-memory.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Payload.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeDebugPrivilege	2064	Payload.exe
Token: 33	2064	Payload.exe
Token: SeIncBasePriorityPrivilege	2064	Payload.exe
Token: 33	2064	Payload.exe
Token: SeIncBasePriorityPrivilege	2064	Payload.exe
Token: 33	2064	Payload.exe
Token: SeIncBasePriorityPrivilege	2064	Payload.exe
Token: 33	2064	Payload.exe
Token: SeIncBasePriorityPrivilege	2064	Payload.exe
Token: 33	2064	Payload.exe
Token: SeIncBasePriorityPrivilege	2064	Payload.exe
Token: 33	2064	Payload.exe
Token: SeIncBasePriorityPrivilege	2064	Payload.exe
Token: 33	2064	Payload.exe
Token: SeIncBasePriorityPrivilege	2064	Payload.exe
Token: 33	2064	Payload.exe
Token: SeIncBasePriorityPrivilege	2064	Payload.exe
Token: 33	2064	Payload.exe
Token: SeIncBasePriorityPrivilege	2064	Payload.exe
Token: 33	2064	Payload.exe
Token: SeIncBasePriorityPrivilege	2064	Payload.exe
Token: 33	2064	Payload.exe
Token: SeIncBasePriorityPrivilege	2064	Payload.exe
Token: 33	2064	Payload.exe
Token: SeIncBasePriorityPrivilege	2064	Payload.exe
Token: 33	2064	Payload.exe
Token: SeIncBasePriorityPrivilege	2064	Payload.exe
Token: 33	2064	Payload.exe
Token: SeIncBasePriorityPrivilege	2064	Payload.exe
Token: 33	2064	Payload.exe
Token: SeIncBasePriorityPrivilege	2064	Payload.exe
Token: 33	2064	Payload.exe
Token: SeIncBasePriorityPrivilege	2064	Payload.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 8 wrote to memory of 2064	8	2792-29-0x00000000002A0000-0x0000000000B6A000-memory.exe	84
PID 8 wrote to memory of 2064	8	2792-29-0x00000000002A0000-0x0000000000B6A000-memory.exe	84
PID 8 wrote to memory of 2064	8	2792-29-0x00000000002A0000-0x0000000000B6A000-memory.exe	84
PID 8 wrote to memory of 2092	8	2792-29-0x00000000002A0000-0x0000000000B6A000-memory.exe	85
PID 8 wrote to memory of 2092	8	2792-29-0x00000000002A0000-0x0000000000B6A000-memory.exe	85
PID 8 wrote to memory of 2092	8	2792-29-0x00000000002A0000-0x0000000000B6A000-memory.exe	85
PID 2064 wrote to memory of 4608	2064	Payload.exe	92
PID 2064 wrote to memory of 4608	2064	Payload.exe	92
PID 2064 wrote to memory of 4608	2064	Payload.exe	92
PID 2064 wrote to memory of 5032	2064	Payload.exe	93
PID 2064 wrote to memory of 5032	2064	Payload.exe	93
PID 2064 wrote to memory of 5032	2064	Payload.exe	93

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
5032	attrib.exe
2092	attrib.exe
4608	attrib.exe

C:\Users\Admin\AppData\Local\Temp\2792-29-0x00000000002A0000-0x0000000000B6A000-memory.exe
"C:\Users\Admin\AppData\Local\Temp\2792-29-0x00000000002A0000-0x0000000000B6A000-memory.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:8
- C:\ProgramData\Payload.exe
  "C:\ProgramData\Payload.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2064
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe"
    3⤵
    - Drops startup file
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:4608
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:5032
- C:\Windows\SysWOW64\attrib.exe
  attrib +h +r +s "C:\ProgramData\Payload.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:2092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Payload.exe

Filesize
8.8MB

MD5
dc12c3ed6545883e412fd53aee9f9bc8

SHA1
745727e55ea35ef91fdae244f1d09f146309090c

SHA256
590383f4bc81eb472544475d3f93b43967d12d499a1bc46e031d7cd5001d348c

SHA512
eef34bca2e27e0e1ea61c12d82a85407a852b7ef236c4d6a91ec2e85a9be4a85219363759dbb2db23744c7772b9ccd0209977621a681f1345fa5754bfe30be4c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk

Filesize
1KB

MD5
9f8aa8d72184c88280eba793825f8467

SHA1
bd4c4fd7959b7d69b847d2757ce349f6b0b79c6b

SHA256
c07f1fb16ddeb36694a50e400e6a8d30480fb93755cc9befc6d465fd2e961590

SHA512
acabb4a6667dea6b76a2c5556a31c844b8781f4cf51cb0a6cc46325912c0ec9cbb7b5be25724147156c093c17fb9124bdb92b9e1ec5865a749a529b3f3ac35c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk

Filesize
1KB

MD5
ede91f3d33a9a017174c0031e96007f0

SHA1
c52360c9fff6e5465022b934c3a74b3b211a0be6

SHA256
334ed85785265b6fbefd757b7db0b3751db8867bd37e9f16bf538e69ed6d685a

SHA512
2c52dd4127207527611419baadeea7ce290243575121c60c9670ee77c72a93dc1e0aa8c487c3bb2ee2ab1230f96821ecff799543849646ad3eded94afd632627

Download Submit
memory/8-1-0x0000000000660000-0x0000000000F2A000-memory.dmp

Filesize
8.8MB

Download
memory/8-2-0x0000000005950000-0x00000000059EC000-memory.dmp

Filesize
624KB

Download
memory/8-5-0x00000000067B0000-0x0000000006D54000-memory.dmp

Filesize
5.6MB

Download
memory/8-11-0x000000007443E000-0x000000007443F000-memory.dmp

Filesize
4KB

Download
memory/8-0-0x000000007443E000-0x000000007443F000-memory.dmp

Filesize
4KB

Download
memory/2064-16-0x0000000074430000-0x0000000074BE0000-memory.dmp

Filesize
7.7MB

Download
memory/2064-22-0x0000000074430000-0x0000000074BE0000-memory.dmp

Filesize
7.7MB

Download
memory/2064-23-0x0000000074430000-0x0000000074BE0000-memory.dmp

Filesize
7.7MB

Download
memory/2064-25-0x0000000006400000-0x0000000006492000-memory.dmp

Filesize
584KB

Download
memory/2064-26-0x00000000063F0000-0x00000000063FA000-memory.dmp

Filesize
40KB

Download
memory/2064-27-0x0000000074430000-0x0000000074BE0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads