njrat | 5b865c8778d7a63764e8b674d325692ff11476d906772442ac9d4a37d1cd2b68

General

Target

5b865c8778d7a63764e8b674d325692ff11476d906772442ac9d4a37d1cd2b68N.exe
Size

2.1MB
MD5

5a5ede5e571640b9f3445f51cc08f380
SHA1

a41f146946155f2b6a399be1a8fa56317d1c6978
SHA256

5b865c8778d7a63764e8b674d325692ff11476d906772442ac9d4a37d1cd2b68
SHA512

df24b46813e2fbeb5d57949a6c7a0a47e49c27d88b9529a3117b2b5029b27d4930c8f48c4dd1d0403b9d01b1cfe43befdaa619e00d8db8ca72dd7e82efa5afd3
SSDEEP

49152:Pkwkn9IMHeaYhh3M3i4Njx4HfXCaP3YtcpQTXOKNBY/jc+f+0wqaPCS:cdnVkhr4Njx8fPAypEYffaRPC

Score

10^/10

njrat discovery evasion persistence privilege_escalation trojan

Malware Config

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1372	netsh.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	5b865c8778d7a63764e8b674d325692ff11476d906772442ac9d4a37d1cd2b68N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	5660.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	342.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7aee97b745d234989703e0dbca0861b2.exe	superfetch.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7aee97b745d234989703e0dbca0861b2.exe	superfetch.exe

Executes dropped EXE 3 IoCs

pid	Process
1400	5660.exe
3364	342.exe
436	superfetch.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7aee97b745d234989703e0dbca0861b2 = "\"C:\\Users\\Admin\\AppData\\Roaming\\superfetch.exe\" .."	superfetch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\7aee97b745d234989703e0dbca0861b2 = "\"C:\\Users\\Admin\\AppData\\Roaming\\superfetch.exe\" .."	superfetch.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x0008000000023ca0-14.dat	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5b865c8778d7a63764e8b674d325692ff11476d906772442ac9d4a37d1cd2b68N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5660.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	342.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	superfetch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeDebugPrivilege	436	superfetch.exe
Token: 33	436	superfetch.exe
Token: SeIncBasePriorityPrivilege	436	superfetch.exe
Token: 33	436	superfetch.exe
Token: SeIncBasePriorityPrivilege	436	superfetch.exe
Token: 33	436	superfetch.exe
Token: SeIncBasePriorityPrivilege	436	superfetch.exe
Token: 33	436	superfetch.exe
Token: SeIncBasePriorityPrivilege	436	superfetch.exe
Token: 33	436	superfetch.exe
Token: SeIncBasePriorityPrivilege	436	superfetch.exe
Token: 33	436	superfetch.exe
Token: SeIncBasePriorityPrivilege	436	superfetch.exe
Token: 33	436	superfetch.exe
Token: SeIncBasePriorityPrivilege	436	superfetch.exe
Token: 33	436	superfetch.exe
Token: SeIncBasePriorityPrivilege	436	superfetch.exe
Token: 33	436	superfetch.exe
Token: SeIncBasePriorityPrivilege	436	superfetch.exe
Token: 33	436	superfetch.exe
Token: SeIncBasePriorityPrivilege	436	superfetch.exe
Token: 33	436	superfetch.exe
Token: SeIncBasePriorityPrivilege	436	superfetch.exe
Token: 33	436	superfetch.exe
Token: SeIncBasePriorityPrivilege	436	superfetch.exe
Token: 33	436	superfetch.exe
Token: SeIncBasePriorityPrivilege	436	superfetch.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1004 wrote to memory of 1400	1004	5b865c8778d7a63764e8b674d325692ff11476d906772442ac9d4a37d1cd2b68N.exe	86
PID 1004 wrote to memory of 1400	1004	5b865c8778d7a63764e8b674d325692ff11476d906772442ac9d4a37d1cd2b68N.exe	86
PID 1004 wrote to memory of 1400	1004	5b865c8778d7a63764e8b674d325692ff11476d906772442ac9d4a37d1cd2b68N.exe	86
PID 1400 wrote to memory of 3364	1400	5660.exe	88
PID 1400 wrote to memory of 3364	1400	5660.exe	88
PID 1400 wrote to memory of 3364	1400	5660.exe	88
PID 3364 wrote to memory of 436	3364	342.exe	89
PID 3364 wrote to memory of 436	3364	342.exe	89
PID 3364 wrote to memory of 436	3364	342.exe	89
PID 436 wrote to memory of 1372	436	superfetch.exe	90
PID 436 wrote to memory of 1372	436	superfetch.exe	90
PID 436 wrote to memory of 1372	436	superfetch.exe	90

C:\Users\Admin\AppData\Local\Temp\5b865c8778d7a63764e8b674d325692ff11476d906772442ac9d4a37d1cd2b68N.exe
"C:\Users\Admin\AppData\Local\Temp\5b865c8778d7a63764e8b674d325692ff11476d906772442ac9d4a37d1cd2b68N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1004
- C:\Users\Admin\AppData\Local\Temp\5660\5660.exe
  "C:\Users\Admin\AppData\Local\Temp\5660\5660.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1400
- - C:\Users\Admin\AppData\Local\Temp\342\342.exe
    "C:\Users\Admin\AppData\Local\Temp\342\342.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3364
  - - C:\Users\Admin\AppData\Roaming\superfetch.exe
      "C:\Users\Admin\AppData\Roaming\superfetch.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:436
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\superfetch.exe" "superfetch.exe" ENABLE
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:1372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\342\342.exe

Filesize
40KB

MD5
be9dbd62d9f9d7f53cd7764190cde9b9

SHA1
7f6d669755b73c8c0be9435abe5bb9e781990c7c

SHA256
920140c94de8ab921b5d1bc6d3ccb7f04a6944a99a62ff7c7b19ba8b942f64a5

SHA512
7fce5ff25c30b78df56fc98bb450bbf9ce49ce87168f6fe44a4eb4a9cb349b5d3796a9ebb52c9b9e12a9c972d8a62b512d635f92881d41d963a5e42172354727

Download Submit
C:\Users\Admin\AppData\Local\Temp\5660\5660.exe

Filesize
899KB

MD5
1a4ebc6272e36dc43055dd6f076fe34a

SHA1
5f6333ec71ca8f06f7ba4d85f99314eee1915c8e

SHA256
6544da56d97914db734ec51cfe5b346b49b14fc8506f5fe5012b077d897ab0b1

SHA512
3159c00b346a8d3677ad7a2f0a5b479ba4f224bd6fe00919ea52a730db8ac9354a2786fde6103270feddbfb48cda1175cda833dd0721ea6234c71d253fc5316f

Download Submit
memory/3364-41-0x0000000072BD2000-0x0000000072BD3000-memory.dmp

Filesize
4KB

Download
memory/3364-42-0x0000000072BD0000-0x0000000073181000-memory.dmp

Filesize
5.7MB

Download
memory/3364-43-0x0000000072BD0000-0x0000000073181000-memory.dmp

Filesize
5.7MB

Download
memory/3364-56-0x0000000072BD0000-0x0000000073181000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads