njrat | d2ef2dc4e906d9f9701f233fd85624d4d4ede7e5aac364cb5dd4a6659dc2da2b

General

Target

d2ef2dc4e906d9f9701f233fd85624d4d4ede7e5aac364cb5dd4a6659dc2da2bN.exe
Size

5.2MB
MD5

b36ef0f4c7880832bb03508c6421efe0
SHA1

71d4534d1edf6a74369bb8abdbccd254255d5391
SHA256

d2ef2dc4e906d9f9701f233fd85624d4d4ede7e5aac364cb5dd4a6659dc2da2b
SHA512

c7dee9a9d2b51be81008182caa1f2f70f23b5c1ed4c815e44d6616bf58b44a5374699c650ac4711ffdd89a00bb766a5c3ddb1a464c74913bc504cb883f3a979d
SSDEEP

98304:JjhbDRAMazoYl0nxkUki2O/loAxf0Rd1izDicr2HTW5IpH0BzY:JjxDRAMoo20nxkUki2Eljx0RdM6cr2z3

Score

10^/10

njrat victim discovery trojan

Malware Config

Extracted

Family

njrat

Version

<- NjRAT 0.7d Horror Edition ->

Botnet

Victim

C2

f2hd.ddns.net:1177

Mutex

246b94c19bcd8b952f3ab6574fa052da

Attributes

reg_key
246b94c19bcd8b952f3ab6574fa052da
splitter
Y262SUCZ4UJJ

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 2 IoCs

pid	Process
2376	Payload.exe
1372	XWormLoader.exe

Loads dropped DLL 19 IoCs

pid	Process
1372	XWormLoader.exe
1372	XWormLoader.exe
1372	XWormLoader.exe
1372	XWormLoader.exe
1372	XWormLoader.exe
1372	XWormLoader.exe
1372	XWormLoader.exe
1372	XWormLoader.exe
1372	XWormLoader.exe
1372	XWormLoader.exe
1372	XWormLoader.exe
1372	XWormLoader.exe
1372	XWormLoader.exe
1372	XWormLoader.exe
2156	WerFault.exe
2156	WerFault.exe
2156	WerFault.exe
2156	WerFault.exe
2156	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2156	1372	WerFault.exe	31

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Payload.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XWormLoader.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeDebugPrivilege	2376	Payload.exe
Token: 33	2376	Payload.exe
Token: SeIncBasePriorityPrivilege	2376	Payload.exe
Token: 33	2376	Payload.exe
Token: SeIncBasePriorityPrivilege	2376	Payload.exe
Token: 33	2376	Payload.exe
Token: SeIncBasePriorityPrivilege	2376	Payload.exe
Token: 33	2376	Payload.exe
Token: SeIncBasePriorityPrivilege	2376	Payload.exe
Token: 33	2376	Payload.exe
Token: SeIncBasePriorityPrivilege	2376	Payload.exe
Token: 33	2376	Payload.exe
Token: SeIncBasePriorityPrivilege	2376	Payload.exe
Token: 33	2376	Payload.exe
Token: SeIncBasePriorityPrivilege	2376	Payload.exe
Token: 33	2376	Payload.exe
Token: SeIncBasePriorityPrivilege	2376	Payload.exe
Token: 33	2376	Payload.exe
Token: SeIncBasePriorityPrivilege	2376	Payload.exe
Token: 33	2376	Payload.exe
Token: SeIncBasePriorityPrivilege	2376	Payload.exe
Token: 33	2376	Payload.exe
Token: SeIncBasePriorityPrivilege	2376	Payload.exe
Token: 33	2376	Payload.exe
Token: SeIncBasePriorityPrivilege	2376	Payload.exe
Token: 33	2376	Payload.exe
Token: SeIncBasePriorityPrivilege	2376	Payload.exe
Token: 33	2376	Payload.exe
Token: SeIncBasePriorityPrivilege	2376	Payload.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1704 wrote to memory of 2376	1704	d2ef2dc4e906d9f9701f233fd85624d4d4ede7e5aac364cb5dd4a6659dc2da2bN.exe	30
PID 1704 wrote to memory of 2376	1704	d2ef2dc4e906d9f9701f233fd85624d4d4ede7e5aac364cb5dd4a6659dc2da2bN.exe	30
PID 1704 wrote to memory of 2376	1704	d2ef2dc4e906d9f9701f233fd85624d4d4ede7e5aac364cb5dd4a6659dc2da2bN.exe	30
PID 1704 wrote to memory of 2376	1704	d2ef2dc4e906d9f9701f233fd85624d4d4ede7e5aac364cb5dd4a6659dc2da2bN.exe	30
PID 1704 wrote to memory of 1372	1704	d2ef2dc4e906d9f9701f233fd85624d4d4ede7e5aac364cb5dd4a6659dc2da2bN.exe	31
PID 1704 wrote to memory of 1372	1704	d2ef2dc4e906d9f9701f233fd85624d4d4ede7e5aac364cb5dd4a6659dc2da2bN.exe	31
PID 1704 wrote to memory of 1372	1704	d2ef2dc4e906d9f9701f233fd85624d4d4ede7e5aac364cb5dd4a6659dc2da2bN.exe	31
PID 1704 wrote to memory of 1372	1704	d2ef2dc4e906d9f9701f233fd85624d4d4ede7e5aac364cb5dd4a6659dc2da2bN.exe	31
PID 1372 wrote to memory of 2156	1372	XWormLoader.exe	33
PID 1372 wrote to memory of 2156	1372	XWormLoader.exe	33
PID 1372 wrote to memory of 2156	1372	XWormLoader.exe	33
PID 1372 wrote to memory of 2156	1372	XWormLoader.exe	33

C:\Users\Admin\AppData\Local\Temp\d2ef2dc4e906d9f9701f233fd85624d4d4ede7e5aac364cb5dd4a6659dc2da2bN.exe
"C:\Users\Admin\AppData\Local\Temp\d2ef2dc4e906d9f9701f233fd85624d4d4ede7e5aac364cb5dd4a6659dc2da2bN.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Users\Admin\AppData\Local\Temp\Payload.exe
  "C:\Users\Admin\AppData\Local\Temp\Payload.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2376
- C:\Users\Admin\AppData\Local\Temp\XWormLoader.exe
  "C:\Users\Admin\AppData\Local\Temp\XWormLoader.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1372
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1372 -s 712
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Mono.Cecil.dll

Filesize
350KB

MD5
de69bb29d6a9dfb615a90df3580d63b1

SHA1
74446b4dcc146ce61e5216bf7efac186adf7849b

SHA256
f66f97866433e688acc3e4cd1e6ef14505f81df6b26dd6215e376767f6f954bc

SHA512
6e96a510966a4acbca900773d4409720b0771fede37f24431bf0d8b9c611eaa152ba05ee588bb17f796d7b8caaccc10534e7cc1c907c28ddfa54ac4ce3952015

Download Submit
C:\Users\Admin\AppData\Local\Temp\MonoMod.Backports.dll

Filesize
138KB

MD5
dd43356f07fc0ce082db4e2f102747a2

SHA1
aa0782732e2d60fa668b0aadbf3447ef70b6a619

SHA256
e375b83a3e242212a2ed9478e1f0b8383c1bf1fdfab5a1cf766df740b631afd6

SHA512
284d64b99931ed1f2e839a7b19ee8389eefaf6c72bac556468a01f3eb17000252613c01dbae88923e9a02f3c84bcab02296659648fad727123f63d0ac38d258e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MonoMod.Core.dll

Filesize
216KB

MD5
b808181453b17f3fc1ab153bf11be197

SHA1
bce86080b7eb76783940d1ff277e2b46f231efe9

SHA256
da00cdfab411f8f535f17258981ec51d1af9b0bfcee3a360cbd0cb6f692dbcdd

SHA512
a2d941c6e69972f99707ade5c5325eb50b0ec4c5abf6a189eb11a46606fed8076be44c839d83cf310b67e66471e0ea3f6597857a8e2c7e2a7ad6de60c314f7d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\MonoMod.ILHelpers.dll

Filesize
6KB

MD5
6512e89e0cb92514ef24be43f0bf4500

SHA1
a039c51f89656d9d5c584f063b2b675a9ff44b8e

SHA256
1411e4858412ded195f0e65544a4ec8e8249118b76375050a35c076940826cd0

SHA512
9ffb2ff050cce82dbfbbb0e85ab5f976fcd81086b3d8695502c5221c23d14080f0e494a33e0092b4feb2eda12e2130a2f02df3125733c2f5ec31356e92dea00b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MonoMod.Utils.dll

Filesize
319KB

MD5
79f1c4c312fdbb9258c2cdde3772271f

SHA1
a143434883e4ef2c0190407602b030f5c4fdf96f

SHA256
f22a4fa1e8b1b70286ecf07effb15d2184454fa88325ce4c0f31ffadb4bef50a

SHA512
b28ed3c063ae3a15cd52e625a860bbb65f6cd38ccad458657a163cd927c74ebf498fb12f1e578e869bcea00c6cd3f47ede10866e34a48c133c5ac26b902ae5d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Payload.exe

Filesize
55KB

MD5
e595ad9e8bacf2d7b0d91ab5117cd35c

SHA1
c7a9ab7cf7d3cbed1808ce608cd4a949e7114778

SHA256
db11890b5a06a9856e04a0556be9711cefc49dad23328b51b94cf75fe8d26cd9

SHA512
e1eb45740c1fe871b4179b4450e18ecd381bc27eaa46da843e1cc5bdf46b4c58b1e5690a22539a287e2c0196dd572d662a4c3757c0751fa92fb3a62660452d07

Download Submit
C:\Users\Admin\AppData\Local\Temp\RVGLib.dll

Filesize
241KB

MD5
5bbc659b819d1a39f1987136c7d8e014

SHA1
e6d9472deb956cff4b6d706ef475209ceb69d2cd

SHA256
45aa789e30b3239064645d2832e1cb70d132017817499ce73ceb0593a94bb4be

SHA512
5563a0dde515516f3c0cf231a8ad49e1c1c3081444b3159593ebec90d2fd20b0adde200184b0e4e30502ea3b9db3b04ac1f2a14c04bf10e81489f82173769f97

Download Submit
C:\Users\Admin\AppData\Local\Temp\XWormLoader.exe

Filesize
101KB

MD5
39d81ca537ceb52632fbb2e975c3ee2f

SHA1
0a3814bd3ccea28b144983daab277d72313524e4

SHA256
76c4d61afdebf279316b40e1ca3c56996b16d760aa080d3121d6982f0e61d8e7

SHA512
18f7acf9e7b992e95f06ab1c96f017a6e7acde36c1e7c1ff254853a1bfcde65abcdaa797b36071b9349e83aa2c0a45c6dfb2d637c153b53c66fc92066f6d4f9a

Download Submit
memory/1372-44-0x0000000000AD0000-0x0000000000AF8000-memory.dmp

Filesize
160KB

Download
memory/1372-56-0x0000000004820000-0x0000000004876000-memory.dmp

Filesize
344KB

Download
memory/1372-39-0x0000000000660000-0x00000000006A2000-memory.dmp

Filesize
264KB

Download
memory/1372-63-0x00000000048D0000-0x00000000048EA000-memory.dmp

Filesize
104KB

Download
memory/1372-62-0x0000000004880000-0x00000000048BC000-memory.dmp

Filesize
240KB

Download
memory/1372-32-0x00000000012F0000-0x000000000130E000-memory.dmp

Filesize
120KB

Download
memory/1372-48-0x0000000000520000-0x0000000000526000-memory.dmp

Filesize
24KB

Download
memory/1372-58-0x0000000000D80000-0x0000000000D86000-memory.dmp

Filesize
24KB

Download
memory/1372-52-0x00000000011D0000-0x000000000122E000-memory.dmp

Filesize
376KB

Download
memory/1372-57-0x0000000000BD0000-0x0000000000BD6000-memory.dmp

Filesize
24KB

Download
memory/1704-10-0x000007FEF5400000-0x000007FEF5DEC000-memory.dmp

Filesize
9.9MB

Download
memory/1704-1-0x0000000000FA0000-0x00000000014E0000-memory.dmp

Filesize
5.2MB

Download
memory/1704-0-0x000007FEF5403000-0x000007FEF5404000-memory.dmp

Filesize
4KB

Download
memory/1704-71-0x000007FEF5400000-0x000007FEF5DEC000-memory.dmp

Filesize
9.9MB

Download
memory/2376-40-0x00000000743B0000-0x000000007495B000-memory.dmp

Filesize
5.7MB

Download
memory/2376-19-0x00000000743B1000-0x00000000743B2000-memory.dmp

Filesize
4KB

Download
memory/2376-35-0x00000000743B0000-0x000000007495B000-memory.dmp

Filesize
5.7MB

Download
memory/2376-72-0x00000000743B0000-0x000000007495B000-memory.dmp

Filesize
5.7MB

Download
memory/2376-73-0x00000000743B0000-0x000000007495B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing