njrat | d2ef2dc4e906d9f9701f233fd85624d4d4ede7e5aac364cb5dd4a6659dc2da2b

General

Target

d2ef2dc4e906d9f9701f233fd85624d4d4ede7e5aac364cb5dd4a6659dc2da2bN.exe
Size

5.2MB
MD5

b36ef0f4c7880832bb03508c6421efe0
SHA1

71d4534d1edf6a74369bb8abdbccd254255d5391
SHA256

d2ef2dc4e906d9f9701f233fd85624d4d4ede7e5aac364cb5dd4a6659dc2da2b
SHA512

c7dee9a9d2b51be81008182caa1f2f70f23b5c1ed4c815e44d6616bf58b44a5374699c650ac4711ffdd89a00bb766a5c3ddb1a464c74913bc504cb883f3a979d
SSDEEP

98304:JjhbDRAMazoYl0nxkUki2O/loAxf0Rd1izDicr2HTW5IpH0BzY:JjxDRAMoo20nxkUki2Eljx0RdM6cr2z3

Score

10^/10

njrat discovery trojan

Malware Config

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	d2ef2dc4e906d9f9701f233fd85624d4d4ede7e5aac364cb5dd4a6659dc2da2bN.exe

Executes dropped EXE 2 IoCs

pid	Process
2848	Payload.exe
4904	XWormLoader.exe

Loads dropped DLL 12 IoCs

pid	Process
4904	XWormLoader.exe
4904	XWormLoader.exe
4904	XWormLoader.exe
4904	XWormLoader.exe
4904	XWormLoader.exe
4904	XWormLoader.exe
4904	XWormLoader.exe
4904	XWormLoader.exe
4904	XWormLoader.exe
4904	XWormLoader.exe
4904	XWormLoader.exe
4904	XWormLoader.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2104	4904	WerFault.exe	87

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Payload.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XWormLoader.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	d2ef2dc4e906d9f9701f233fd85624d4d4ede7e5aac364cb5dd4a6659dc2da2bN.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	OpenWith.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeDebugPrivilege	2848	Payload.exe
Token: 33	2848	Payload.exe
Token: SeIncBasePriorityPrivilege	2848	Payload.exe
Token: 33	2848	Payload.exe
Token: SeIncBasePriorityPrivilege	2848	Payload.exe
Token: 33	2848	Payload.exe
Token: SeIncBasePriorityPrivilege	2848	Payload.exe
Token: 33	2848	Payload.exe
Token: SeIncBasePriorityPrivilege	2848	Payload.exe
Token: 33	2848	Payload.exe
Token: SeIncBasePriorityPrivilege	2848	Payload.exe
Token: 33	2848	Payload.exe
Token: SeIncBasePriorityPrivilege	2848	Payload.exe
Token: 33	2848	Payload.exe
Token: SeIncBasePriorityPrivilege	2848	Payload.exe
Token: 33	2848	Payload.exe
Token: SeIncBasePriorityPrivilege	2848	Payload.exe
Token: 33	2848	Payload.exe
Token: SeIncBasePriorityPrivilege	2848	Payload.exe
Token: 33	2848	Payload.exe
Token: SeIncBasePriorityPrivilege	2848	Payload.exe
Token: 33	2848	Payload.exe
Token: SeIncBasePriorityPrivilege	2848	Payload.exe
Token: 33	2848	Payload.exe
Token: SeIncBasePriorityPrivilege	2848	Payload.exe
Token: 33	2848	Payload.exe
Token: SeIncBasePriorityPrivilege	2848	Payload.exe
Token: 33	2848	Payload.exe
Token: SeIncBasePriorityPrivilege	2848	Payload.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5080	OpenWith.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5028 wrote to memory of 2848	5028	d2ef2dc4e906d9f9701f233fd85624d4d4ede7e5aac364cb5dd4a6659dc2da2bN.exe	86
PID 5028 wrote to memory of 2848	5028	d2ef2dc4e906d9f9701f233fd85624d4d4ede7e5aac364cb5dd4a6659dc2da2bN.exe	86
PID 5028 wrote to memory of 2848	5028	d2ef2dc4e906d9f9701f233fd85624d4d4ede7e5aac364cb5dd4a6659dc2da2bN.exe	86
PID 5028 wrote to memory of 4904	5028	d2ef2dc4e906d9f9701f233fd85624d4d4ede7e5aac364cb5dd4a6659dc2da2bN.exe	87
PID 5028 wrote to memory of 4904	5028	d2ef2dc4e906d9f9701f233fd85624d4d4ede7e5aac364cb5dd4a6659dc2da2bN.exe	87
PID 5028 wrote to memory of 4904	5028	d2ef2dc4e906d9f9701f233fd85624d4d4ede7e5aac364cb5dd4a6659dc2da2bN.exe	87

C:\Users\Admin\AppData\Local\Temp\d2ef2dc4e906d9f9701f233fd85624d4d4ede7e5aac364cb5dd4a6659dc2da2bN.exe
"C:\Users\Admin\AppData\Local\Temp\d2ef2dc4e906d9f9701f233fd85624d4d4ede7e5aac364cb5dd4a6659dc2da2bN.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5028
- C:\Users\Admin\AppData\Local\Temp\Payload.exe
  "C:\Users\Admin\AppData\Local\Temp\Payload.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2848
- C:\Users\Admin\AppData\Local\Temp\XWormLoader.exe
  "C:\Users\Admin\AppData\Local\Temp\XWormLoader.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4904
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4904 -s 1120
    3⤵
    - Program crash
    PID:2104

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4904 -ip 4904
1⤵
PID:1816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Mono.Cecil.dll

Filesize
350KB

MD5
de69bb29d6a9dfb615a90df3580d63b1

SHA1
74446b4dcc146ce61e5216bf7efac186adf7849b

SHA256
f66f97866433e688acc3e4cd1e6ef14505f81df6b26dd6215e376767f6f954bc

SHA512
6e96a510966a4acbca900773d4409720b0771fede37f24431bf0d8b9c611eaa152ba05ee588bb17f796d7b8caaccc10534e7cc1c907c28ddfa54ac4ce3952015

Download Submit
C:\Users\Admin\AppData\Local\Temp\MonoMod.Backports.dll

Filesize
138KB

MD5
dd43356f07fc0ce082db4e2f102747a2

SHA1
aa0782732e2d60fa668b0aadbf3447ef70b6a619

SHA256
e375b83a3e242212a2ed9478e1f0b8383c1bf1fdfab5a1cf766df740b631afd6

SHA512
284d64b99931ed1f2e839a7b19ee8389eefaf6c72bac556468a01f3eb17000252613c01dbae88923e9a02f3c84bcab02296659648fad727123f63d0ac38d258e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MonoMod.Core.dll

Filesize
216KB

MD5
b808181453b17f3fc1ab153bf11be197

SHA1
bce86080b7eb76783940d1ff277e2b46f231efe9

SHA256
da00cdfab411f8f535f17258981ec51d1af9b0bfcee3a360cbd0cb6f692dbcdd

SHA512
a2d941c6e69972f99707ade5c5325eb50b0ec4c5abf6a189eb11a46606fed8076be44c839d83cf310b67e66471e0ea3f6597857a8e2c7e2a7ad6de60c314f7d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\MonoMod.ILHelpers.dll

Filesize
6KB

MD5
6512e89e0cb92514ef24be43f0bf4500

SHA1
a039c51f89656d9d5c584f063b2b675a9ff44b8e

SHA256
1411e4858412ded195f0e65544a4ec8e8249118b76375050a35c076940826cd0

SHA512
9ffb2ff050cce82dbfbbb0e85ab5f976fcd81086b3d8695502c5221c23d14080f0e494a33e0092b4feb2eda12e2130a2f02df3125733c2f5ec31356e92dea00b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MonoMod.Utils.dll

Filesize
319KB

MD5
79f1c4c312fdbb9258c2cdde3772271f

SHA1
a143434883e4ef2c0190407602b030f5c4fdf96f

SHA256
f22a4fa1e8b1b70286ecf07effb15d2184454fa88325ce4c0f31ffadb4bef50a

SHA512
b28ed3c063ae3a15cd52e625a860bbb65f6cd38ccad458657a163cd927c74ebf498fb12f1e578e869bcea00c6cd3f47ede10866e34a48c133c5ac26b902ae5d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Payload.exe

Filesize
55KB

MD5
e595ad9e8bacf2d7b0d91ab5117cd35c

SHA1
c7a9ab7cf7d3cbed1808ce608cd4a949e7114778

SHA256
db11890b5a06a9856e04a0556be9711cefc49dad23328b51b94cf75fe8d26cd9

SHA512
e1eb45740c1fe871b4179b4450e18ecd381bc27eaa46da843e1cc5bdf46b4c58b1e5690a22539a287e2c0196dd572d662a4c3757c0751fa92fb3a62660452d07

Download Submit
C:\Users\Admin\AppData\Local\Temp\RVGLib.dll

Filesize
241KB

MD5
5bbc659b819d1a39f1987136c7d8e014

SHA1
e6d9472deb956cff4b6d706ef475209ceb69d2cd

SHA256
45aa789e30b3239064645d2832e1cb70d132017817499ce73ceb0593a94bb4be

SHA512
5563a0dde515516f3c0cf231a8ad49e1c1c3081444b3159593ebec90d2fd20b0adde200184b0e4e30502ea3b9db3b04ac1f2a14c04bf10e81489f82173769f97

Download Submit
C:\Users\Admin\AppData\Local\Temp\XWormLoader.exe

Filesize
101KB

MD5
39d81ca537ceb52632fbb2e975c3ee2f

SHA1
0a3814bd3ccea28b144983daab277d72313524e4

SHA256
76c4d61afdebf279316b40e1ca3c56996b16d760aa080d3121d6982f0e61d8e7

SHA512
18f7acf9e7b992e95f06ab1c96f017a6e7acde36c1e7c1ff254853a1bfcde65abcdaa797b36071b9349e83aa2c0a45c6dfb2d637c153b53c66fc92066f6d4f9a

Download Submit
memory/2848-76-0x00000000016C0000-0x00000000016D0000-memory.dmp

Filesize
64KB

Download
memory/2848-24-0x00000000016C0000-0x00000000016D0000-memory.dmp

Filesize
64KB

Download
memory/4904-56-0x00000000052E0000-0x00000000052E6000-memory.dmp

Filesize
24KB

Download
memory/4904-67-0x00000000054D0000-0x00000000054D6000-memory.dmp

Filesize
24KB

Download
memory/4904-73-0x0000000005670000-0x0000000005680000-memory.dmp

Filesize
64KB

Download
memory/4904-41-0x0000000005360000-0x00000000053FC000-memory.dmp

Filesize
624KB

Download
memory/4904-72-0x0000000005620000-0x000000000563A000-memory.dmp

Filesize
104KB

Download
memory/4904-37-0x0000000004F10000-0x0000000004F52000-memory.dmp

Filesize
264KB

Download
memory/4904-61-0x0000000005460000-0x00000000054BE000-memory.dmp

Filesize
376KB

Download
memory/4904-32-0x0000000000070000-0x000000000008E000-memory.dmp

Filesize
120KB

Download
memory/4904-65-0x0000000005500000-0x0000000005556000-memory.dmp

Filesize
344KB

Download
memory/4904-66-0x0000000005420000-0x0000000005426000-memory.dmp

Filesize
24KB

Download
memory/4904-48-0x0000000005300000-0x0000000005328000-memory.dmp

Filesize
160KB

Download
memory/4904-71-0x00000000055A0000-0x00000000055DC000-memory.dmp

Filesize
240KB

Download
memory/5028-7-0x00007FFB76540000-0x00007FFB77001000-memory.dmp

Filesize
10.8MB

Download
memory/5028-57-0x00007FFB76540000-0x00007FFB77001000-memory.dmp

Filesize
10.8MB

Download
memory/5028-0-0x00007FFB76543000-0x00007FFB76545000-memory.dmp

Filesize
8KB

Download
memory/5028-1-0x0000000000100000-0x0000000000640000-memory.dmp

Filesize
5.2MB

Download

Analysis

Sharing