njrat | 98beb11128477233f510135ca515e2daa0ecfd35b90992715c84a0faa71d7625

General

Target

98beb11128477233f510135ca515e2daa0ecfd35b90992715c84a0faa71d7625.exe
Size

123KB
MD5

2120b66a2246d7661a980043ab82f05c
SHA1

bb57a1ff817a59492a60fd5f61007a8e437197ec
SHA256

98beb11128477233f510135ca515e2daa0ecfd35b90992715c84a0faa71d7625
SHA512

255a3a45032dc744c95afa20a63f87b8714576fb1d7305d45a40f4501228489c740f56677aad88496bc470d2f3adc540b1448155813ec0639da1b5aee24cc6e5
SSDEEP

3072:66/KF8sHs5WTjcCQmdsbGluHPxPhIH0j+2jCT:y/s5WVQJ5iZ2+T

Score

10^/10

njrat discovery trojan

Malware Config

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	98beb11128477233f510135ca515e2daa0ecfd35b90992715c84a0faa71d7625.exe

Executes dropped EXE 2 IoCs

pid	Process
1680	system.exe
4896	system.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3868 set thread context of 1764	3868	98beb11128477233f510135ca515e2daa0ecfd35b90992715c84a0faa71d7625.exe	85
PID 1680 set thread context of 4896	1680	system.exe	97

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4612	4896	WerFault.exe	97

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	98beb11128477233f510135ca515e2daa0ecfd35b90992715c84a0faa71d7625.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	98beb11128477233f510135ca515e2daa0ecfd35b90992715c84a0faa71d7625.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3868	98beb11128477233f510135ca515e2daa0ecfd35b90992715c84a0faa71d7625.exe
Token: SeDebugPrivilege	1680	system.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3868 wrote to memory of 1764	3868	98beb11128477233f510135ca515e2daa0ecfd35b90992715c84a0faa71d7625.exe	85
PID 3868 wrote to memory of 1764	3868	98beb11128477233f510135ca515e2daa0ecfd35b90992715c84a0faa71d7625.exe	85
PID 3868 wrote to memory of 1764	3868	98beb11128477233f510135ca515e2daa0ecfd35b90992715c84a0faa71d7625.exe	85
PID 3868 wrote to memory of 1764	3868	98beb11128477233f510135ca515e2daa0ecfd35b90992715c84a0faa71d7625.exe	85
PID 3868 wrote to memory of 1764	3868	98beb11128477233f510135ca515e2daa0ecfd35b90992715c84a0faa71d7625.exe	85
PID 3868 wrote to memory of 1764	3868	98beb11128477233f510135ca515e2daa0ecfd35b90992715c84a0faa71d7625.exe	85
PID 3868 wrote to memory of 1764	3868	98beb11128477233f510135ca515e2daa0ecfd35b90992715c84a0faa71d7625.exe	85
PID 3868 wrote to memory of 1764	3868	98beb11128477233f510135ca515e2daa0ecfd35b90992715c84a0faa71d7625.exe	85
PID 1764 wrote to memory of 1680	1764	98beb11128477233f510135ca515e2daa0ecfd35b90992715c84a0faa71d7625.exe	95
PID 1764 wrote to memory of 1680	1764	98beb11128477233f510135ca515e2daa0ecfd35b90992715c84a0faa71d7625.exe	95
PID 1764 wrote to memory of 1680	1764	98beb11128477233f510135ca515e2daa0ecfd35b90992715c84a0faa71d7625.exe	95
PID 1680 wrote to memory of 4896	1680	system.exe	97
PID 1680 wrote to memory of 4896	1680	system.exe	97
PID 1680 wrote to memory of 4896	1680	system.exe	97
PID 1680 wrote to memory of 4896	1680	system.exe	97

C:\Users\Admin\AppData\Local\Temp\98beb11128477233f510135ca515e2daa0ecfd35b90992715c84a0faa71d7625.exe
"C:\Users\Admin\AppData\Local\Temp\98beb11128477233f510135ca515e2daa0ecfd35b90992715c84a0faa71d7625.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3868
- C:\Users\Admin\AppData\Local\Temp\98beb11128477233f510135ca515e2daa0ecfd35b90992715c84a0faa71d7625.exe
  C:\Users\Admin\AppData\Local\Temp\98beb11128477233f510135ca515e2daa0ecfd35b90992715c84a0faa71d7625.exe
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1764
- - C:\Users\Admin\AppData\Local\Temp\system.exe
    "C:\Users\Admin\AppData\Local\Temp\system.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1680
  - - C:\Users\Admin\AppData\Local\Temp\system.exe
      C:\Users\Admin\AppData\Local\Temp\system.exe
      4⤵
      Executes dropped EXE
      PID:4896
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4896 -s 80
        5⤵
        Program crash
        
        PID:4612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4896 -ip 4896
1⤵
PID:3372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\98beb11128477233f510135ca515e2daa0ecfd35b90992715c84a0faa71d7625.exe.log

Filesize
418B

MD5
98eea38457c9976c0ec48b5a70964041

SHA1
281ec6ada096be89ade13852ca86edfe42ffe3c1

SHA256
4a7455429d6f3c7390f97bc406d0bcc7d64ddff6bee5ffa9e88c5a75f806bfcf

SHA512
adb7bb4e1434d743932890aede4daa55c6e9f091415292775313dd172949fbd415f124c97e017a8204aab530b6184f196ab5cce005781b0853ffccc620f07530

Download Submit
C:\Users\Admin\AppData\Local\Temp\system.exe

Filesize
123KB

MD5
2120b66a2246d7661a980043ab82f05c

SHA1
bb57a1ff817a59492a60fd5f61007a8e437197ec

SHA256
98beb11128477233f510135ca515e2daa0ecfd35b90992715c84a0faa71d7625

SHA512
255a3a45032dc744c95afa20a63f87b8714576fb1d7305d45a40f4501228489c740f56677aad88496bc470d2f3adc540b1448155813ec0639da1b5aee24cc6e5

Download Submit
memory/1680-26-0x00000000746B0000-0x0000000074E60000-memory.dmp

Filesize
7.7MB

Download
memory/1680-25-0x00000000746B0000-0x0000000074E60000-memory.dmp

Filesize
7.7MB

Download
memory/1680-22-0x00000000746B0000-0x0000000074E60000-memory.dmp

Filesize
7.7MB

Download
memory/1764-4-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1764-21-0x00000000746B0000-0x0000000074E60000-memory.dmp

Filesize
7.7MB

Download
memory/1764-8-0x00000000746B0000-0x0000000074E60000-memory.dmp

Filesize
7.7MB

Download
memory/3868-3-0x0000000005600000-0x000000000569C000-memory.dmp

Filesize
624KB

Download
memory/3868-9-0x00000000746B0000-0x0000000074E60000-memory.dmp

Filesize
7.7MB

Download
memory/3868-7-0x00000000746B0000-0x0000000074E60000-memory.dmp

Filesize
7.7MB

Download
memory/3868-0-0x00000000746BE000-0x00000000746BF000-memory.dmp

Filesize
4KB

Download
memory/3868-2-0x0000000005B10000-0x00000000060B4000-memory.dmp

Filesize
5.6MB

Download
memory/3868-1-0x0000000000B90000-0x0000000000BAE000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing