Overview

overview

10

Static

static

10

for virutotal ni.zip

windows11-21h2-x64

10

Analysis

  • max time kernel
    323s
  • max time network
    324s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    24-10-2024 18:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    for virutotal ni.zip

  • Size

    45KB

  • MD5

    1a2368d23f8d860cdfc3ba6bb18536fa

  • SHA1

    cda69dd2f3e6ef00adf3dceb7f403c95030376a7

  • SHA256

    37882f4164207e92923b63e30c96fa762833603f0967f65102be70b605c631f3

  • SHA512

    c030a4c906ed7bb9ae40c0b12f1c000225986fcd79b68f3c4a51eddc9b16614e37dc055ccd113ab598ebd0c37069eba81d52a74d1a40b01dfdf7a02a54fc1499

  • SSDEEP

    768:8g/qN7Df5msVdlrz4XqaKScBdmFITsH9y4FtYs74yRybclk1gz/b75yB4PGyEvkB:rqh5tVvrk6icBd6EsdyjskGrlggv9yBY

Score
10/10
discordratnjratfarteddiscoverypersistenceratrootkitstealertrojan

Malware Config

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

farted

C2

127.0.0.1:5552

Mutex

Windows Update

Attributes
  • reg_key

    Windows Update

  • splitter

    |Hassan|

Extracted

Family

discordrat

Attributes
  • discord_token

    MTI5OTA1NDUwMzg1Mjc3MzQ3OQ.Gam-5g.mMYt_UiACKf3lceb5vBDHE9GHZi685c16_84bo

  • server_id

    1299046739898011668

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

    stealerrootkitratpersistencediscordrat
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Drops startup file 2 IoCs
  • Executes dropped EXE 7 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 28 IoCs
  • Suspicious use of SendNotifyMessage 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\for virutotal ni.zip"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2808
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:4984
    • C:\Users\Admin\Desktop\for virutotal ni\free robux.exe
      "C:\Users\Admin\Desktop\for virutotal ni\free robux.exe"
      1⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:336
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /sc minute /mo 1 /tn Server /tr C:\Users\Admin\AppData\Local\Temp/Server.exe
        2⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:1984
    • C:\Users\Admin\Desktop\for virutotal ni\Client-built.exe
      "C:\Users\Admin\Desktop\for virutotal ni\Client-built.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:3712
    • C:\Users\Admin\AppData\Local\Temp\Server.exe
      C:\Users\Admin\AppData\Local\Temp/Server.exe
      1⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:3784
    • C:\Users\Admin\AppData\Local\Temp\Server.exe
      C:\Users\Admin\AppData\Local\Temp/Server.exe
      1⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:4260
    • C:\Users\Admin\AppData\Local\Temp\Server.exe
      C:\Users\Admin\AppData\Local\Temp/Server.exe
      1⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2364
    • C:\Users\Admin\AppData\Local\Temp\Server.exe
      C:\Users\Admin\AppData\Local\Temp/Server.exe
      1⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:4392
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe"
      1⤵
      • Drops file in Windows directory
      • Enumerates system info in registry
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2464
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff315fcc40,0x7fff315fcc4c,0x7fff315fcc58
        2⤵
          PID:1020
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1752,i,1368852295711436891,15145002084221393694,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1748 /prefetch:2
          2⤵
            PID:3192
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2044,i,1368852295711436891,15145002084221393694,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2340 /prefetch:3
            2⤵
              PID:2528
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2080,i,1368852295711436891,15145002084221393694,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2356 /prefetch:8
              2⤵
                PID:2680
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3080,i,1368852295711436891,15145002084221393694,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3236 /prefetch:1
                2⤵
                  PID:5076
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3160,i,1368852295711436891,15145002084221393694,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3264 /prefetch:1
                  2⤵
                    PID:4376
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4460,i,1368852295711436891,15145002084221393694,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4488 /prefetch:1
                    2⤵
                      PID:4836
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4476,i,1368852295711436891,15145002084221393694,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3772 /prefetch:8
                      2⤵
                        PID:4820
                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3516,i,1368852295711436891,15145002084221393694,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4704 /prefetch:8
                        2⤵
                          PID:1468
                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4848,i,1368852295711436891,15145002084221393694,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4860 /prefetch:8
                          2⤵
                            PID:1480
                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4432,i,1368852295711436891,15145002084221393694,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5004 /prefetch:8
                            2⤵
                              PID:3800
                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4640,i,1368852295711436891,15145002084221393694,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4940 /prefetch:8
                              2⤵
                                PID:4596
                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4716,i,1368852295711436891,15145002084221393694,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4408 /prefetch:8
                                2⤵
                                  PID:1476
                              • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
                                "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
                                1⤵
                                  PID:2904
                                • C:\Windows\system32\svchost.exe
                                  C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
                                  1⤵
                                    PID:4748
                                  • C:\Windows\system32\svchost.exe
                                    C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
                                    1⤵
                                      PID:4304
                                    • C:\Users\Admin\AppData\Local\Temp\Server.exe
                                      C:\Users\Admin\AppData\Local\Temp/Server.exe
                                      1⤵
                                      • Executes dropped EXE
                                      • System Location Discovery: System Language Discovery
                                      PID:1812

                                    Network

                                    MITRE ATT&CK Enterprise v15

                                    Replay Monitor

                                    Loading Replay Monitor...

                                    Downloads

                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState
                                      Filesize

                                      649B

                                      MD5

                                      f648576190cc86c51434411953af6856

                                      SHA1

                                      f004e083665ff59638b1038a00ea831432fa2e53

                                      SHA256

                                      6b3bc2144b7235c687b181cd72d9cf57f7a6d007b80a2f45ed3145331629a466

                                      SHA512

                                      46a4b8780994ed86f35ea123535693e8ed2922f2c4aae359f701a4c9caa52a5ec08c1acd6c69a68f98ac3f8250f689513027f0c26040fa313c568165127252b9

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
                                      Filesize

                                      2B

                                      MD5

                                      d751713988987e9331980363e24189ce

                                      SHA1

                                      97d170e1550eee4afc0af065b78cda302a97674c

                                      SHA256

                                      4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

                                      SHA512

                                      b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
                                      Filesize

                                      356B

                                      MD5

                                      57e68193dd594740d2866ededfc2c510

                                      SHA1

                                      a7a2ee171c400e002ceb190149441602b2ca562f

                                      SHA256

                                      6bc97bc1a507b8bad838f945c1ed2bc1a4af891398767a0b4764ea7423793e29

                                      SHA512

                                      89035cd310ccdb6cab665c55df119286c2a773a18be2fcc56da6bd96814f02df4a68b2bbd7f2a51a78974fc84bfb374f62f0e0b5f8d923431176787a814ffe50

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                                      Filesize

                                      9KB

                                      MD5

                                      58896225146ed455107b2d473d4465eb

                                      SHA1

                                      8184d9d34859202486319c34a7e9c226c0891c1a

                                      SHA256

                                      24b5220d639cd3c76aa8d8482e418dd744788af798249eb30111ceee6591bcca

                                      SHA512

                                      32d8e9edadc0947a778dfe563ede99840fb66533c6484d0ae16704ddcfe668f081fde24f7f25d85068baae35a3f446a951801ee467cc6b801421e6dc7e3bf33c

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                                      Filesize

                                      8KB

                                      MD5

                                      e6f2cc334a4556406aa70f31cdf24d50

                                      SHA1

                                      9c60eafef30726be134bd869d55305f7dbcb8f49

                                      SHA256

                                      888587ea4f242d0aaa7d63931a9d483379bbea009c2c6bd6115642c346a037b7

                                      SHA512

                                      bce1d12aab4428639bc98e19ce58c441c9d039e7d8c3484f96fb0be386c342b47a5759026413dec83cdde103e5976a10a71b9ae740c8f5ee782212f571e80977

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                                      Filesize

                                      8KB

                                      MD5

                                      cb35597a1bb6fcb1bab788a44bebed09

                                      SHA1

                                      6b30e09348f327e96a86eab927dd4b7c612cba9a

                                      SHA256

                                      5f57fff29ff47d9edf0d42ae192489162c9257de90fc29e0ef531dd02c8b674e

                                      SHA512

                                      e6cbcf3273c62051d0972e21c23dce480afb50a99c11edeb21e0c0fbd2d23565a535a93f76709a489d709223dfd0904d5b75d502e35854442eb748a425ec2d3a

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
                                      Filesize

                                      15KB

                                      MD5

                                      82e501fcd84ee8613a1ce8301691bbc5

                                      SHA1

                                      1541b7172b0fe14c148b1f9fad22e597b2de46e5

                                      SHA256

                                      047b9127adeaa0dd62a3fa347c71cdbc42ccd44779b2e14b96f529aa9d6f61e0

                                      SHA512

                                      f1cc226ebd5e9001d3f2689efefc78c35ddd9f86d30023f27728f668e1662895722cb6687c45b2445a9510132d29893446a4f7a1ee5a89ce6034f2a5d9acd438

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
                                      Filesize

                                      231KB

                                      MD5

                                      08295e708234e016e224e095c0cbf030

                                      SHA1

                                      01b852f9261adecc4070d78c66be844a6c5f38ca

                                      SHA256

                                      f27027f6ee6ee430da0486cda0d824d2bec826c694556a7e74cdf46f8e8c6ccb

                                      SHA512

                                      3230e827c9ff4b358e1b7805eb0619efe9afdbed750c19c92fdf077a3d1881f2fae480ba393e398aac00b091f60e6696fc24f0c67c3ce3867d98abc1a64b107b

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
                                      Filesize

                                      231KB

                                      MD5

                                      418d0a4ea292cbb3dc2d28a67803ea18

                                      SHA1

                                      b831213d4ad9970b46a658bf7caded63b954cf35

                                      SHA256

                                      9c1cccc8252f178fc01754de8412cc573d349866398fc9367d37d3c0c2137205

                                      SHA512

                                      b3da1d4253ee707a465dd5359cf6c31a46132821c2ae15d2cc2a07639a06f2b775d43a9e9118055df3f7dcac73c1d9bf0adc4976936f89ecb415f72c8a7973bd

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Server.exe.log
                                      Filesize

                                      408B

                                      MD5

                                      4338163b0a952ee13772dcaa8e005be6

                                      SHA1

                                      b08b4666d855da02ce46aa4dca059e9e2c353a4f

                                      SHA256

                                      5fda32bcd2006c3a7b83d0be172d1aadfda31fabdd519a168f2cea676fba832c

                                      SHA512

                                      a36ed33ea34a8ab0d8887cda134db49eeafdb5e34594f047463de059d56c94875c2f7f3c0d9755ccabaa1a75c1b15b577e89e2de9ef4d3a231bc78de188665f8

                                      Download Submit

                                    • C:\Users\Admin\Desktop\for virutotal ni\Client-built.exe
                                      Filesize

                                      78KB

                                      MD5

                                      623f9705e81e545bc3cb058a60bd8562

                                      SHA1

                                      f07e26f819b00fce21e048776c86681b766b9cac

                                      SHA256

                                      a7a0be31f89c3b9bc7b19a7c857159aec636cd371dfe9a4991d916b48e87505b

                                      SHA512

                                      041546e60176ed35dc4a3bb7254624ce44a5f6db82cb9a852df1bae6dd286fc8319729d839fb6e93163855b498a4e5ac770c2944fbdc52c217a52fdbe31d05df

                                      Download Submit

                                    • C:\Users\Admin\Desktop\for virutotal ni\free robux.exe
                                      Filesize

                                      43KB

                                      MD5

                                      9d09a9b050fac60119925f0c3a00b963

                                      SHA1

                                      1accf3fe4fb111fb8bf7a03b6493394740947e30

                                      SHA256

                                      133d7311998506ce3d54fc29c4279a67fc208160ee0714c5bd3586c2d6d399e7

                                      SHA512

                                      d17390bbd00409bbf7160982384e1e2ac8fef77f90f37ea6b6de9e404db568077906e8ef0a67a681c1c94917b58a3c96bf40df96fcaa7c5df4058721e9b2261d

                                      Download Submit

                                    • memory/336-17-0x0000000075020000-0x00000000755D1000-memory.dmp

                                      Filesize

                                      5.7MB

                                      Download

                                    • memory/336-16-0x0000000075020000-0x00000000755D1000-memory.dmp

                                      Filesize

                                      5.7MB

                                      Download

                                    • memory/336-8-0x0000000075020000-0x00000000755D1000-memory.dmp

                                      Filesize

                                      5.7MB

                                      Download

                                    • memory/336-7-0x0000000075020000-0x00000000755D1000-memory.dmp

                                      Filesize

                                      5.7MB

                                      Download

                                    • memory/336-6-0x0000000075021000-0x0000000075022000-memory.dmp

                                      Filesize

                                      4KB

                                      Download

                                    • memory/3712-13-0x000002C930E20000-0x000002C931348000-memory.dmp

                                      Filesize

                                      5.2MB

                                      Download

                                    • memory/3712-12-0x000002C92F9A0000-0x000002C92FB62000-memory.dmp

                                      Filesize

                                      1.8MB

                                      Download

                                    • memory/3712-11-0x000002C915340000-0x000002C915358000-memory.dmp

                                      Filesize

                                      96KB

                                      Download