njrat | 29551a26f72fa6c387909b88ffcad535db08f17e0b62781478a0097070f48dde

General

Target

SQLBOX.exe
Size

8.0MB
MD5

79f7442af52bd4ce3ccc1894d4841d16
SHA1

ec752f917e4043aa27a49a5282e9f9d4f538829f
SHA256

29551a26f72fa6c387909b88ffcad535db08f17e0b62781478a0097070f48dde
SHA512

972ebfca52b010df791ddef879f312133f7f11e3e63b4096cf901ba6203b244f9e8a3a37e9055d437476bc54931e68763369fb8c1f6fc900ab60e452fe149cd1
SSDEEP

196608:jp8UI0VdmlV8ld98BlON2jnbNswvBXvowJgzl7GSZn7ftmcg:lJPmy90jVvBXvoww77rccg

Score

10^/10

njrat hacked evasion persistence privilege_escalation themida trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

6cpanel.hackcrack.io:35798

Mutex

Windows Explorer

Attributes

reg_key
Windows Explorer
splitter
|'|'|

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	SQLBOX .exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2948	netsh.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SQLBOX .exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	SQLBOX .exe

Executes dropped EXE 7 IoCs

pid	Process
864	Setup.exe
2992	Setup.exe
2820	SQLBOX .exe
2988	svchost.exe
2964	svchost.exe
2388	explorer.exe
2016	explorer.exe

Loads dropped DLL 1 IoCs

pid	Process
2820	SQLBOX .exe

Themida packer 4 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x0009000000016650-41.dat	themida
behavioral1/memory/2820-44-0x000007FEE91E0000-0x000007FEE9A4C000-memory.dmp	themida
behavioral1/memory/2820-45-0x000007FEE91E0000-0x000007FEE9A4C000-memory.dmp	themida
behavioral1/memory/2820-54-0x000007FEE91E0000-0x000007FEE9A4C000-memory.dmp	themida

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Corporation Security = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\svchost.exe"	Setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Corporation Security = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\svchost.exe"	Setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Explorer = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe\" ."	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Explorer = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe\" ."	explorer.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SQLBOX .exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2820	SQLBOX .exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeDebugPrivilege	2016	explorer.exe
Token: 33	2016	explorer.exe
Token: SeIncBasePriorityPrivilege	2016	explorer.exe
Token: 33	2016	explorer.exe
Token: SeIncBasePriorityPrivilege	2016	explorer.exe
Token: 33	2016	explorer.exe
Token: SeIncBasePriorityPrivilege	2016	explorer.exe
Token: 33	2016	explorer.exe
Token: SeIncBasePriorityPrivilege	2016	explorer.exe
Token: 33	2016	explorer.exe
Token: SeIncBasePriorityPrivilege	2016	explorer.exe
Token: 33	2016	explorer.exe
Token: SeIncBasePriorityPrivilege	2016	explorer.exe
Token: 33	2016	explorer.exe
Token: SeIncBasePriorityPrivilege	2016	explorer.exe
Token: 33	2016	explorer.exe
Token: SeIncBasePriorityPrivilege	2016	explorer.exe
Token: 33	2016	explorer.exe
Token: SeIncBasePriorityPrivilege	2016	explorer.exe
Token: 33	2016	explorer.exe
Token: SeIncBasePriorityPrivilege	2016	explorer.exe
Token: 33	2016	explorer.exe
Token: SeIncBasePriorityPrivilege	2016	explorer.exe
Token: 33	2016	explorer.exe
Token: SeIncBasePriorityPrivilege	2016	explorer.exe
Token: 33	2016	explorer.exe
Token: SeIncBasePriorityPrivilege	2016	explorer.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2672 wrote to memory of 864	2672	SQLBOX.exe	31
PID 2672 wrote to memory of 864	2672	SQLBOX.exe	31
PID 2672 wrote to memory of 864	2672	SQLBOX.exe	31
PID 2672 wrote to memory of 2992	2672	SQLBOX.exe	32
PID 2672 wrote to memory of 2992	2672	SQLBOX.exe	32
PID 2672 wrote to memory of 2992	2672	SQLBOX.exe	32
PID 2672 wrote to memory of 2820	2672	SQLBOX.exe	33
PID 2672 wrote to memory of 2820	2672	SQLBOX.exe	33
PID 2672 wrote to memory of 2820	2672	SQLBOX.exe	33
PID 864 wrote to memory of 2988	864	Setup.exe	34
PID 864 wrote to memory of 2988	864	Setup.exe	34
PID 864 wrote to memory of 2988	864	Setup.exe	34
PID 2992 wrote to memory of 2964	2992	Setup.exe	35
PID 2992 wrote to memory of 2964	2992	Setup.exe	35
PID 2992 wrote to memory of 2964	2992	Setup.exe	35
PID 2820 wrote to memory of 1808	2820	SQLBOX .exe	36
PID 2820 wrote to memory of 1808	2820	SQLBOX .exe	36
PID 2820 wrote to memory of 1808	2820	SQLBOX .exe	36
PID 2964 wrote to memory of 2388	2964	svchost.exe	37
PID 2964 wrote to memory of 2388	2964	svchost.exe	37
PID 2964 wrote to memory of 2388	2964	svchost.exe	37
PID 2388 wrote to memory of 2016	2388	explorer.exe	38
PID 2388 wrote to memory of 2016	2388	explorer.exe	38
PID 2388 wrote to memory of 2016	2388	explorer.exe	38
PID 2016 wrote to memory of 2948	2016	explorer.exe	39
PID 2016 wrote to memory of 2948	2016	explorer.exe	39
PID 2016 wrote to memory of 2948	2016	explorer.exe	39

C:\Users\Admin\AppData\Local\Temp\SQLBOX.exe
"C:\Users\Admin\AppData\Local\Temp\SQLBOX.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2672
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:864
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"
    3⤵
    - Executes dropped EXE
    PID:2988
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2992
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2964
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2388
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2016
      - C:\Windows\system32\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe" "explorer.exe" ENABLE
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2948
- C:\Users\Admin\AppData\Local\Temp\SQLBOX .exe
  "C:\Users\Admin\AppData\Local\Temp\SQLBOX .exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of WriteProcessMemory
  PID:2820
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2820 -s 664
    3⤵
    PID:1808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SQLBOX .exe

Filesize
7.5MB

MD5
fa35e080ce9441a661011a8c2c3409a3

SHA1
57988d0350d8aa53f316fef36022062b020156ec

SHA256
d2a37daeb942c91b911206e61bc622720e9cbbb1be554c584807eaf6aec31cce

SHA512
e8d54789744fc2c99473d330c2e2fa694e5d54b45e91e592fdb29b153fa4dc01244d8e0099351ff44f3d472480600b61b0d4ea96f24805777caf5623f2ff9c85

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup.exe

Filesize
453KB

MD5
97994092e05077b39d7fb87431ab7adb

SHA1
ff8be763236b024101522cfbc87b4251160b6a46

SHA256
76e63501c05b67e096c740e3fb4d9bc04e159e0ceafbe2e3c390864593c9b8eb

SHA512
63e10f2e52af80f75cb55efa3fe399edc9dda5637709ddf760fa7287a95b2c8ed9db3aa25e19aa58495d3d63352c36ee3e40c019f074ce43d123d11aec7f026a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe

Filesize
341KB

MD5
e000e5c930a9c3d1e1e15dd8d25fc153

SHA1
1a01d9cb0d4b507aea4d119a7933fa2196a0195b

SHA256
5a8c9856cfd33fa50eeb00ea9d427b59d9e407f20393a3c25537af22382859ca

SHA512
90686821fbb9c8d022cf471387910ba3d760660ae9e55db8fbd345f7a731dce38390e40e9579dadb36b8032f071b5d61ea82cc021452aff42970f6a6adc4ce06

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe

Filesize
319KB

MD5
52458647042feceb53ddfad2a210332a

SHA1
b85d0da8c2ba4142e43c0adc9e914c7d47287ba3

SHA256
5afe1b4584a086f703308ae0f355f67902d157dfd36db8e09c3873dcfe9143aa

SHA512
d1787d2b95462f46d22bd98980fb4f29368bd226aa1a6f98b02155d235d2df7c7575299b264cc0fa2ebfb63e99225e663ff0cb5cfb68fdc601add5139e129898

Download Submit
\Users\Admin\AppData\Local\Temp\0fa65e01-327d-4b20-9b75-911d8166df3c\sToRmDOT64.dll

Filesize
3.1MB

MD5
4d8082b3de02f82db9a515e9dab5d2b6

SHA1
057a20ade70244601d0fe50f7011c95bae335ea5

SHA256
936b1537b6efcece032c05661238b06beefc61ff76e82b7c5d9fe558a9360a4c

SHA512
7b9153e9948e0f911fcb0b145678a56cac4abd948fa99e07c331760f02dce096cf3be7d2d8493cf7a76460c7172e24eaa45c1283a28353501b2876c54752c60d

Download Submit
memory/864-21-0x000007FEF6100000-0x000007FEF6A9D000-memory.dmp

Filesize
9.6MB

Download
memory/864-22-0x0000000000260000-0x000000000028A000-memory.dmp

Filesize
168KB

Download
memory/864-23-0x000007FEF6100000-0x000007FEF6A9D000-memory.dmp

Filesize
9.6MB

Download
memory/864-18-0x000007FEF6100000-0x000007FEF6A9D000-memory.dmp

Filesize
9.6MB

Download
memory/864-37-0x000007FEF6100000-0x000007FEF6A9D000-memory.dmp

Filesize
9.6MB

Download
memory/2388-61-0x00000000004A0000-0x00000000004AC000-memory.dmp

Filesize
48KB

Download
memory/2672-27-0x000007FEF6100000-0x000007FEF6A9D000-memory.dmp

Filesize
9.6MB

Download
memory/2672-0-0x000007FEF63BE000-0x000007FEF63BF000-memory.dmp

Filesize
4KB

Download
memory/2672-7-0x000007FEF6100000-0x000007FEF6A9D000-memory.dmp

Filesize
9.6MB

Download
memory/2672-2-0x000007FEF6100000-0x000007FEF6A9D000-memory.dmp

Filesize
9.6MB

Download
memory/2820-25-0x00000000002D0000-0x0000000000A56000-memory.dmp

Filesize
7.5MB

Download
memory/2820-44-0x000007FEE91E0000-0x000007FEE9A4C000-memory.dmp

Filesize
8.4MB

Download
memory/2820-45-0x000007FEE91E0000-0x000007FEE9A4C000-memory.dmp

Filesize
8.4MB

Download
memory/2820-46-0x000007FEF2650000-0x000007FEF277C000-memory.dmp

Filesize
1.2MB

Download
memory/2820-54-0x000007FEE91E0000-0x000007FEE9A4C000-memory.dmp

Filesize
8.4MB

Download
memory/2964-36-0x0000000000170000-0x0000000000178000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads