njrat | 24f4b10f40eb128bab7c7692f3dee8892c91bdb5d8d40e5231543726dda521e4

General

Target

FiveM File + Error Fixer.exe
Size

93KB
MD5

45c9b9fa6b615cd1f013e13d8b3054bb
SHA1

fc0c3e255a13aa5ae27f6c290ce329bed5265453
SHA256

24f4b10f40eb128bab7c7692f3dee8892c91bdb5d8d40e5231543726dda521e4
SHA512

743ec0a866258b81a65f432d9179a151f770e141a933ba43d640ce4479533207b5c105fd6a2fc15b6818bd4324a652209c3a3a64de81da372cd5e268d6a0d3d3
SSDEEP

1536:MPPmqVulfoEGUeFXAOPc+jEwzGi1dDjDmgS:MP8lfodUeBAOPcHi1dDL

Score

10^/10

njrat hacked discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

hakim32.ddns.net:2000

127.0.0.1:5552

Mutex

660d96b74fc3ffcb1da26329a0336912

Attributes

reg_key
660d96b74fc3ffcb1da26329a0336912
splitter
|'|'|

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

3020 netsh.exe

pid	process
3020	netsh.exe

Drops startup file 2 IoCs

Processes:

server.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe

Executes dropped EXE 1 IoCs

Processes:

server.exe

pid process

668 server.exe
Loads dropped DLL 2 IoCs

Processes:

FiveM File + Error Fixer.exe

pid process

2060 FiveM File + Error Fixer.exe
2060 FiveM File + Error Fixer.exe
Drops file in System32 directory 2 IoCs

Processes:

server.exe

description ioc process

File created C:\Windows\SysWOW64\Explower.exe server.exe
File opened for modification C:\Windows\SysWOW64\Explower.exe server.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
668	server.exe

pid	process
2060	FiveM File + Error Fixer.exe
2060	FiveM File + Error Fixer.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

netsh.exeFiveM File + Error Fixer.exeserver.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FiveM File + Error Fixer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

server.exe

pid process

668 server.exe

pid	process
668	server.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

FiveM File + Error Fixer.exeserver.exe

description	pid	process	target process
PID 2060 wrote to memory of 668	2060	FiveM File + Error Fixer.exe	server.exe
PID 2060 wrote to memory of 668	2060	FiveM File + Error Fixer.exe	server.exe
PID 2060 wrote to memory of 668	2060	FiveM File + Error Fixer.exe	server.exe
PID 2060 wrote to memory of 668	2060	FiveM File + Error Fixer.exe	server.exe
PID 668 wrote to memory of 3020	668	server.exe	netsh.exe
PID 668 wrote to memory of 3020	668	server.exe	netsh.exe
PID 668 wrote to memory of 3020	668	server.exe	netsh.exe
PID 668 wrote to memory of 3020	668	server.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\FiveM File + Error Fixer.exe
"C:\Users\Admin\AppData\Local\Temp\FiveM File + Error Fixer.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Users\Admin\AppData\Local\Temp\server.exe
  "C:\Users\Admin\AppData\Local\Temp\server.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:668
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:3020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

1

T1562.004

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\app

Filesize
5B

MD5
f478c76bbb3174dbc7fabae62224f818

SHA1
bed239508bad9fcd15a9bdea1e132f62468d07d1

SHA256
d7a0af52f260c87ef40bdfc1f1196faf7797593d62c6120ae99957d78762ed1a

SHA512
b653aa05746c721c9129456de3798d9e94385a0e5630c5d497fa0d6076274560885edd5875232b40d07aafa3f0e929e9b3bf2ff388ad2c21b3589cb01b79f94b

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe

Filesize
93KB

MD5
45c9b9fa6b615cd1f013e13d8b3054bb

SHA1
fc0c3e255a13aa5ae27f6c290ce329bed5265453

SHA256
24f4b10f40eb128bab7c7692f3dee8892c91bdb5d8d40e5231543726dda521e4

SHA512
743ec0a866258b81a65f432d9179a151f770e141a933ba43d640ce4479533207b5c105fd6a2fc15b6818bd4324a652209c3a3a64de81da372cd5e268d6a0d3d3

Download Submit
memory/668-14-0x0000000074B30000-0x00000000750DB000-memory.dmp

Filesize
5.7MB

Download
memory/668-16-0x0000000074B30000-0x00000000750DB000-memory.dmp

Filesize
5.7MB

Download
memory/668-21-0x0000000074B30000-0x00000000750DB000-memory.dmp

Filesize
5.7MB

Download
memory/2060-0-0x0000000074B31000-0x0000000074B32000-memory.dmp

Filesize
4KB

Download
memory/2060-1-0x0000000074B30000-0x00000000750DB000-memory.dmp

Filesize
5.7MB

Download
memory/2060-2-0x0000000074B30000-0x00000000750DB000-memory.dmp

Filesize
5.7MB

Download
memory/2060-15-0x0000000074B30000-0x00000000750DB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads