njrat | c32a5b371401abc7904e2bfaddc23f69ef7c8a7d40bd3e7a8f045f6de64a3201

General

Target

Bloxstrap.exe
Size

11.2MB
MD5

29ca7831b80bf263095bb878555b5161
SHA1

7190385a69c313a6cc9d60a17434b2227d01edc3
SHA256

c32a5b371401abc7904e2bfaddc23f69ef7c8a7d40bd3e7a8f045f6de64a3201
SHA512

4c3b75db351f59a5842d6bb4d212cdf25282525bf5683864b40580e56c3976464e335bcd5d737da990a4737ea4a217a494fac56868700a9db41e4af4b24dae06
SSDEEP

98304:ksqZ+pv3Tscod5DFasb/r5vGWD3EOYoHwfLk3vSmaR0+Mc4AN0edaAHDfysrTlUv:ksqZ+pLscVsb/r5vGlObAbN0

Score

10^/10

njrat hacked discovery trojan

Malware Config

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

HacKed

C2

saw-shirts.gl.at.ply.gg:4164

Mutex

Windows Update

Attributes

reg_key
Windows Update
splitter
|Hassan|

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 4 IoCs

pid	Process
2656	BLOXSTRAP-V2.8.1 (1).EXE
2776	DLLHOST.EXE
1184	Process not Found
1136	Dllhost.exe

Loads dropped DLL 2 IoCs

pid	Process
1728	Bloxstrap.exe
1728	Bloxstrap.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Dllhost.exe	Dllhost.exe
File created	C:\Windows\Dllhost.exe	DLLHOST.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DLLHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dllhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bloxstrap.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2776	DLLHOST.EXE
1136	Dllhost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1136	Dllhost.exe
Token: 33	1136	Dllhost.exe
Token: SeIncBasePriorityPrivilege	1136	Dllhost.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 2656	1728	Bloxstrap.exe	30
PID 1728 wrote to memory of 2656	1728	Bloxstrap.exe	30
PID 1728 wrote to memory of 2656	1728	Bloxstrap.exe	30
PID 1728 wrote to memory of 2656	1728	Bloxstrap.exe	30
PID 1728 wrote to memory of 2776	1728	Bloxstrap.exe	31
PID 1728 wrote to memory of 2776	1728	Bloxstrap.exe	31
PID 1728 wrote to memory of 2776	1728	Bloxstrap.exe	31
PID 1728 wrote to memory of 2776	1728	Bloxstrap.exe	31
PID 2776 wrote to memory of 1136	2776	DLLHOST.EXE	32
PID 2776 wrote to memory of 1136	2776	DLLHOST.EXE	32
PID 2776 wrote to memory of 1136	2776	DLLHOST.EXE	32
PID 2776 wrote to memory of 1136	2776	DLLHOST.EXE	32

C:\Users\Admin\AppData\Local\Temp\Bloxstrap.exe
"C:\Users\Admin\AppData\Local\Temp\Bloxstrap.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Users\Admin\AppData\Local\Temp\BLOXSTRAP-V2.8.1 (1).EXE
  "C:\Users\Admin\AppData\Local\Temp\BLOXSTRAP-V2.8.1 (1).EXE"
  2⤵
  - Executes dropped EXE
  PID:2656
- C:\Users\Admin\AppData\Local\Temp\DLLHOST.EXE
  "C:\Users\Admin\AppData\Local\Temp\DLLHOST.EXE"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:2776
- - C:\Windows\Dllhost.exe
    "C:\Windows\Dllhost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:1136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\BLOXSTRAP-V2.8.1 (1).EXE

Filesize
11.1MB

MD5
60246a70b28a9d7ef6a2dfe009e48075

SHA1
8dd51b8460307f785690008657918540a8ee4998

SHA256
e9091fa15944a451e792674cf408e400a5e6391cd31160040210b494bd723f17

SHA512
551ffebc64b11e21a234b3ac5a1e103e5cf0ff4fd4d5b71628d0c4215b24fbca946cc7dc14571667214dca86ae9c3327c928b996be456529f84bb2f4a0901e5f

Download Submit
\Users\Admin\AppData\Local\Temp\DLLHOST.EXE

Filesize
43KB

MD5
9f42922c0a3f6d8ea2f14cacd6d833a2

SHA1
26599b63a7128de66f90d3845bdf914c14933fff

SHA256
bf1309dd22cc8153fb839915f3924eb656c7a331599a4b3d4f98ab3873413f9a

SHA512
772caa71cbe0ed4c74bd9311a0a2d941b2eed4c40f49bf318094a1c04b438d9a547a5abef80b96bb3e902f3aaffe02ad26de6f5f8c63f078bd621b87f9009e4d

Download Submit
memory/1136-21-0x0000000000A90000-0x0000000000AA2000-memory.dmp

Filesize
72KB

Download
memory/2776-12-0x000000007461E000-0x000000007461F000-memory.dmp

Filesize
4KB

Download
memory/2776-14-0x00000000009D0000-0x00000000009E2000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing