njrat | 7190d2d0d312dbcff88983c0fd93b0100af1fc880dea847aba35188e3465c81d

General

Target

7190d2d0d312dbcff88983c0fd93b0100af1fc880dea847aba35188e3465c81d.exe
Size

49KB
MD5

272e00ed89a593d788dc6454d7f2c0f4
SHA1

e6a6c8f32c83267523cf0bb2c946663c4912264c
SHA256

7190d2d0d312dbcff88983c0fd93b0100af1fc880dea847aba35188e3465c81d
SHA512

87e6fa2422ce62b9123702b90968168a3512ddc6551ece3327fa82d680a1d5f7e466d95e796f9a9c150f32dddd35628b1a9be3afb01c9b4ac17d454dc1277eb2
SSDEEP

1536:M8blGZjjDoEzPOfpB8KKRhHwzptAN+NJ6nXMcemhuhyn:M8bAzPOIbPHwzYN+NTdhyn

Score

10^/10

njrat mal discovery trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

MAL

C2

12e1212:8888

Mutex

66e263e765a8ecf009ff45b8a895efff

Attributes

reg_key
66e263e765a8ecf009ff45b8a895efff
splitter
|'|'|

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7190d2d0d312dbcff88983c0fd93b0100af1fc880dea847aba35188e3465c81d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2760	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2760	AcroRd32.exe
2760	AcroRd32.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 2568	2236	7190d2d0d312dbcff88983c0fd93b0100af1fc880dea847aba35188e3465c81d.exe	29
PID 2236 wrote to memory of 2568	2236	7190d2d0d312dbcff88983c0fd93b0100af1fc880dea847aba35188e3465c81d.exe	29
PID 2236 wrote to memory of 2568	2236	7190d2d0d312dbcff88983c0fd93b0100af1fc880dea847aba35188e3465c81d.exe	29
PID 2236 wrote to memory of 2568	2236	7190d2d0d312dbcff88983c0fd93b0100af1fc880dea847aba35188e3465c81d.exe	29
PID 2236 wrote to memory of 2568	2236	7190d2d0d312dbcff88983c0fd93b0100af1fc880dea847aba35188e3465c81d.exe	29
PID 2236 wrote to memory of 2568	2236	7190d2d0d312dbcff88983c0fd93b0100af1fc880dea847aba35188e3465c81d.exe	29
PID 2236 wrote to memory of 2568	2236	7190d2d0d312dbcff88983c0fd93b0100af1fc880dea847aba35188e3465c81d.exe	29
PID 2568 wrote to memory of 2760	2568	rundll32.exe	30
PID 2568 wrote to memory of 2760	2568	rundll32.exe	30
PID 2568 wrote to memory of 2760	2568	rundll32.exe	30
PID 2568 wrote to memory of 2760	2568	rundll32.exe	30

C:\Users\Admin\AppData\Local\Temp\7190d2d0d312dbcff88983c0fd93b0100af1fc880dea847aba35188e3465c81d.exe
"C:\Users\Admin\AppData\Local\Temp\7190d2d0d312dbcff88983c0fd93b0100af1fc880dea847aba35188e3465c81d.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Server.exe��
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2568
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Server.exe��"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Server.exe��

Filesize
23KB

MD5
2458e6f4d38ea15f21d61353648b2324

SHA1
4f0ef95fc6ebad94749edbd2cec4fb10982db300

SHA256
e599bb402c73eec1cde52b6cbf459201f64206b509d0437176e9c12ebcecff50

SHA512
da838e635c7cc35e1c4957824569b6d4ddfa8b19f91b8d46e26cba3483c2a18fd858f6b51e8a0907d7285beb387b42f04c93826885b2c11c5dddd14d4b7376e5

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
ddd6923e0eca25b1f3d3056dc68539fa

SHA1
79771f60a6e421083b373e2fa3b19260fd970044

SHA256
5debb6dfe147957faac4d28c72483b14a2c508a8fbe5a6cddec768cba2794fcf

SHA512
497989cf6a97b40694ef7d2b217d89df800722ac590bd2f79c9826ce5383212296b8b47de6ea6a173e0ed5612f78c69feba254720fd961f37985242079ece5ab

Download Submit
memory/2236-0-0x0000000074EBE000-0x0000000074EBF000-memory.dmp

Filesize
4KB

Download
memory/2236-1-0x0000000000E80000-0x0000000000E8A000-memory.dmp

Filesize
40KB

Download
memory/2236-2-0x0000000074EB0000-0x000000007559E000-memory.dmp

Filesize
6.9MB

Download
memory/2236-4-0x0000000074EB0000-0x000000007559E000-memory.dmp

Filesize
6.9MB

Download
memory/2236-5-0x0000000074EB0000-0x000000007559E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing