njrat | f387495a19565298da82fe21ab89a18793055c751557ed1e10145fe07f0d0cd3

General

Target

System.exe
Size

43KB
MD5

79883d324ddf30f7c4d20587d9bf1d42
SHA1

3bd4ab4de6cdfa463a5777c55d216fdd31d85d37
SHA256

f387495a19565298da82fe21ab89a18793055c751557ed1e10145fe07f0d0cd3
SHA512

efbd2c828f2e361e6555aebd27e18ca13d82c99d5bd010ba8931901fc2bdd182080232e20f60d3faa138654adf4944541cd914946ca12ce658542db37942ad5d
SSDEEP

384:xZy5n2+Ww9xo1iDc8y2O1kl2thNElAWbDdzmzcIij+ZsNO3PlpJKkkjh/TzF7pWu:jIqU452k06ibmuXQ/o81+Lr

Score

10^/10

njrat hacked discovery trojan

Malware Config

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

HacKed

C2

hospital-selling.gl.at.ply.gg:4839

Mutex

Bloxstrap Updater

Attributes

reg_key
Bloxstrap Updater
splitter
|Hassan|

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	System.exe

Executes dropped EXE 1 IoCs

pid	Process
2596	Dllhostt.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Dllhostt.exe	Dllhostt.exe
File created	C:\Windows\Dllhostt.exe	System.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	System.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dllhostt.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2364	System.exe
2596	Dllhostt.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: SeDebugPrivilege	2596	Dllhostt.exe
Token: 33	2596	Dllhostt.exe
Token: SeIncBasePriorityPrivilege	2596	Dllhostt.exe
Token: 33	2596	Dllhostt.exe
Token: SeIncBasePriorityPrivilege	2596	Dllhostt.exe
Token: 33	2596	Dllhostt.exe
Token: SeIncBasePriorityPrivilege	2596	Dllhostt.exe
Token: 33	2596	Dllhostt.exe
Token: SeIncBasePriorityPrivilege	2596	Dllhostt.exe
Token: 33	2596	Dllhostt.exe
Token: SeIncBasePriorityPrivilege	2596	Dllhostt.exe
Token: 33	2596	Dllhostt.exe
Token: SeIncBasePriorityPrivilege	2596	Dllhostt.exe
Token: 33	2596	Dllhostt.exe
Token: SeIncBasePriorityPrivilege	2596	Dllhostt.exe
Token: 33	2596	Dllhostt.exe
Token: SeIncBasePriorityPrivilege	2596	Dllhostt.exe
Token: 33	2596	Dllhostt.exe
Token: SeIncBasePriorityPrivilege	2596	Dllhostt.exe
Token: 33	2596	Dllhostt.exe
Token: SeIncBasePriorityPrivilege	2596	Dllhostt.exe
Token: 33	2596	Dllhostt.exe
Token: SeIncBasePriorityPrivilege	2596	Dllhostt.exe
Token: 33	2596	Dllhostt.exe
Token: SeIncBasePriorityPrivilege	2596	Dllhostt.exe
Token: 33	2596	Dllhostt.exe
Token: SeIncBasePriorityPrivilege	2596	Dllhostt.exe
Token: 33	2596	Dllhostt.exe
Token: SeIncBasePriorityPrivilege	2596	Dllhostt.exe
Token: 33	2596	Dllhostt.exe
Token: SeIncBasePriorityPrivilege	2596	Dllhostt.exe
Token: 33	2596	Dllhostt.exe
Token: SeIncBasePriorityPrivilege	2596	Dllhostt.exe
Token: 33	2596	Dllhostt.exe
Token: SeIncBasePriorityPrivilege	2596	Dllhostt.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 2596	2364	System.exe	86
PID 2364 wrote to memory of 2596	2364	System.exe	86
PID 2364 wrote to memory of 2596	2364	System.exe	86

C:\Users\Admin\AppData\Local\Temp\System.exe
"C:\Users\Admin\AppData\Local\Temp\System.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Windows\Dllhostt.exe
  "C:\Windows\Dllhostt.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:2596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Dllhostt.exe

Filesize
43KB

MD5
79883d324ddf30f7c4d20587d9bf1d42

SHA1
3bd4ab4de6cdfa463a5777c55d216fdd31d85d37

SHA256
f387495a19565298da82fe21ab89a18793055c751557ed1e10145fe07f0d0cd3

SHA512
efbd2c828f2e361e6555aebd27e18ca13d82c99d5bd010ba8931901fc2bdd182080232e20f60d3faa138654adf4944541cd914946ca12ce658542db37942ad5d

Download Submit
memory/2364-3-0x0000000005900000-0x0000000005EA4000-memory.dmp

Filesize
5.6MB

Download
memory/2364-2-0x0000000005000000-0x000000000509C000-memory.dmp

Filesize
624KB

Download
memory/2364-0-0x000000007514E000-0x000000007514F000-memory.dmp

Filesize
4KB

Download
memory/2364-4-0x0000000075140000-0x00000000758F0000-memory.dmp

Filesize
7.7MB

Download
memory/2364-5-0x00000000053F0000-0x0000000005482000-memory.dmp

Filesize
584KB

Download
memory/2364-1-0x0000000000600000-0x0000000000612000-memory.dmp

Filesize
72KB

Download
memory/2364-15-0x0000000075140000-0x00000000758F0000-memory.dmp

Filesize
7.7MB

Download
memory/2596-16-0x0000000075140000-0x00000000758F0000-memory.dmp

Filesize
7.7MB

Download
memory/2596-17-0x0000000075140000-0x00000000758F0000-memory.dmp

Filesize
7.7MB

Download
memory/2596-18-0x0000000005710000-0x000000000571A000-memory.dmp

Filesize
40KB

Download
memory/2596-19-0x0000000075140000-0x00000000758F0000-memory.dmp

Filesize
7.7MB

Download
memory/2596-20-0x0000000075140000-0x00000000758F0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing