njrat | 2e29fc015c30f726fb2c8fe8a687638cd523ceeb51a79d068b45cd61ac1b00b4

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28-11-2024 13:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2e29fc015c30f726fb2c8fe8a687638cd523ceeb51a79d068b45cd61ac1b00b4.exe
Size

39KB
MD5

b7bfb490147c56a3f3480101df954fa9
SHA1

faaf01d73a5c7e7a65c9553c1e9ff0d7256a2624
SHA256

2e29fc015c30f726fb2c8fe8a687638cd523ceeb51a79d068b45cd61ac1b00b4
SHA512

277ddfdb46fc81f00a76dc765562728737918b6f2f50def5d5201c730350c9c74a1632a3f6c884e7984271b088e6dd713763e6d856ceaf3819a63b07c5db9ee9
SSDEEP

768:VvASIisql251c6opnV0jZJ/s8B8RnVMZ8pBz3bdHUCRKSBsL+DEplyLnEI:inql2ncFpngZFsrKcZRKSCL+D+w9

Score

10^/10

njrat loshara persistence trojan

Malware Config

Extracted

Family

njrat

Version

Platinum

Botnet

loshara

127.0.0.1:80

Mutex

Client.exe

Attributes

reg_key
Client.exe
splitter
|Ghost|

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Drops startup file 3 IoCs

Processes:

2e29fc015c30f726fb2c8fe8a687638cd523ceeb51a79d068b45cd61ac1b00b4.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe	2e29fc015c30f726fb2c8fe8a687638cd523ceeb51a79d068b45cd61ac1b00b4.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe	2e29fc015c30f726fb2c8fe8a687638cd523ceeb51a79d068b45cd61ac1b00b4.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.url	2e29fc015c30f726fb2c8fe8a687638cd523ceeb51a79d068b45cd61ac1b00b4.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2e29fc015c30f726fb2c8fe8a687638cd523ceeb51a79d068b45cd61ac1b00b4.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2e29fc015c30f726fb2c8fe8a687638cd523ceeb51a79d068b45cd61ac1b00b4.exe\" .."	2e29fc015c30f726fb2c8fe8a687638cd523ceeb51a79d068b45cd61ac1b00b4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2e29fc015c30f726fb2c8fe8a687638cd523ceeb51a79d068b45cd61ac1b00b4.exe\" .."	2e29fc015c30f726fb2c8fe8a687638cd523ceeb51a79d068b45cd61ac1b00b4.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2e29fc015c30f726fb2c8fe8a687638cd523ceeb51a79d068b45cd61ac1b00b4.exe

pid	Process
2656	2e29fc015c30f726fb2c8fe8a687638cd523ceeb51a79d068b45cd61ac1b00b4.exe
2656	2e29fc015c30f726fb2c8fe8a687638cd523ceeb51a79d068b45cd61ac1b00b4.exe
2656	2e29fc015c30f726fb2c8fe8a687638cd523ceeb51a79d068b45cd61ac1b00b4.exe
2656	2e29fc015c30f726fb2c8fe8a687638cd523ceeb51a79d068b45cd61ac1b00b4.exe
2656	2e29fc015c30f726fb2c8fe8a687638cd523ceeb51a79d068b45cd61ac1b00b4.exe
2656	2e29fc015c30f726fb2c8fe8a687638cd523ceeb51a79d068b45cd61ac1b00b4.exe
2656	2e29fc015c30f726fb2c8fe8a687638cd523ceeb51a79d068b45cd61ac1b00b4.exe
2656	2e29fc015c30f726fb2c8fe8a687638cd523ceeb51a79d068b45cd61ac1b00b4.exe
2656	2e29fc015c30f726fb2c8fe8a687638cd523ceeb51a79d068b45cd61ac1b00b4.exe
2656	2e29fc015c30f726fb2c8fe8a687638cd523ceeb51a79d068b45cd61ac1b00b4.exe
2656	2e29fc015c30f726fb2c8fe8a687638cd523ceeb51a79d068b45cd61ac1b00b4.exe
2656	2e29fc015c30f726fb2c8fe8a687638cd523ceeb51a79d068b45cd61ac1b00b4.exe
2656	2e29fc015c30f726fb2c8fe8a687638cd523ceeb51a79d068b45cd61ac1b00b4.exe
2656	2e29fc015c30f726fb2c8fe8a687638cd523ceeb51a79d068b45cd61ac1b00b4.exe
2656	2e29fc015c30f726fb2c8fe8a687638cd523ceeb51a79d068b45cd61ac1b00b4.exe
2656	2e29fc015c30f726fb2c8fe8a687638cd523ceeb51a79d068b45cd61ac1b00b4.exe
2656	2e29fc015c30f726fb2c8fe8a687638cd523ceeb51a79d068b45cd61ac1b00b4.exe
2656	2e29fc015c30f726fb2c8fe8a687638cd523ceeb51a79d068b45cd61ac1b00b4.exe
2656	2e29fc015c30f726fb2c8fe8a687638cd523ceeb51a79d068b45cd61ac1b00b4.exe
2656	2e29fc015c30f726fb2c8fe8a687638cd523ceeb51a79d068b45cd61ac1b00b4.exe
2656	2e29fc015c30f726fb2c8fe8a687638cd523ceeb51a79d068b45cd61ac1b00b4.exe
2656	2e29fc015c30f726fb2c8fe8a687638cd523ceeb51a79d068b45cd61ac1b00b4.exe
2656	2e29fc015c30f726fb2c8fe8a687638cd523ceeb51a79d068b45cd61ac1b00b4.exe
2656	2e29fc015c30f726fb2c8fe8a687638cd523ceeb51a79d068b45cd61ac1b00b4.exe
2656	2e29fc015c30f726fb2c8fe8a687638cd523ceeb51a79d068b45cd61ac1b00b4.exe
2656	2e29fc015c30f726fb2c8fe8a687638cd523ceeb51a79d068b45cd61ac1b00b4.exe
2656	2e29fc015c30f726fb2c8fe8a687638cd523ceeb51a79d068b45cd61ac1b00b4.exe
2656	2e29fc015c30f726fb2c8fe8a687638cd523ceeb51a79d068b45cd61ac1b00b4.exe
2656	2e29fc015c30f726fb2c8fe8a687638cd523ceeb51a79d068b45cd61ac1b00b4.exe
2656	2e29fc015c30f726fb2c8fe8a687638cd523ceeb51a79d068b45cd61ac1b00b4.exe
2656	2e29fc015c30f726fb2c8fe8a687638cd523ceeb51a79d068b45cd61ac1b00b4.exe
2656	2e29fc015c30f726fb2c8fe8a687638cd523ceeb51a79d068b45cd61ac1b00b4.exe
2656	2e29fc015c30f726fb2c8fe8a687638cd523ceeb51a79d068b45cd61ac1b00b4.exe
2656	2e29fc015c30f726fb2c8fe8a687638cd523ceeb51a79d068b45cd61ac1b00b4.exe
2656	2e29fc015c30f726fb2c8fe8a687638cd523ceeb51a79d068b45cd61ac1b00b4.exe
2656	2e29fc015c30f726fb2c8fe8a687638cd523ceeb51a79d068b45cd61ac1b00b4.exe
2656	2e29fc015c30f726fb2c8fe8a687638cd523ceeb51a79d068b45cd61ac1b00b4.exe
2656	2e29fc015c30f726fb2c8fe8a687638cd523ceeb51a79d068b45cd61ac1b00b4.exe
2656	2e29fc015c30f726fb2c8fe8a687638cd523ceeb51a79d068b45cd61ac1b00b4.exe
2656	2e29fc015c30f726fb2c8fe8a687638cd523ceeb51a79d068b45cd61ac1b00b4.exe
2656	2e29fc015c30f726fb2c8fe8a687638cd523ceeb51a79d068b45cd61ac1b00b4.exe
2656	2e29fc015c30f726fb2c8fe8a687638cd523ceeb51a79d068b45cd61ac1b00b4.exe
2656	2e29fc015c30f726fb2c8fe8a687638cd523ceeb51a79d068b45cd61ac1b00b4.exe
2656	2e29fc015c30f726fb2c8fe8a687638cd523ceeb51a79d068b45cd61ac1b00b4.exe
2656	2e29fc015c30f726fb2c8fe8a687638cd523ceeb51a79d068b45cd61ac1b00b4.exe
2656	2e29fc015c30f726fb2c8fe8a687638cd523ceeb51a79d068b45cd61ac1b00b4.exe
2656	2e29fc015c30f726fb2c8fe8a687638cd523ceeb51a79d068b45cd61ac1b00b4.exe
2656	2e29fc015c30f726fb2c8fe8a687638cd523ceeb51a79d068b45cd61ac1b00b4.exe
2656	2e29fc015c30f726fb2c8fe8a687638cd523ceeb51a79d068b45cd61ac1b00b4.exe
2656	2e29fc015c30f726fb2c8fe8a687638cd523ceeb51a79d068b45cd61ac1b00b4.exe
2656	2e29fc015c30f726fb2c8fe8a687638cd523ceeb51a79d068b45cd61ac1b00b4.exe
2656	2e29fc015c30f726fb2c8fe8a687638cd523ceeb51a79d068b45cd61ac1b00b4.exe
2656	2e29fc015c30f726fb2c8fe8a687638cd523ceeb51a79d068b45cd61ac1b00b4.exe
2656	2e29fc015c30f726fb2c8fe8a687638cd523ceeb51a79d068b45cd61ac1b00b4.exe
2656	2e29fc015c30f726fb2c8fe8a687638cd523ceeb51a79d068b45cd61ac1b00b4.exe
2656	2e29fc015c30f726fb2c8fe8a687638cd523ceeb51a79d068b45cd61ac1b00b4.exe
2656	2e29fc015c30f726fb2c8fe8a687638cd523ceeb51a79d068b45cd61ac1b00b4.exe
2656	2e29fc015c30f726fb2c8fe8a687638cd523ceeb51a79d068b45cd61ac1b00b4.exe
2656	2e29fc015c30f726fb2c8fe8a687638cd523ceeb51a79d068b45cd61ac1b00b4.exe
2656	2e29fc015c30f726fb2c8fe8a687638cd523ceeb51a79d068b45cd61ac1b00b4.exe
2656	2e29fc015c30f726fb2c8fe8a687638cd523ceeb51a79d068b45cd61ac1b00b4.exe
2656	2e29fc015c30f726fb2c8fe8a687638cd523ceeb51a79d068b45cd61ac1b00b4.exe
2656	2e29fc015c30f726fb2c8fe8a687638cd523ceeb51a79d068b45cd61ac1b00b4.exe
2656	2e29fc015c30f726fb2c8fe8a687638cd523ceeb51a79d068b45cd61ac1b00b4.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

Processes:

2e29fc015c30f726fb2c8fe8a687638cd523ceeb51a79d068b45cd61ac1b00b4.exe

description	pid	Process
Token: SeDebugPrivilege	2656	2e29fc015c30f726fb2c8fe8a687638cd523ceeb51a79d068b45cd61ac1b00b4.exe
Token: 33	2656	2e29fc015c30f726fb2c8fe8a687638cd523ceeb51a79d068b45cd61ac1b00b4.exe
Token: SeIncBasePriorityPrivilege	2656	2e29fc015c30f726fb2c8fe8a687638cd523ceeb51a79d068b45cd61ac1b00b4.exe
Token: 33	2656	2e29fc015c30f726fb2c8fe8a687638cd523ceeb51a79d068b45cd61ac1b00b4.exe
Token: SeIncBasePriorityPrivilege	2656	2e29fc015c30f726fb2c8fe8a687638cd523ceeb51a79d068b45cd61ac1b00b4.exe
Token: 33	2656	2e29fc015c30f726fb2c8fe8a687638cd523ceeb51a79d068b45cd61ac1b00b4.exe
Token: SeIncBasePriorityPrivilege	2656	2e29fc015c30f726fb2c8fe8a687638cd523ceeb51a79d068b45cd61ac1b00b4.exe
Token: 33	2656	2e29fc015c30f726fb2c8fe8a687638cd523ceeb51a79d068b45cd61ac1b00b4.exe
Token: SeIncBasePriorityPrivilege	2656	2e29fc015c30f726fb2c8fe8a687638cd523ceeb51a79d068b45cd61ac1b00b4.exe
Token: 33	2656	2e29fc015c30f726fb2c8fe8a687638cd523ceeb51a79d068b45cd61ac1b00b4.exe
Token: SeIncBasePriorityPrivilege	2656	2e29fc015c30f726fb2c8fe8a687638cd523ceeb51a79d068b45cd61ac1b00b4.exe
Token: 33	2656	2e29fc015c30f726fb2c8fe8a687638cd523ceeb51a79d068b45cd61ac1b00b4.exe
Token: SeIncBasePriorityPrivilege	2656	2e29fc015c30f726fb2c8fe8a687638cd523ceeb51a79d068b45cd61ac1b00b4.exe
Token: 33	2656	2e29fc015c30f726fb2c8fe8a687638cd523ceeb51a79d068b45cd61ac1b00b4.exe
Token: SeIncBasePriorityPrivilege	2656	2e29fc015c30f726fb2c8fe8a687638cd523ceeb51a79d068b45cd61ac1b00b4.exe
Token: 33	2656	2e29fc015c30f726fb2c8fe8a687638cd523ceeb51a79d068b45cd61ac1b00b4.exe
Token: SeIncBasePriorityPrivilege	2656	2e29fc015c30f726fb2c8fe8a687638cd523ceeb51a79d068b45cd61ac1b00b4.exe
Token: 33	2656	2e29fc015c30f726fb2c8fe8a687638cd523ceeb51a79d068b45cd61ac1b00b4.exe
Token: SeIncBasePriorityPrivilege	2656	2e29fc015c30f726fb2c8fe8a687638cd523ceeb51a79d068b45cd61ac1b00b4.exe
Token: 33	2656	2e29fc015c30f726fb2c8fe8a687638cd523ceeb51a79d068b45cd61ac1b00b4.exe
Token: SeIncBasePriorityPrivilege	2656	2e29fc015c30f726fb2c8fe8a687638cd523ceeb51a79d068b45cd61ac1b00b4.exe
Token: 33	2656	2e29fc015c30f726fb2c8fe8a687638cd523ceeb51a79d068b45cd61ac1b00b4.exe
Token: SeIncBasePriorityPrivilege	2656	2e29fc015c30f726fb2c8fe8a687638cd523ceeb51a79d068b45cd61ac1b00b4.exe
Token: 33	2656	2e29fc015c30f726fb2c8fe8a687638cd523ceeb51a79d068b45cd61ac1b00b4.exe
Token: SeIncBasePriorityPrivilege	2656	2e29fc015c30f726fb2c8fe8a687638cd523ceeb51a79d068b45cd61ac1b00b4.exe
Token: 33	2656	2e29fc015c30f726fb2c8fe8a687638cd523ceeb51a79d068b45cd61ac1b00b4.exe
Token: SeIncBasePriorityPrivilege	2656	2e29fc015c30f726fb2c8fe8a687638cd523ceeb51a79d068b45cd61ac1b00b4.exe

C:\Users\Admin\AppData\Local\Temp\2e29fc015c30f726fb2c8fe8a687638cd523ceeb51a79d068b45cd61ac1b00b4.exe
"C:\Users\Admin\AppData\Local\Temp\2e29fc015c30f726fb2c8fe8a687638cd523ceeb51a79d068b45cd61ac1b00b4.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2656-0-0x000007FEF642E000-0x000007FEF642F000-memory.dmp

Filesize
4KB

Download
memory/2656-1-0x0000000000940000-0x0000000000956000-memory.dmp

Filesize
88KB

Download
memory/2656-2-0x000007FEF6170000-0x000007FEF6B0D000-memory.dmp

Filesize
9.6MB

Download
memory/2656-3-0x000007FEF642E000-0x000007FEF642F000-memory.dmp

Filesize
4KB

Download
memory/2656-4-0x000007FEF6170000-0x000007FEF6B0D000-memory.dmp

Filesize
9.6MB

Download
memory/2656-5-0x000007FEF6170000-0x000007FEF6B0D000-memory.dmp

Filesize
9.6MB

Download
memory/2656-9-0x000007FEF6170000-0x000007FEF6B0D000-memory.dmp

Filesize
9.6MB

Download
memory/2656-10-0x000007FEF6170000-0x000007FEF6B0D000-memory.dmp

Filesize
9.6MB

Download