njrat | 861c62fc1b264801e17d6a61ac6579a3b7d6d39e2f35aec69fc1b8300f42c953

General

Target

861c62fc1b264801e17d6a61ac6579a3b7d6d39e2f35aec69fc1b8300f42c953.exe
Size

93KB
MD5

ccb06fa4b339cc8ff5ae2331dda084b4
SHA1

0d1af1ebe0cb29ebf9ea4c76a7630661553b64db
SHA256

861c62fc1b264801e17d6a61ac6579a3b7d6d39e2f35aec69fc1b8300f42c953
SHA512

a716f4906ac8ba1135471deef804e886891cfdc7b3f8b8d471a8fec0aadb0a39051b5adb3930c6a715b2c7a6a46168bacb6ef9705925bfd02fd88b4ebc335952
SSDEEP

1536:InwEnYi9bzKuZ+8uZ3nV5XS65mkrPZ58kzQ+e+e+:IwaYi9bsh7J7M+e+e+

Score

10^/10

njrat steam discovery persistence trojan

Malware Config

Extracted

Family

njrat

Version

v4.0

Botnet

Steam

C2

40.80.147.203:8080

Mutex

Steam

Attributes

reg_key
Steam
splitter
|-F-|

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	861c62fc1b264801e17d6a61ac6579a3b7d6d39e2f35aec69fc1b8300f42c953.exe

Drops startup file 5 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Steam.exe	Steam.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Steam.exe	Steam.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Steam.exe	attrib.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Steam.lnk	861c62fc1b264801e17d6a61ac6579a3b7d6d39e2f35aec69fc1b8300f42c953.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Steam.lnk	Steam.exe

Executes dropped EXE 1 IoCs

pid	Process
4628	Steam.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Steam2 = "C:\\Windows\\Steam.exe"	861c62fc1b264801e17d6a61ac6579a3b7d6d39e2f35aec69fc1b8300f42c953.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Steam2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Steam.URL"	Steam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Steam2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Steam.URL"	Steam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Steam = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Steam.URL"	Steam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Steam = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Steam.URL"	Steam.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Steam.exe	attrib.exe
File created	C:\Windows\Steam.exe	861c62fc1b264801e17d6a61ac6579a3b7d6d39e2f35aec69fc1b8300f42c953.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	861c62fc1b264801e17d6a61ac6579a3b7d6d39e2f35aec69fc1b8300f42c953.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Steam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeDebugPrivilege	4628	Steam.exe
Token: 33	4628	Steam.exe
Token: SeIncBasePriorityPrivilege	4628	Steam.exe
Token: 33	4628	Steam.exe
Token: SeIncBasePriorityPrivilege	4628	Steam.exe
Token: 33	4628	Steam.exe
Token: SeIncBasePriorityPrivilege	4628	Steam.exe
Token: 33	4628	Steam.exe
Token: SeIncBasePriorityPrivilege	4628	Steam.exe
Token: 33	4628	Steam.exe
Token: SeIncBasePriorityPrivilege	4628	Steam.exe
Token: 33	4628	Steam.exe
Token: SeIncBasePriorityPrivilege	4628	Steam.exe
Token: 33	4628	Steam.exe
Token: SeIncBasePriorityPrivilege	4628	Steam.exe
Token: 33	4628	Steam.exe
Token: SeIncBasePriorityPrivilege	4628	Steam.exe
Token: 33	4628	Steam.exe
Token: SeIncBasePriorityPrivilege	4628	Steam.exe
Token: 33	4628	Steam.exe
Token: SeIncBasePriorityPrivilege	4628	Steam.exe
Token: 33	4628	Steam.exe
Token: SeIncBasePriorityPrivilege	4628	Steam.exe
Token: 33	4628	Steam.exe
Token: SeIncBasePriorityPrivilege	4628	Steam.exe
Token: 33	4628	Steam.exe
Token: SeIncBasePriorityPrivilege	4628	Steam.exe
Token: 33	4628	Steam.exe
Token: SeIncBasePriorityPrivilege	4628	Steam.exe
Token: 33	4628	Steam.exe
Token: SeIncBasePriorityPrivilege	4628	Steam.exe
Token: 33	4628	Steam.exe
Token: SeIncBasePriorityPrivilege	4628	Steam.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4792 wrote to memory of 4628	4792	861c62fc1b264801e17d6a61ac6579a3b7d6d39e2f35aec69fc1b8300f42c953.exe	91
PID 4792 wrote to memory of 4628	4792	861c62fc1b264801e17d6a61ac6579a3b7d6d39e2f35aec69fc1b8300f42c953.exe	91
PID 4792 wrote to memory of 4628	4792	861c62fc1b264801e17d6a61ac6579a3b7d6d39e2f35aec69fc1b8300f42c953.exe	91
PID 4792 wrote to memory of 4192	4792	861c62fc1b264801e17d6a61ac6579a3b7d6d39e2f35aec69fc1b8300f42c953.exe	92
PID 4792 wrote to memory of 4192	4792	861c62fc1b264801e17d6a61ac6579a3b7d6d39e2f35aec69fc1b8300f42c953.exe	92
PID 4792 wrote to memory of 4192	4792	861c62fc1b264801e17d6a61ac6579a3b7d6d39e2f35aec69fc1b8300f42c953.exe	92
PID 4628 wrote to memory of 2408	4628	Steam.exe	99
PID 4628 wrote to memory of 2408	4628	Steam.exe	99
PID 4628 wrote to memory of 2408	4628	Steam.exe	99
PID 4628 wrote to memory of 3536	4628	Steam.exe	100
PID 4628 wrote to memory of 3536	4628	Steam.exe	100
PID 4628 wrote to memory of 3536	4628	Steam.exe	100

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4192	attrib.exe
2408	attrib.exe
3536	attrib.exe

C:\Users\Admin\AppData\Local\Temp\861c62fc1b264801e17d6a61ac6579a3b7d6d39e2f35aec69fc1b8300f42c953.exe
"C:\Users\Admin\AppData\Local\Temp\861c62fc1b264801e17d6a61ac6579a3b7d6d39e2f35aec69fc1b8300f42c953.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4792
- C:\Windows\Steam.exe
  "C:\Windows\Steam.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4628
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Steam.exe"
    3⤵
    - Drops startup file
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:2408
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Steam.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:3536
- C:\Windows\SysWOW64\attrib.exe
  attrib +h +r +s "C:\Windows\Steam.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:4192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Steam.lnk

Filesize
1KB

MD5
747ab73eda9f1699d9642b4b6138e8bc

SHA1
eefe90f618f2195e112d4ce967711792ab55688b

SHA256
d1a1dac4d709aca9f9d3cdccc8cee82715fec09db136399967e81931e18f7856

SHA512
29cb36eb768efc5b5bb279166cfd7524179f01f5c694d12ae7109679542d7e1e0b1290e9370405ab17aac6be826508c5a88554a7427068c913a7f89a57d50d49

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Steam.lnk

Filesize
1KB

MD5
8311fe8724863d68eaa4411ebd3ea82e

SHA1
71dfcb7d233201b79ffa17bb7b5a1a9a04b35d19

SHA256
232ac349846ed38e5fe2219585059cced5d61967351bb0e2d7dde70b608932d3

SHA512
49ff96c39d71af0870d0c7cb5c71355bc9b857f1bb406864a8beb65b9878c609561bd85fd1993e769c06250c2c58cf8d177b5c376fc5a42247901cfff64544e0

Download Submit
C:\Windows\Steam.exe

Filesize
93KB

MD5
ccb06fa4b339cc8ff5ae2331dda084b4

SHA1
0d1af1ebe0cb29ebf9ea4c76a7630661553b64db

SHA256
861c62fc1b264801e17d6a61ac6579a3b7d6d39e2f35aec69fc1b8300f42c953

SHA512
a716f4906ac8ba1135471deef804e886891cfdc7b3f8b8d471a8fec0aadb0a39051b5adb3930c6a715b2c7a6a46168bacb6ef9705925bfd02fd88b4ebc335952

Download Submit
memory/4628-22-0x0000000074520000-0x0000000074CD0000-memory.dmp

Filesize
7.7MB

Download
memory/4628-17-0x0000000074520000-0x0000000074CD0000-memory.dmp

Filesize
7.7MB

Download
memory/4628-24-0x0000000074520000-0x0000000074CD0000-memory.dmp

Filesize
7.7MB

Download
memory/4628-25-0x0000000005430000-0x00000000054C2000-memory.dmp

Filesize
584KB

Download
memory/4628-26-0x0000000005400000-0x000000000540A000-memory.dmp

Filesize
40KB

Download
memory/4628-27-0x0000000074520000-0x0000000074CD0000-memory.dmp

Filesize
7.7MB

Download
memory/4792-5-0x00000000062C0000-0x0000000006864000-memory.dmp

Filesize
5.6MB

Download
memory/4792-14-0x000000007452E000-0x000000007452F000-memory.dmp

Filesize
4KB

Download
memory/4792-2-0x00000000054D0000-0x000000000556C000-memory.dmp

Filesize
624KB

Download
memory/4792-1-0x0000000000AB0000-0x0000000000ACE000-memory.dmp

Filesize
120KB

Download
memory/4792-0-0x000000007452E000-0x000000007452F000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads