njrat | e0c85e56056a0a1bb926856b7930367fee168c6591cc7e48660607259b4a9774

Analysis

max time kernel
120s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-12-2024 07:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e0c85e56056a0a1bb926856b7930367fee168c6591cc7e48660607259b4a9774.exe
Size

40KB
MD5

19b6cc62aec3fb6f57af96e8aa08e34a
SHA1

3fa40a227a903e02384f30f097a659d62ef7a474
SHA256

e0c85e56056a0a1bb926856b7930367fee168c6591cc7e48660607259b4a9774
SHA512

2924a655f8afaa4f8d8319e8b674d51d30fea8f9be901632d9c6cb9ee6f35b083959803e5caad6d8506a6ed7b1aaede5784de63b525fa011695183beff8ebce8
SSDEEP

768:U4lD80GLtVB8TCbH9PRwxAtz/MfHiedUYOTAhe9j/9Vc:UuD8LtVB80FOWtz/MvRO9jfc

Score

10^/10

njrat byabolhb discovery trojan

Malware Config

Extracted

Family

njrat

Version

QUJPTEhC

Botnet

ByABOLHB

abolhb.com:505

Mutex

66f73d9b4e94d115b763eaa1ada7d1f1

Attributes

reg_key
66f73d9b4e94d115b763eaa1ada7d1f1
splitter
|'|'|

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	e0c85e56056a0a1bb926856b7930367fee168c6591cc7e48660607259b4a9774.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	e0c85e56056a0a1bb926856b7930367fee168c6591cc7e48660607259b4a9774.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	e0c85e56056a0a1bb926856b7930367fee168c6591cc7e48660607259b4a9774.exe

Executes dropped EXE 2 IoCs

pid	Process
1928	e0c85e56056a0a1bb926856b7930367fee168c6591cc7e48660607259b4a9774.exe
372	e0c85e56056a0a1bb926856b7930367fee168c6591cc7e48660607259b4a9774.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4968 set thread context of 2952	4968	e0c85e56056a0a1bb926856b7930367fee168c6591cc7e48660607259b4a9774.exe	84
PID 1928 set thread context of 2228	1928	e0c85e56056a0a1bb926856b7930367fee168c6591cc7e48660607259b4a9774.exe	97
PID 372 set thread context of 2388	372	e0c85e56056a0a1bb926856b7930367fee168c6591cc7e48660607259b4a9774.exe	101

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2848	schtasks.exe
2428	schtasks.exe
1072	schtasks.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2952	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4968	e0c85e56056a0a1bb926856b7930367fee168c6591cc7e48660607259b4a9774.exe
Token: SeDebugPrivilege	2952	RegSvcs.exe
Token: 33	2952	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2952	RegSvcs.exe
Token: 33	2952	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2952	RegSvcs.exe
Token: 33	2952	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2952	RegSvcs.exe
Token: 33	2952	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2952	RegSvcs.exe
Token: 33	2952	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2952	RegSvcs.exe
Token: 33	2952	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2952	RegSvcs.exe
Token: 33	2952	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2952	RegSvcs.exe
Token: 33	2952	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2952	RegSvcs.exe
Token: 33	2952	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2952	RegSvcs.exe
Token: 33	2952	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2952	RegSvcs.exe
Token: 33	2952	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2952	RegSvcs.exe
Token: 33	2952	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2952	RegSvcs.exe
Token: 33	2952	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2952	RegSvcs.exe
Token: 33	2952	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2952	RegSvcs.exe
Token: 33	2952	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2952	RegSvcs.exe
Token: 33	2952	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2952	RegSvcs.exe
Token: 33	2952	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2952	RegSvcs.exe
Token: 33	2952	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2952	RegSvcs.exe
Token: 33	2952	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2952	RegSvcs.exe
Token: 33	2952	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2952	RegSvcs.exe
Token: 33	2952	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2952	RegSvcs.exe
Token: 33	2952	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2952	RegSvcs.exe
Token: 33	2952	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2952	RegSvcs.exe
Token: 33	2952	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2952	RegSvcs.exe
Token: 33	2952	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2952	RegSvcs.exe
Token: 33	2952	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2952	RegSvcs.exe
Token: 33	2952	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2952	RegSvcs.exe
Token: 33	2952	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2952	RegSvcs.exe
Token: 33	2952	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2952	RegSvcs.exe
Token: 33	2952	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2952	RegSvcs.exe
Token: 33	2952	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2952	RegSvcs.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 4968 wrote to memory of 2848	4968	e0c85e56056a0a1bb926856b7930367fee168c6591cc7e48660607259b4a9774.exe	82
PID 4968 wrote to memory of 2848	4968	e0c85e56056a0a1bb926856b7930367fee168c6591cc7e48660607259b4a9774.exe	82
PID 4968 wrote to memory of 2952	4968	e0c85e56056a0a1bb926856b7930367fee168c6591cc7e48660607259b4a9774.exe	84
PID 4968 wrote to memory of 2952	4968	e0c85e56056a0a1bb926856b7930367fee168c6591cc7e48660607259b4a9774.exe	84
PID 4968 wrote to memory of 2952	4968	e0c85e56056a0a1bb926856b7930367fee168c6591cc7e48660607259b4a9774.exe	84
PID 4968 wrote to memory of 2952	4968	e0c85e56056a0a1bb926856b7930367fee168c6591cc7e48660607259b4a9774.exe	84
PID 4968 wrote to memory of 2952	4968	e0c85e56056a0a1bb926856b7930367fee168c6591cc7e48660607259b4a9774.exe	84
PID 4968 wrote to memory of 2952	4968	e0c85e56056a0a1bb926856b7930367fee168c6591cc7e48660607259b4a9774.exe	84
PID 4968 wrote to memory of 2952	4968	e0c85e56056a0a1bb926856b7930367fee168c6591cc7e48660607259b4a9774.exe	84
PID 4968 wrote to memory of 2952	4968	e0c85e56056a0a1bb926856b7930367fee168c6591cc7e48660607259b4a9774.exe	84
PID 1928 wrote to memory of 2428	1928	e0c85e56056a0a1bb926856b7930367fee168c6591cc7e48660607259b4a9774.exe	95
PID 1928 wrote to memory of 2428	1928	e0c85e56056a0a1bb926856b7930367fee168c6591cc7e48660607259b4a9774.exe	95
PID 1928 wrote to memory of 2228	1928	e0c85e56056a0a1bb926856b7930367fee168c6591cc7e48660607259b4a9774.exe	97
PID 1928 wrote to memory of 2228	1928	e0c85e56056a0a1bb926856b7930367fee168c6591cc7e48660607259b4a9774.exe	97
PID 1928 wrote to memory of 2228	1928	e0c85e56056a0a1bb926856b7930367fee168c6591cc7e48660607259b4a9774.exe	97
PID 1928 wrote to memory of 2228	1928	e0c85e56056a0a1bb926856b7930367fee168c6591cc7e48660607259b4a9774.exe	97
PID 1928 wrote to memory of 2228	1928	e0c85e56056a0a1bb926856b7930367fee168c6591cc7e48660607259b4a9774.exe	97
PID 1928 wrote to memory of 2228	1928	e0c85e56056a0a1bb926856b7930367fee168c6591cc7e48660607259b4a9774.exe	97
PID 1928 wrote to memory of 2228	1928	e0c85e56056a0a1bb926856b7930367fee168c6591cc7e48660607259b4a9774.exe	97
PID 1928 wrote to memory of 2228	1928	e0c85e56056a0a1bb926856b7930367fee168c6591cc7e48660607259b4a9774.exe	97
PID 372 wrote to memory of 1072	372	e0c85e56056a0a1bb926856b7930367fee168c6591cc7e48660607259b4a9774.exe	99
PID 372 wrote to memory of 1072	372	e0c85e56056a0a1bb926856b7930367fee168c6591cc7e48660607259b4a9774.exe	99
PID 372 wrote to memory of 2388	372	e0c85e56056a0a1bb926856b7930367fee168c6591cc7e48660607259b4a9774.exe	101
PID 372 wrote to memory of 2388	372	e0c85e56056a0a1bb926856b7930367fee168c6591cc7e48660607259b4a9774.exe	101
PID 372 wrote to memory of 2388	372	e0c85e56056a0a1bb926856b7930367fee168c6591cc7e48660607259b4a9774.exe	101
PID 372 wrote to memory of 2388	372	e0c85e56056a0a1bb926856b7930367fee168c6591cc7e48660607259b4a9774.exe	101
PID 372 wrote to memory of 2388	372	e0c85e56056a0a1bb926856b7930367fee168c6591cc7e48660607259b4a9774.exe	101
PID 372 wrote to memory of 2388	372	e0c85e56056a0a1bb926856b7930367fee168c6591cc7e48660607259b4a9774.exe	101
PID 372 wrote to memory of 2388	372	e0c85e56056a0a1bb926856b7930367fee168c6591cc7e48660607259b4a9774.exe	101
PID 372 wrote to memory of 2388	372	e0c85e56056a0a1bb926856b7930367fee168c6591cc7e48660607259b4a9774.exe	101

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\e0c85e56056a0a1bb926856b7930367fee168c6591cc7e48660607259b4a9774.exe
"C:\Users\Admin\AppData\Local\Temp\e0c85e56056a0a1bb926856b7930367fee168c6591cc7e48660607259b4a9774.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4968
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /rl highest /tn "e0c85e56056a0a1bb926856b7930367fee168c6591cc7e48660607259b4a9774" /tr "C:\ProgramData\e0c85e56056a0a1bb926856b7930367fee168c6591cc7e48660607259b4a9774.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2848
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:2952

C:\ProgramData\e0c85e56056a0a1bb926856b7930367fee168c6591cc7e48660607259b4a9774.exe
C:\ProgramData\e0c85e56056a0a1bb926856b7930367fee168c6591cc7e48660607259b4a9774.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /rl highest /tn "e0c85e56056a0a1bb926856b7930367fee168c6591cc7e48660607259b4a9774" /tr "C:\ProgramData\e0c85e56056a0a1bb926856b7930367fee168c6591cc7e48660607259b4a9774.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2428
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2228

C:\ProgramData\e0c85e56056a0a1bb926856b7930367fee168c6591cc7e48660607259b4a9774.exe
C:\ProgramData\e0c85e56056a0a1bb926856b7930367fee168c6591cc7e48660607259b4a9774.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:372
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /rl highest /tn "e0c85e56056a0a1bb926856b7930367fee168c6591cc7e48660607259b4a9774" /tr "C:\ProgramData\e0c85e56056a0a1bb926856b7930367fee168c6591cc7e48660607259b4a9774.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1072
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\e0c85e56056a0a1bb926856b7930367fee168c6591cc7e48660607259b4a9774.exe

Filesize
40KB

MD5
19b6cc62aec3fb6f57af96e8aa08e34a

SHA1
3fa40a227a903e02384f30f097a659d62ef7a474

SHA256
e0c85e56056a0a1bb926856b7930367fee168c6591cc7e48660607259b4a9774

SHA512
2924a655f8afaa4f8d8319e8b674d51d30fea8f9be901632d9c6cb9ee6f35b083959803e5caad6d8506a6ed7b1aaede5784de63b525fa011695183beff8ebce8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\e0c85e56056a0a1bb926856b7930367fee168c6591cc7e48660607259b4a9774.exe.log

Filesize
862B

MD5
fed7b5f63e32f0db8ec8d665d5fd1c6e

SHA1
2d8782df90b28b75a69e8ed78af035e33071ed3c

SHA256
59964b2f325a77285fd0c186fda9454654e666ad7a976997aa7ca168af3c42a3

SHA512
6c958e810c632d8f6d2450d0fb3baedb19d2a2ad89eceaf3133aee6e464d589b319ef6bb27baf30f44566db59dd2162fa28c349d84ff9fddeeb1718a4af28d2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log

Filesize
1KB

MD5
14f6fe662bf38c2254ef2436b302b443

SHA1
aeffced8cf7f54bde0ca62425c3c40622502849e

SHA256
a18598afa05e33bda249b03c44b47893362cf9830567cbefef958e5cbc2c7b34

SHA512
b94d52ee359451331c184bf6d545a5d33a52511bf908ebeb648ac52ea71da628fddd174284a8c841dc729fd635eb9a12f76fdf5838794ee5d45d9a4220f53049

Download Submit
C:\Users\Admin\AppData\Local\Temp\screenshot.png

Filesize
424KB

MD5
ab074b654f568cbe164670da728ec5b4

SHA1
764e0f00dac4b14ae788aa20499c9d8d751a4bfc

SHA256
b31c5337470b2b6e845dfe8638f33210effa9e3927dce0e75b944a4dca7f3eda

SHA512
57fb38a3485cafa4651d5969812ce67b7aed8d74b492602df88d7d57792ddac0afe1cbe38e67a2967b012dbfc18c52e985ced2cc42041ea6ed63c34c90f9e202

Download Submit
memory/2952-17-0x0000000074700000-0x0000000074EB0000-memory.dmp

Filesize
7.7MB

Download
memory/2952-7-0x000000007470E000-0x000000007470F000-memory.dmp

Filesize
4KB

Download
memory/2952-8-0x00000000053C0000-0x0000000005964000-memory.dmp

Filesize
5.6MB

Download
memory/2952-9-0x0000000074700000-0x0000000074EB0000-memory.dmp

Filesize
7.7MB

Download
memory/2952-10-0x0000000006670000-0x0000000006702000-memory.dmp

Filesize
584KB

Download
memory/2952-14-0x0000000006C00000-0x0000000006C9C000-memory.dmp

Filesize
624KB

Download
memory/2952-15-0x0000000006D00000-0x0000000006D0A000-memory.dmp

Filesize
40KB

Download
memory/2952-16-0x000000007470E000-0x000000007470F000-memory.dmp

Filesize
4KB

Download
memory/2952-3-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4968-0-0x00007FFB39E23000-0x00007FFB39E25000-memory.dmp

Filesize
8KB

Download
memory/4968-6-0x00007FFB39E20000-0x00007FFB3A8E1000-memory.dmp

Filesize
10.8MB

Download
memory/4968-4-0x00007FFB39E20000-0x00007FFB3A8E1000-memory.dmp

Filesize
10.8MB

Download
memory/4968-1-0x0000000000250000-0x0000000000260000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads