njrat | eaf0ce2952eeefd83801294d40c16cdaf19ef02c6cc7e75e6d1c7712506dca96

Analysis

max time kernel
65s
max time network
116s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-12-2024 09:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eaf0ce2952eeefd83801294d40c16cdaf19ef02c6cc7e75e6d1c7712506dca96N.exe
Size

40KB
MD5

b9dc64873f89fdd117a3d009ed7173f0
SHA1

04ceb5aff8161fadbc4998e1100c02cb291e689e
SHA256

eaf0ce2952eeefd83801294d40c16cdaf19ef02c6cc7e75e6d1c7712506dca96
SHA512

85ff98648dd389904ae03687fa6c40a891d5156697e2fb4f351b68906c8b07c9ed141f460ee32c20a4f7e7c9e038f4ffca2c23bdb4288313c4cb65ffe55bacab
SSDEEP

768:U4lD80GLtVB8TCbH9PRwxAtz/MfHiedUYOTAhe9j/9V:UuD8LtVB80FOWtz/MvRO9jf

Score

10^/10

njrat byabolhb discovery trojan

Malware Config

Extracted

Family

njrat

Version

QUJPTEhC

Botnet

ByABOLHB

abolhb.com:505

Mutex

66f73d9b4e94d115b763eaa1ada7d1f1

Attributes

reg_key
66f73d9b4e94d115b763eaa1ada7d1f1
splitter
|'|'|

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 1 IoCs

pid	Process
2464	eaf0ce2952eeefd83801294d40c16cdaf19ef02c6cc7e75e6d1c7712506dca96N.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2180 set thread context of 320	2180	eaf0ce2952eeefd83801294d40c16cdaf19ef02c6cc7e75e6d1c7712506dca96N.exe	32
PID 2464 set thread context of 2580	2464	eaf0ce2952eeefd83801294d40c16cdaf19ef02c6cc7e75e6d1c7712506dca96N.exe	37

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2776	schtasks.exe
2980	schtasks.exe
1280	schtasks.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
320	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2180	eaf0ce2952eeefd83801294d40c16cdaf19ef02c6cc7e75e6d1c7712506dca96N.exe
Token: SeDebugPrivilege	320	RegSvcs.exe
Token: 33	320	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	320	RegSvcs.exe
Token: 33	320	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	320	RegSvcs.exe
Token: 33	320	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	320	RegSvcs.exe
Token: 33	320	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	320	RegSvcs.exe
Token: 33	320	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	320	RegSvcs.exe
Token: 33	320	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	320	RegSvcs.exe
Token: 33	320	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	320	RegSvcs.exe
Token: 33	320	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	320	RegSvcs.exe
Token: 33	320	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	320	RegSvcs.exe
Token: 33	320	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	320	RegSvcs.exe
Token: 33	320	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	320	RegSvcs.exe
Token: 33	320	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	320	RegSvcs.exe
Token: 33	320	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	320	RegSvcs.exe
Token: 33	320	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	320	RegSvcs.exe
Token: 33	320	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	320	RegSvcs.exe
Token: 33	320	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	320	RegSvcs.exe
Token: 33	320	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	320	RegSvcs.exe
Token: 33	320	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	320	RegSvcs.exe
Token: 33	320	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	320	RegSvcs.exe
Token: 33	320	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	320	RegSvcs.exe
Token: 33	320	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	320	RegSvcs.exe
Token: 33	320	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	320	RegSvcs.exe
Token: 33	320	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	320	RegSvcs.exe
Token: 33	320	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	320	RegSvcs.exe
Token: 33	320	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	320	RegSvcs.exe
Token: 33	320	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	320	RegSvcs.exe
Token: 33	320	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	320	RegSvcs.exe
Token: 33	320	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	320	RegSvcs.exe
Token: 33	320	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	320	RegSvcs.exe
Token: 33	320	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	320	RegSvcs.exe
Token: 33	320	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	320	RegSvcs.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 2776	2180	eaf0ce2952eeefd83801294d40c16cdaf19ef02c6cc7e75e6d1c7712506dca96N.exe	30
PID 2180 wrote to memory of 2776	2180	eaf0ce2952eeefd83801294d40c16cdaf19ef02c6cc7e75e6d1c7712506dca96N.exe	30
PID 2180 wrote to memory of 2776	2180	eaf0ce2952eeefd83801294d40c16cdaf19ef02c6cc7e75e6d1c7712506dca96N.exe	30
PID 2180 wrote to memory of 320	2180	eaf0ce2952eeefd83801294d40c16cdaf19ef02c6cc7e75e6d1c7712506dca96N.exe	32
PID 2180 wrote to memory of 320	2180	eaf0ce2952eeefd83801294d40c16cdaf19ef02c6cc7e75e6d1c7712506dca96N.exe	32
PID 2180 wrote to memory of 320	2180	eaf0ce2952eeefd83801294d40c16cdaf19ef02c6cc7e75e6d1c7712506dca96N.exe	32
PID 2180 wrote to memory of 320	2180	eaf0ce2952eeefd83801294d40c16cdaf19ef02c6cc7e75e6d1c7712506dca96N.exe	32
PID 2180 wrote to memory of 320	2180	eaf0ce2952eeefd83801294d40c16cdaf19ef02c6cc7e75e6d1c7712506dca96N.exe	32
PID 2180 wrote to memory of 320	2180	eaf0ce2952eeefd83801294d40c16cdaf19ef02c6cc7e75e6d1c7712506dca96N.exe	32
PID 2180 wrote to memory of 320	2180	eaf0ce2952eeefd83801294d40c16cdaf19ef02c6cc7e75e6d1c7712506dca96N.exe	32
PID 2180 wrote to memory of 320	2180	eaf0ce2952eeefd83801294d40c16cdaf19ef02c6cc7e75e6d1c7712506dca96N.exe	32
PID 2180 wrote to memory of 320	2180	eaf0ce2952eeefd83801294d40c16cdaf19ef02c6cc7e75e6d1c7712506dca96N.exe	32
PID 2180 wrote to memory of 320	2180	eaf0ce2952eeefd83801294d40c16cdaf19ef02c6cc7e75e6d1c7712506dca96N.exe	32
PID 2180 wrote to memory of 320	2180	eaf0ce2952eeefd83801294d40c16cdaf19ef02c6cc7e75e6d1c7712506dca96N.exe	32
PID 2180 wrote to memory of 320	2180	eaf0ce2952eeefd83801294d40c16cdaf19ef02c6cc7e75e6d1c7712506dca96N.exe	32
PID 1304 wrote to memory of 2464	1304	taskeng.exe	34
PID 1304 wrote to memory of 2464	1304	taskeng.exe	34
PID 1304 wrote to memory of 2464	1304	taskeng.exe	34
PID 2464 wrote to memory of 2980	2464	eaf0ce2952eeefd83801294d40c16cdaf19ef02c6cc7e75e6d1c7712506dca96N.exe	35
PID 2464 wrote to memory of 2980	2464	eaf0ce2952eeefd83801294d40c16cdaf19ef02c6cc7e75e6d1c7712506dca96N.exe	35
PID 2464 wrote to memory of 2980	2464	eaf0ce2952eeefd83801294d40c16cdaf19ef02c6cc7e75e6d1c7712506dca96N.exe	35
PID 2464 wrote to memory of 2580	2464	eaf0ce2952eeefd83801294d40c16cdaf19ef02c6cc7e75e6d1c7712506dca96N.exe	37
PID 2464 wrote to memory of 2580	2464	eaf0ce2952eeefd83801294d40c16cdaf19ef02c6cc7e75e6d1c7712506dca96N.exe	37
PID 2464 wrote to memory of 2580	2464	eaf0ce2952eeefd83801294d40c16cdaf19ef02c6cc7e75e6d1c7712506dca96N.exe	37
PID 2464 wrote to memory of 2580	2464	eaf0ce2952eeefd83801294d40c16cdaf19ef02c6cc7e75e6d1c7712506dca96N.exe	37
PID 2464 wrote to memory of 2580	2464	eaf0ce2952eeefd83801294d40c16cdaf19ef02c6cc7e75e6d1c7712506dca96N.exe	37
PID 2464 wrote to memory of 2580	2464	eaf0ce2952eeefd83801294d40c16cdaf19ef02c6cc7e75e6d1c7712506dca96N.exe	37
PID 2464 wrote to memory of 2580	2464	eaf0ce2952eeefd83801294d40c16cdaf19ef02c6cc7e75e6d1c7712506dca96N.exe	37
PID 2464 wrote to memory of 2580	2464	eaf0ce2952eeefd83801294d40c16cdaf19ef02c6cc7e75e6d1c7712506dca96N.exe	37
PID 2464 wrote to memory of 2580	2464	eaf0ce2952eeefd83801294d40c16cdaf19ef02c6cc7e75e6d1c7712506dca96N.exe	37
PID 2464 wrote to memory of 2580	2464	eaf0ce2952eeefd83801294d40c16cdaf19ef02c6cc7e75e6d1c7712506dca96N.exe	37
PID 2464 wrote to memory of 2580	2464	eaf0ce2952eeefd83801294d40c16cdaf19ef02c6cc7e75e6d1c7712506dca96N.exe	37
PID 2464 wrote to memory of 2580	2464	eaf0ce2952eeefd83801294d40c16cdaf19ef02c6cc7e75e6d1c7712506dca96N.exe	37

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\eaf0ce2952eeefd83801294d40c16cdaf19ef02c6cc7e75e6d1c7712506dca96N.exe
"C:\Users\Admin\AppData\Local\Temp\eaf0ce2952eeefd83801294d40c16cdaf19ef02c6cc7e75e6d1c7712506dca96N.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /rl highest /tn "eaf0ce2952eeefd83801294d40c16cdaf19ef02c6cc7e75e6d1c7712506dca96N" /tr "C:\ProgramData\eaf0ce2952eeefd83801294d40c16cdaf19ef02c6cc7e75e6d1c7712506dca96N.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2776
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:320

C:\Windows\system32\taskeng.exe
taskeng.exe {741C69A8-E444-4247-AD7A-140253660B4A} S-1-5-21-1846800975-3917212583-2893086201-1000:ZQABOPWE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1304
- C:\ProgramData\eaf0ce2952eeefd83801294d40c16cdaf19ef02c6cc7e75e6d1c7712506dca96N.exe
  C:\ProgramData\eaf0ce2952eeefd83801294d40c16cdaf19ef02c6cc7e75e6d1c7712506dca96N.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2464
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /rl highest /tn "eaf0ce2952eeefd83801294d40c16cdaf19ef02c6cc7e75e6d1c7712506dca96N" /tr "C:\ProgramData\eaf0ce2952eeefd83801294d40c16cdaf19ef02c6cc7e75e6d1c7712506dca96N.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2980
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2580
- C:\ProgramData\eaf0ce2952eeefd83801294d40c16cdaf19ef02c6cc7e75e6d1c7712506dca96N.exe
  C:\ProgramData\eaf0ce2952eeefd83801294d40c16cdaf19ef02c6cc7e75e6d1c7712506dca96N.exe
  2⤵
  PID:2964
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /rl highest /tn "eaf0ce2952eeefd83801294d40c16cdaf19ef02c6cc7e75e6d1c7712506dca96N" /tr "C:\ProgramData\eaf0ce2952eeefd83801294d40c16cdaf19ef02c6cc7e75e6d1c7712506dca96N.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1280
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:1324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\eaf0ce2952eeefd83801294d40c16cdaf19ef02c6cc7e75e6d1c7712506dca96N.exe

Filesize
40KB

MD5
b9dc64873f89fdd117a3d009ed7173f0

SHA1
04ceb5aff8161fadbc4998e1100c02cb291e689e

SHA256
eaf0ce2952eeefd83801294d40c16cdaf19ef02c6cc7e75e6d1c7712506dca96

SHA512
85ff98648dd389904ae03687fa6c40a891d5156697e2fb4f351b68906c8b07c9ed141f460ee32c20a4f7e7c9e038f4ffca2c23bdb4288313c4cb65ffe55bacab

Download Submit
C:\Users\Admin\AppData\Local\Temp\screenshot.png

Filesize
64KB

MD5
e0d57fe1f8f2b1a6de9a0e8eeaf139f4

SHA1
ad09f2248575ded6a23f950e563d5c48dfae4e42

SHA256
a360dac8c1ff69274cb6cb56c1a399587d1bb9defc77fdbf4084fa7003cbd65a

SHA512
0e5141e2232916b3b4cb22bbb6f2aa5ed73ad284882b8424e765a45cbdd1f85bed8769ceeb63bb638c26502c2f291eb8f3c6c897637432355717169b36986f89

Download Submit
C:\Users\Admin\AppData\Local\Temp\screenshot.png

Filesize
375KB

MD5
89e7d6635c19a7d41f6436883b26ee3c

SHA1
3a9d318929e2cf4777c0817230807b4b4f86bd57

SHA256
acc747790646cb934868e043a5c3d901b50ec87d570bfc825339eebdda8ef288

SHA512
8876413b4dbe8859863b7b8792b059b917d78a13b0783763540409e4030183d6294e95673bc83ff0c2b4181489259193606f48b17603689f9a18d4591147b5ff

Download Submit
memory/320-11-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/320-7-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/320-5-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/320-3-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/320-9-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/320-13-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/320-8-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/320-15-0x0000000074B8E000-0x0000000074B8F000-memory.dmp

Filesize
4KB

Download
memory/320-6-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/320-19-0x0000000074B8E000-0x0000000074B8F000-memory.dmp

Filesize
4KB

Download
memory/2180-18-0x000007FEF6230000-0x000007FEF6C1C000-memory.dmp

Filesize
9.9MB

Download
memory/2180-0-0x000007FEF6233000-0x000007FEF6234000-memory.dmp

Filesize
4KB

Download
memory/2180-14-0x000007FEF6230000-0x000007FEF6C1C000-memory.dmp

Filesize
9.9MB

Download
memory/2180-1-0x0000000000250000-0x0000000000260000-memory.dmp

Filesize
64KB

Download
memory/2464-23-0x0000000001310000-0x0000000001320000-memory.dmp

Filesize
64KB

Download
memory/2580-32-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads