njrat | eaf0ce2952eeefd83801294d40c16cdaf19ef02c6cc7e75e6d1c7712506dca96

Analysis

max time kernel
120s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-12-2024 09:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eaf0ce2952eeefd83801294d40c16cdaf19ef02c6cc7e75e6d1c7712506dca96N.exe
Size

40KB
MD5

b9dc64873f89fdd117a3d009ed7173f0
SHA1

04ceb5aff8161fadbc4998e1100c02cb291e689e
SHA256

eaf0ce2952eeefd83801294d40c16cdaf19ef02c6cc7e75e6d1c7712506dca96
SHA512

85ff98648dd389904ae03687fa6c40a891d5156697e2fb4f351b68906c8b07c9ed141f460ee32c20a4f7e7c9e038f4ffca2c23bdb4288313c4cb65ffe55bacab
SSDEEP

768:U4lD80GLtVB8TCbH9PRwxAtz/MfHiedUYOTAhe9j/9V:UuD8LtVB80FOWtz/MvRO9jf

Score

10^/10

njrat byabolhb discovery trojan

Malware Config

Extracted

Family

njrat

Version

QUJPTEhC

Botnet

ByABOLHB

abolhb.com:505

Mutex

66f73d9b4e94d115b763eaa1ada7d1f1

Attributes

reg_key
66f73d9b4e94d115b763eaa1ada7d1f1
splitter
|'|'|

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	eaf0ce2952eeefd83801294d40c16cdaf19ef02c6cc7e75e6d1c7712506dca96N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	eaf0ce2952eeefd83801294d40c16cdaf19ef02c6cc7e75e6d1c7712506dca96N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	eaf0ce2952eeefd83801294d40c16cdaf19ef02c6cc7e75e6d1c7712506dca96N.exe

Executes dropped EXE 2 IoCs

pid	Process
2960	eaf0ce2952eeefd83801294d40c16cdaf19ef02c6cc7e75e6d1c7712506dca96N.exe
1380	eaf0ce2952eeefd83801294d40c16cdaf19ef02c6cc7e75e6d1c7712506dca96N.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 512 set thread context of 2212	512	eaf0ce2952eeefd83801294d40c16cdaf19ef02c6cc7e75e6d1c7712506dca96N.exe	84
PID 2960 set thread context of 1176	2960	eaf0ce2952eeefd83801294d40c16cdaf19ef02c6cc7e75e6d1c7712506dca96N.exe	97
PID 1380 set thread context of 3296	1380	eaf0ce2952eeefd83801294d40c16cdaf19ef02c6cc7e75e6d1c7712506dca96N.exe	101

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3664	schtasks.exe
1432	schtasks.exe
2032	schtasks.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2212	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	512	eaf0ce2952eeefd83801294d40c16cdaf19ef02c6cc7e75e6d1c7712506dca96N.exe
Token: SeDebugPrivilege	2212	RegSvcs.exe
Token: 33	2212	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2212	RegSvcs.exe
Token: 33	2212	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2212	RegSvcs.exe
Token: 33	2212	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2212	RegSvcs.exe
Token: 33	2212	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2212	RegSvcs.exe
Token: 33	2212	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2212	RegSvcs.exe
Token: 33	2212	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2212	RegSvcs.exe
Token: 33	2212	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2212	RegSvcs.exe
Token: 33	2212	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2212	RegSvcs.exe
Token: 33	2212	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2212	RegSvcs.exe
Token: 33	2212	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2212	RegSvcs.exe
Token: 33	2212	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2212	RegSvcs.exe
Token: 33	2212	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2212	RegSvcs.exe
Token: 33	2212	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2212	RegSvcs.exe
Token: 33	2212	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2212	RegSvcs.exe
Token: 33	2212	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2212	RegSvcs.exe
Token: 33	2212	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2212	RegSvcs.exe
Token: 33	2212	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2212	RegSvcs.exe
Token: 33	2212	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2212	RegSvcs.exe
Token: 33	2212	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2212	RegSvcs.exe
Token: 33	2212	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2212	RegSvcs.exe
Token: 33	2212	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2212	RegSvcs.exe
Token: 33	2212	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2212	RegSvcs.exe
Token: 33	2212	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2212	RegSvcs.exe
Token: 33	2212	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2212	RegSvcs.exe
Token: 33	2212	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2212	RegSvcs.exe
Token: 33	2212	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2212	RegSvcs.exe
Token: 33	2212	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2212	RegSvcs.exe
Token: 33	2212	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2212	RegSvcs.exe
Token: 33	2212	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2212	RegSvcs.exe
Token: 33	2212	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2212	RegSvcs.exe
Token: 33	2212	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2212	RegSvcs.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 512 wrote to memory of 3664	512	eaf0ce2952eeefd83801294d40c16cdaf19ef02c6cc7e75e6d1c7712506dca96N.exe	82
PID 512 wrote to memory of 3664	512	eaf0ce2952eeefd83801294d40c16cdaf19ef02c6cc7e75e6d1c7712506dca96N.exe	82
PID 512 wrote to memory of 2212	512	eaf0ce2952eeefd83801294d40c16cdaf19ef02c6cc7e75e6d1c7712506dca96N.exe	84
PID 512 wrote to memory of 2212	512	eaf0ce2952eeefd83801294d40c16cdaf19ef02c6cc7e75e6d1c7712506dca96N.exe	84
PID 512 wrote to memory of 2212	512	eaf0ce2952eeefd83801294d40c16cdaf19ef02c6cc7e75e6d1c7712506dca96N.exe	84
PID 512 wrote to memory of 2212	512	eaf0ce2952eeefd83801294d40c16cdaf19ef02c6cc7e75e6d1c7712506dca96N.exe	84
PID 512 wrote to memory of 2212	512	eaf0ce2952eeefd83801294d40c16cdaf19ef02c6cc7e75e6d1c7712506dca96N.exe	84
PID 512 wrote to memory of 2212	512	eaf0ce2952eeefd83801294d40c16cdaf19ef02c6cc7e75e6d1c7712506dca96N.exe	84
PID 512 wrote to memory of 2212	512	eaf0ce2952eeefd83801294d40c16cdaf19ef02c6cc7e75e6d1c7712506dca96N.exe	84
PID 512 wrote to memory of 2212	512	eaf0ce2952eeefd83801294d40c16cdaf19ef02c6cc7e75e6d1c7712506dca96N.exe	84
PID 2960 wrote to memory of 1432	2960	eaf0ce2952eeefd83801294d40c16cdaf19ef02c6cc7e75e6d1c7712506dca96N.exe	95
PID 2960 wrote to memory of 1432	2960	eaf0ce2952eeefd83801294d40c16cdaf19ef02c6cc7e75e6d1c7712506dca96N.exe	95
PID 2960 wrote to memory of 1176	2960	eaf0ce2952eeefd83801294d40c16cdaf19ef02c6cc7e75e6d1c7712506dca96N.exe	97
PID 2960 wrote to memory of 1176	2960	eaf0ce2952eeefd83801294d40c16cdaf19ef02c6cc7e75e6d1c7712506dca96N.exe	97
PID 2960 wrote to memory of 1176	2960	eaf0ce2952eeefd83801294d40c16cdaf19ef02c6cc7e75e6d1c7712506dca96N.exe	97
PID 2960 wrote to memory of 1176	2960	eaf0ce2952eeefd83801294d40c16cdaf19ef02c6cc7e75e6d1c7712506dca96N.exe	97
PID 2960 wrote to memory of 1176	2960	eaf0ce2952eeefd83801294d40c16cdaf19ef02c6cc7e75e6d1c7712506dca96N.exe	97
PID 2960 wrote to memory of 1176	2960	eaf0ce2952eeefd83801294d40c16cdaf19ef02c6cc7e75e6d1c7712506dca96N.exe	97
PID 2960 wrote to memory of 1176	2960	eaf0ce2952eeefd83801294d40c16cdaf19ef02c6cc7e75e6d1c7712506dca96N.exe	97
PID 2960 wrote to memory of 1176	2960	eaf0ce2952eeefd83801294d40c16cdaf19ef02c6cc7e75e6d1c7712506dca96N.exe	97
PID 1380 wrote to memory of 2032	1380	eaf0ce2952eeefd83801294d40c16cdaf19ef02c6cc7e75e6d1c7712506dca96N.exe	99
PID 1380 wrote to memory of 2032	1380	eaf0ce2952eeefd83801294d40c16cdaf19ef02c6cc7e75e6d1c7712506dca96N.exe	99
PID 1380 wrote to memory of 3296	1380	eaf0ce2952eeefd83801294d40c16cdaf19ef02c6cc7e75e6d1c7712506dca96N.exe	101
PID 1380 wrote to memory of 3296	1380	eaf0ce2952eeefd83801294d40c16cdaf19ef02c6cc7e75e6d1c7712506dca96N.exe	101
PID 1380 wrote to memory of 3296	1380	eaf0ce2952eeefd83801294d40c16cdaf19ef02c6cc7e75e6d1c7712506dca96N.exe	101
PID 1380 wrote to memory of 3296	1380	eaf0ce2952eeefd83801294d40c16cdaf19ef02c6cc7e75e6d1c7712506dca96N.exe	101
PID 1380 wrote to memory of 3296	1380	eaf0ce2952eeefd83801294d40c16cdaf19ef02c6cc7e75e6d1c7712506dca96N.exe	101
PID 1380 wrote to memory of 3296	1380	eaf0ce2952eeefd83801294d40c16cdaf19ef02c6cc7e75e6d1c7712506dca96N.exe	101
PID 1380 wrote to memory of 3296	1380	eaf0ce2952eeefd83801294d40c16cdaf19ef02c6cc7e75e6d1c7712506dca96N.exe	101
PID 1380 wrote to memory of 3296	1380	eaf0ce2952eeefd83801294d40c16cdaf19ef02c6cc7e75e6d1c7712506dca96N.exe	101

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\eaf0ce2952eeefd83801294d40c16cdaf19ef02c6cc7e75e6d1c7712506dca96N.exe
"C:\Users\Admin\AppData\Local\Temp\eaf0ce2952eeefd83801294d40c16cdaf19ef02c6cc7e75e6d1c7712506dca96N.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:512
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /rl highest /tn "eaf0ce2952eeefd83801294d40c16cdaf19ef02c6cc7e75e6d1c7712506dca96N" /tr "C:\ProgramData\eaf0ce2952eeefd83801294d40c16cdaf19ef02c6cc7e75e6d1c7712506dca96N.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3664
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:2212

C:\ProgramData\eaf0ce2952eeefd83801294d40c16cdaf19ef02c6cc7e75e6d1c7712506dca96N.exe
C:\ProgramData\eaf0ce2952eeefd83801294d40c16cdaf19ef02c6cc7e75e6d1c7712506dca96N.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2960
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /rl highest /tn "eaf0ce2952eeefd83801294d40c16cdaf19ef02c6cc7e75e6d1c7712506dca96N" /tr "C:\ProgramData\eaf0ce2952eeefd83801294d40c16cdaf19ef02c6cc7e75e6d1c7712506dca96N.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1432
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1176

C:\ProgramData\eaf0ce2952eeefd83801294d40c16cdaf19ef02c6cc7e75e6d1c7712506dca96N.exe
C:\ProgramData\eaf0ce2952eeefd83801294d40c16cdaf19ef02c6cc7e75e6d1c7712506dca96N.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1380
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /rl highest /tn "eaf0ce2952eeefd83801294d40c16cdaf19ef02c6cc7e75e6d1c7712506dca96N" /tr "C:\ProgramData\eaf0ce2952eeefd83801294d40c16cdaf19ef02c6cc7e75e6d1c7712506dca96N.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2032
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\eaf0ce2952eeefd83801294d40c16cdaf19ef02c6cc7e75e6d1c7712506dca96N.exe

Filesize
40KB

MD5
b9dc64873f89fdd117a3d009ed7173f0

SHA1
04ceb5aff8161fadbc4998e1100c02cb291e689e

SHA256
eaf0ce2952eeefd83801294d40c16cdaf19ef02c6cc7e75e6d1c7712506dca96

SHA512
85ff98648dd389904ae03687fa6c40a891d5156697e2fb4f351b68906c8b07c9ed141f460ee32c20a4f7e7c9e038f4ffca2c23bdb4288313c4cb65ffe55bacab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\eaf0ce2952eeefd83801294d40c16cdaf19ef02c6cc7e75e6d1c7712506dca96N.exe.log

Filesize
862B

MD5
fed7b5f63e32f0db8ec8d665d5fd1c6e

SHA1
2d8782df90b28b75a69e8ed78af035e33071ed3c

SHA256
59964b2f325a77285fd0c186fda9454654e666ad7a976997aa7ca168af3c42a3

SHA512
6c958e810c632d8f6d2450d0fb3baedb19d2a2ad89eceaf3133aee6e464d589b319ef6bb27baf30f44566db59dd2162fa28c349d84ff9fddeeb1718a4af28d2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log

Filesize
1KB

MD5
14f6fe662bf38c2254ef2436b302b443

SHA1
aeffced8cf7f54bde0ca62425c3c40622502849e

SHA256
a18598afa05e33bda249b03c44b47893362cf9830567cbefef958e5cbc2c7b34

SHA512
b94d52ee359451331c184bf6d545a5d33a52511bf908ebeb648ac52ea71da628fddd174284a8c841dc729fd635eb9a12f76fdf5838794ee5d45d9a4220f53049

Download Submit
C:\Users\Admin\AppData\Local\Temp\screenshot.png

Filesize
445KB

MD5
2a03da73528a23974cceac5b131bbc56

SHA1
978c404f06a50b3b3dd5eddf45b6cf57c98617ae

SHA256
9936d1164378375d64c5dc3b33526e92a4c1815690d73b63234ba13f7bad03bd

SHA512
59ec55e2ea8352a687d207c41e2d67c8617a9d44b9b97613d49686f40bcc361c54317e54f4666c2e6144afdf54162bad2485a762148b8831206d83db742c2d73

Download Submit
memory/512-0-0x00007FFD22063000-0x00007FFD22065000-memory.dmp

Filesize
8KB

Download
memory/512-1-0x0000000000B20000-0x0000000000B30000-memory.dmp

Filesize
64KB

Download
memory/512-5-0x00007FFD22060000-0x00007FFD22B21000-memory.dmp

Filesize
10.8MB

Download
memory/512-6-0x00007FFD22060000-0x00007FFD22B21000-memory.dmp

Filesize
10.8MB

Download
memory/2212-10-0x0000000006790000-0x0000000006822000-memory.dmp

Filesize
584KB

Download
memory/2212-14-0x0000000006CB0000-0x0000000006D4C000-memory.dmp

Filesize
624KB

Download
memory/2212-15-0x0000000006F00000-0x0000000006F0A000-memory.dmp

Filesize
40KB

Download
memory/2212-16-0x00000000746EE000-0x00000000746EF000-memory.dmp

Filesize
4KB

Download
memory/2212-17-0x00000000746E0000-0x0000000074E90000-memory.dmp

Filesize
7.7MB

Download
memory/2212-9-0x00000000746E0000-0x0000000074E90000-memory.dmp

Filesize
7.7MB

Download
memory/2212-8-0x00000000054E0000-0x0000000005A84000-memory.dmp

Filesize
5.6MB

Download
memory/2212-7-0x00000000746EE000-0x00000000746EF000-memory.dmp

Filesize
4KB

Download
memory/2212-3-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads