njrat | 3eeedb97ac9a8cc70f5ce4de874670603c11518250ffb3e1e5e9f485b8de640f

General

Target

Payload.exe
Size

55KB
MD5

0aa0d54c852edc70645d3283c38d4248
SHA1

90e62a41ac7f38e8d4cfca9bee412f6f155a2ce5
SHA256

3eeedb97ac9a8cc70f5ce4de874670603c11518250ffb3e1e5e9f485b8de640f
SHA512

b2994209bdca0f3899470b11374ad674d8f34454406d1b55946fc092543852c60fcafdd2eacde85030953a875da8172c3f6ece0efcbdbda1aea8d0e7267bfbad
SSDEEP

1536:kqBLcDnCN6FikSJDOwsNMD2XExI3pmTm:xcDn7MBJDOwsNMD2XExI3pm

Score

10^/10

njrat victim discovery persistence trojan

Malware Config

Extracted

Family

njrat

Version

<- NjRAT 0.7d Horror Edition ->

Botnet

Victim

C2

fat-pads.gl.at.ply.gg:35059

Mutex

e564aa028dc627deeaa119b78ed54d5e

Attributes

reg_key
e564aa028dc627deeaa119b78ed54d5e
splitter
Y262SUCZ4UJJ

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e564aa028dc627deeaa119b78ed54d5e.exe	dllhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e564aa028dc627deeaa119b78ed54d5e.exe	dllhost.exe

Executes dropped EXE 1 IoCs

pid	Process
2900	dllhost.exe

Loads dropped DLL 1 IoCs

pid	Process
2888	Payload.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\e564aa028dc627deeaa119b78ed54d5e = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\dllhost.exe\" .."	dllhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\e564aa028dc627deeaa119b78ed54d5e = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\dllhost.exe\" .."	dllhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Payload.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllhost.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: SeDebugPrivilege	2900	dllhost.exe
Token: 33	2900	dllhost.exe
Token: SeIncBasePriorityPrivilege	2900	dllhost.exe
Token: 33	2900	dllhost.exe
Token: SeIncBasePriorityPrivilege	2900	dllhost.exe
Token: 33	2900	dllhost.exe
Token: SeIncBasePriorityPrivilege	2900	dllhost.exe
Token: 33	2900	dllhost.exe
Token: SeIncBasePriorityPrivilege	2900	dllhost.exe
Token: 33	2900	dllhost.exe
Token: SeIncBasePriorityPrivilege	2900	dllhost.exe
Token: 33	2900	dllhost.exe
Token: SeIncBasePriorityPrivilege	2900	dllhost.exe
Token: 33	2900	dllhost.exe
Token: SeIncBasePriorityPrivilege	2900	dllhost.exe
Token: 33	2900	dllhost.exe
Token: SeIncBasePriorityPrivilege	2900	dllhost.exe
Token: 33	2900	dllhost.exe
Token: SeIncBasePriorityPrivilege	2900	dllhost.exe
Token: 33	2900	dllhost.exe
Token: SeIncBasePriorityPrivilege	2900	dllhost.exe
Token: 33	2900	dllhost.exe
Token: SeIncBasePriorityPrivilege	2900	dllhost.exe
Token: 33	2900	dllhost.exe
Token: SeIncBasePriorityPrivilege	2900	dllhost.exe
Token: 33	2900	dllhost.exe
Token: SeIncBasePriorityPrivilege	2900	dllhost.exe
Token: 33	2900	dllhost.exe
Token: SeIncBasePriorityPrivilege	2900	dllhost.exe
Token: 33	2900	dllhost.exe
Token: SeIncBasePriorityPrivilege	2900	dllhost.exe
Token: 33	2900	dllhost.exe
Token: SeIncBasePriorityPrivilege	2900	dllhost.exe
Token: 33	2900	dllhost.exe
Token: SeIncBasePriorityPrivilege	2900	dllhost.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2888 wrote to memory of 2900	2888	Payload.exe	30
PID 2888 wrote to memory of 2900	2888	Payload.exe	30
PID 2888 wrote to memory of 2900	2888	Payload.exe	30
PID 2888 wrote to memory of 2900	2888	Payload.exe	30

C:\Users\Admin\AppData\Local\Temp\Payload.exe
"C:\Users\Admin\AppData\Local\Temp\Payload.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2888
- C:\Users\Admin\AppData\Local\Temp\dllhost.exe
  "C:\Users\Admin\AppData\Local\Temp\dllhost.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\dllhost.exe

Filesize
55KB

MD5
0aa0d54c852edc70645d3283c38d4248

SHA1
90e62a41ac7f38e8d4cfca9bee412f6f155a2ce5

SHA256
3eeedb97ac9a8cc70f5ce4de874670603c11518250ffb3e1e5e9f485b8de640f

SHA512
b2994209bdca0f3899470b11374ad674d8f34454406d1b55946fc092543852c60fcafdd2eacde85030953a875da8172c3f6ece0efcbdbda1aea8d0e7267bfbad

Download Submit
memory/2888-0-0x0000000073F01000-0x0000000073F02000-memory.dmp

Filesize
4KB

Download
memory/2888-1-0x0000000073F00000-0x00000000744AB000-memory.dmp

Filesize
5.7MB

Download
memory/2888-2-0x0000000073F00000-0x00000000744AB000-memory.dmp

Filesize
5.7MB

Download
memory/2888-11-0x0000000073F00000-0x00000000744AB000-memory.dmp

Filesize
5.7MB

Download
memory/2888-10-0x0000000073F00000-0x00000000744AB000-memory.dmp

Filesize
5.7MB

Download
memory/2900-12-0x0000000073F00000-0x00000000744AB000-memory.dmp

Filesize
5.7MB

Download
memory/2900-14-0x0000000073F00000-0x00000000744AB000-memory.dmp

Filesize
5.7MB

Download
memory/2900-15-0x0000000073F00000-0x00000000744AB000-memory.dmp

Filesize
5.7MB

Download
memory/2900-16-0x0000000073F00000-0x00000000744AB000-memory.dmp

Filesize
5.7MB

Download
memory/2900-17-0x0000000073F00000-0x00000000744AB000-memory.dmp

Filesize
5.7MB

Download
memory/2900-18-0x0000000073F00000-0x00000000744AB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads