njrat | 138c8efb54944bf084d2a0e607593a84e0933f8fcd251713a37c49e175cec74e

General

Target

138c8efb54944bf084d2a0e607593a84e0933f8fcd251713a37c49e175cec74e.exe
Size

1.1MB
MD5

1f15727756acb812463a6030194dd0a5
SHA1

50f2654ebcc03db57fa562d163fde15a472ff6cb
SHA256

138c8efb54944bf084d2a0e607593a84e0933f8fcd251713a37c49e175cec74e
SHA512

85de789a6a1784a52a739a21e3cd1350242de0630c26d04978bc6b8be760fc7dd4d0775d3503169410d4b5e1882c69d7fa3ce8dc9111e36148e3c9ac8147ec89
SSDEEP

24576:tf30T0Ai5fKiCsfs4UjZgjRqu+I9M14VBUR:13Pof1KquTPVBU

Score

10^/10

njrat hacked trojan

Malware Config

Extracted

Family

njrat

Version

Hallaj PRO Rat [Fixed]

Botnet

HacKed

C2

rapist.ddns.net:444

Mutex

8f2448f1f018757367d8a7d97c8d877e

Attributes

reg_key
8f2448f1f018757367d8a7d97c8d877e
splitter
boolLove

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

.NET Reactor proctector 1 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral1/files/0x0003000000018334-4.dat	net_reactor

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8f2448f1f018757367d8a7d97c8d877e.exe	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8f2448f1f018757367d8a7d97c8d877e.exe	svchost.exe

Executes dropped EXE 2 IoCs

pid	Process
2700	LocalCcNggpJtFV.exe
1620	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 31 IoCs

description	pid	Process
Token: SeDebugPrivilege	1620	svchost.exe
Token: 33	1620	svchost.exe
Token: SeIncBasePriorityPrivilege	1620	svchost.exe
Token: 33	1620	svchost.exe
Token: SeIncBasePriorityPrivilege	1620	svchost.exe
Token: 33	1620	svchost.exe
Token: SeIncBasePriorityPrivilege	1620	svchost.exe
Token: 33	1620	svchost.exe
Token: SeIncBasePriorityPrivilege	1620	svchost.exe
Token: 33	1620	svchost.exe
Token: SeIncBasePriorityPrivilege	1620	svchost.exe
Token: 33	1620	svchost.exe
Token: SeIncBasePriorityPrivilege	1620	svchost.exe
Token: 33	1620	svchost.exe
Token: SeIncBasePriorityPrivilege	1620	svchost.exe
Token: 33	1620	svchost.exe
Token: SeIncBasePriorityPrivilege	1620	svchost.exe
Token: 33	1620	svchost.exe
Token: SeIncBasePriorityPrivilege	1620	svchost.exe
Token: 33	1620	svchost.exe
Token: SeIncBasePriorityPrivilege	1620	svchost.exe
Token: 33	1620	svchost.exe
Token: SeIncBasePriorityPrivilege	1620	svchost.exe
Token: 33	1620	svchost.exe
Token: SeIncBasePriorityPrivilege	1620	svchost.exe
Token: 33	1620	svchost.exe
Token: SeIncBasePriorityPrivilege	1620	svchost.exe
Token: 33	1620	svchost.exe
Token: SeIncBasePriorityPrivilege	1620	svchost.exe
Token: 33	1620	svchost.exe
Token: SeIncBasePriorityPrivilege	1620	svchost.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2536 wrote to memory of 2700	2536	138c8efb54944bf084d2a0e607593a84e0933f8fcd251713a37c49e175cec74e.exe	30
PID 2536 wrote to memory of 2700	2536	138c8efb54944bf084d2a0e607593a84e0933f8fcd251713a37c49e175cec74e.exe	30
PID 2536 wrote to memory of 2700	2536	138c8efb54944bf084d2a0e607593a84e0933f8fcd251713a37c49e175cec74e.exe	30
PID 2700 wrote to memory of 1620	2700	LocalCcNggpJtFV.exe	32
PID 2700 wrote to memory of 1620	2700	LocalCcNggpJtFV.exe	32
PID 2700 wrote to memory of 1620	2700	LocalCcNggpJtFV.exe	32

C:\Users\Admin\AppData\Local\Temp\138c8efb54944bf084d2a0e607593a84e0933f8fcd251713a37c49e175cec74e.exe
"C:\Users\Admin\AppData\Local\Temp\138c8efb54944bf084d2a0e607593a84e0933f8fcd251713a37c49e175cec74e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2536
- C:\Users\Admin\AppData\LocalCcNggpJtFV.exe
  "C:\Users\Admin\AppData\LocalCcNggpJtFV.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalCcNggpJtFV.exe

Filesize
896KB

MD5
e8f1afd74f49f59ff6d9633172246901

SHA1
7e1a3b1988ab7bb01dedea5dd722415fd658a2f1

SHA256
3c129c881f3a3c7db39874c2ddc927300910b262e895b8c6195fbe6f24569bee

SHA512
856363200dc15170cd81c0327f3f4eea4c9b327730ba7a76f56182d43dc973b0dacb8908be019f95f34eb2306ac2a125ef2387aa784ed9c5cdd3099184becf0c

Download Submit
memory/2536-10-0x000007FEF5640000-0x000007FEF5FDD000-memory.dmp

Filesize
9.6MB

Download
memory/2536-7-0x000000001AF60000-0x000000001AF70000-memory.dmp

Filesize
64KB

Download
memory/2536-8-0x000007FEF5640000-0x000007FEF5FDD000-memory.dmp

Filesize
9.6MB

Download
memory/2536-0-0x000007FEF58FE000-0x000007FEF58FF000-memory.dmp

Filesize
4KB

Download
memory/2700-11-0x00000000004C0000-0x00000000004CC000-memory.dmp

Filesize
48KB

Download
memory/2700-9-0x000007FEF5640000-0x000007FEF5FDD000-memory.dmp

Filesize
9.6MB

Download
memory/2700-12-0x000007FEF5640000-0x000007FEF5FDD000-memory.dmp

Filesize
9.6MB

Download
memory/2700-13-0x00000000004B0000-0x00000000004BC000-memory.dmp

Filesize
48KB

Download
memory/2700-14-0x000007FEF5640000-0x000007FEF5FDD000-memory.dmp

Filesize
9.6MB

Download
memory/2700-15-0x0000000000490000-0x000000000049C000-memory.dmp

Filesize
48KB

Download
memory/2700-16-0x000007FEF5640000-0x000007FEF5FDD000-memory.dmp

Filesize
9.6MB

Download
memory/2700-22-0x000007FEF5640000-0x000007FEF5FDD000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing