njrat | c244bb2feb841188f383f4f5c0c2f5b6544808168f2f2ceaadf3eaefeeecd669

General

Target

c244bb2feb841188f383f4f5c0c2f5b6544808168f2f2ceaadf3eaefeeecd669.exe
Size

63KB
MD5

77d4c97adec12a2bc31e14482231036d
SHA1

ec2082e39537ff8633585faf03a510264eb14b69
SHA256

c244bb2feb841188f383f4f5c0c2f5b6544808168f2f2ceaadf3eaefeeecd669
SHA512

90d15de3d731912c60ba38b390807063b77df75a0a0442f9072b951794b5c4217c8b7601dbf8a905bac9ea53e734015957c2c347cb7f35a9848f73179dbc3ba5
SSDEEP

1536:G3GNisbcrQ3KXyV+LKhpadsNbRPLN8GQhTUVYC3EWz:bN0r3XyamrNdPR8GcYEWz

Score

10^/10

njrat mourad discovery trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

Mourad

C2

halimoullah.no-ip.org:1234

Mutex

0e38f0c0b1d3bb006f8fbc6faf254716

Attributes

reg_key
0e38f0c0b1d3bb006f8fbc6faf254716
splitter
|'|'|

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c244bb2feb841188f383f4f5c0c2f5b6544808168f2f2ceaadf3eaefeeecd669.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2124	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2124	AcroRd32.exe
2124	AcroRd32.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2592 wrote to memory of 2540	2592	c244bb2feb841188f383f4f5c0c2f5b6544808168f2f2ceaadf3eaefeeecd669.exe	30
PID 2592 wrote to memory of 2540	2592	c244bb2feb841188f383f4f5c0c2f5b6544808168f2f2ceaadf3eaefeeecd669.exe	30
PID 2592 wrote to memory of 2540	2592	c244bb2feb841188f383f4f5c0c2f5b6544808168f2f2ceaadf3eaefeeecd669.exe	30
PID 2592 wrote to memory of 2540	2592	c244bb2feb841188f383f4f5c0c2f5b6544808168f2f2ceaadf3eaefeeecd669.exe	30
PID 2592 wrote to memory of 2540	2592	c244bb2feb841188f383f4f5c0c2f5b6544808168f2f2ceaadf3eaefeeecd669.exe	30
PID 2592 wrote to memory of 2540	2592	c244bb2feb841188f383f4f5c0c2f5b6544808168f2f2ceaadf3eaefeeecd669.exe	30
PID 2592 wrote to memory of 2540	2592	c244bb2feb841188f383f4f5c0c2f5b6544808168f2f2ceaadf3eaefeeecd669.exe	30
PID 2540 wrote to memory of 2124	2540	rundll32.exe	31
PID 2540 wrote to memory of 2124	2540	rundll32.exe	31
PID 2540 wrote to memory of 2124	2540	rundll32.exe	31
PID 2540 wrote to memory of 2124	2540	rundll32.exe	31

C:\Users\Admin\AppData\Local\Temp\c244bb2feb841188f383f4f5c0c2f5b6544808168f2f2ceaadf3eaefeeecd669.exe
"C:\Users\Admin\AppData\Local\Temp\c244bb2feb841188f383f4f5c0c2f5b6544808168f2f2ceaadf3eaefeeecd669.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2592
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Roaming\chrome.eexe
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2540
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\chrome.eexe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
ecfdf0a3e43630a9c96dcf3efebf76c1

SHA1
e8070490e7e59aa5e2f0370f386be1f2aa329dc6

SHA256
9e5288104cfe7772b04420ec5d481f4ea142ca1172c02f76c84afcddb2a197bd

SHA512
2e074c9db494ef51f705433f33115b9512830581279010d571915397f44e2e025431223d4357472bff70fbe8d16aa69533a4ca601c4336d57bfe277102d3779a

Download Submit
C:\Users\Admin\AppData\Roaming\chrome.eexe

Filesize
63KB

MD5
77d4c97adec12a2bc31e14482231036d

SHA1
ec2082e39537ff8633585faf03a510264eb14b69

SHA256
c244bb2feb841188f383f4f5c0c2f5b6544808168f2f2ceaadf3eaefeeecd669

SHA512
90d15de3d731912c60ba38b390807063b77df75a0a0442f9072b951794b5c4217c8b7601dbf8a905bac9ea53e734015957c2c347cb7f35a9848f73179dbc3ba5

Download Submit
memory/2592-0-0x0000000074A8E000-0x0000000074A8F000-memory.dmp

Filesize
4KB

Download
memory/2592-1-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2592-2-0x0000000000470000-0x000000000047A000-memory.dmp

Filesize
40KB

Download
memory/2592-3-0x00000000007B0000-0x00000000007CC000-memory.dmp

Filesize
112KB

Download
memory/2592-4-0x0000000074A80000-0x000000007516E000-memory.dmp

Filesize
6.9MB

Download
memory/2592-6-0x0000000074A80000-0x000000007516E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing