njrat | 83d1fdd6869066e5137c1e6143a643be25ef6339a4e4ef470ffe7678d75d4dbf

General

Target

448C39E12BBE57810E98D6628625B536.exe
Size

509KB
MD5

448c39e12bbe57810e98d6628625b536
SHA1

30d35d936577e137738f96bea180cf966d19964d
SHA256

83d1fdd6869066e5137c1e6143a643be25ef6339a4e4ef470ffe7678d75d4dbf
SHA512

463ecd73d9e2ad0088f8e12c111b77f9b6642e22184dfc87269b21c70fb68400072745d0c21d9ddfb4df82b30aea6941b3674f3dc4cf9a389399a7b4160e470f
SSDEEP

12288:FmsKpkF55OHTDPnDlJmzd4vYHD1s54xhn+KyGvXK06etO:FBFXOPDlJs2vYH+Y2GvXNF

Score

10^/10

njrat skype discovery execution trojan

Malware Config

Extracted

Family

njrat

Version

v4.0

Botnet

skype

C2

178.215.224.223:1985

Mutex

Windows

Attributes

reg_key
Windows
splitter
|-F-|

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2480	powershell.exe
2932	powershell.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	448C39E12BBE57810E98D6628625B536.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 848 set thread context of 2712	848	448C39E12BBE57810E98D6628625B536.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	448C39E12BBE57810E98D6628625B536.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	448C39E12BBE57810E98D6628625B536.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2952	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2932	powershell.exe
2480	powershell.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeDebugPrivilege	2932	powershell.exe
Token: SeDebugPrivilege	2480	powershell.exe
Token: SeDebugPrivilege	2712	448C39E12BBE57810E98D6628625B536.exe
Token: 33	2712	448C39E12BBE57810E98D6628625B536.exe
Token: SeIncBasePriorityPrivilege	2712	448C39E12BBE57810E98D6628625B536.exe
Token: 33	2712	448C39E12BBE57810E98D6628625B536.exe
Token: SeIncBasePriorityPrivilege	2712	448C39E12BBE57810E98D6628625B536.exe
Token: 33	2712	448C39E12BBE57810E98D6628625B536.exe
Token: SeIncBasePriorityPrivilege	2712	448C39E12BBE57810E98D6628625B536.exe
Token: 33	2712	448C39E12BBE57810E98D6628625B536.exe
Token: SeIncBasePriorityPrivilege	2712	448C39E12BBE57810E98D6628625B536.exe
Token: 33	2712	448C39E12BBE57810E98D6628625B536.exe
Token: SeIncBasePriorityPrivilege	2712	448C39E12BBE57810E98D6628625B536.exe
Token: 33	2712	448C39E12BBE57810E98D6628625B536.exe
Token: SeIncBasePriorityPrivilege	2712	448C39E12BBE57810E98D6628625B536.exe
Token: 33	2712	448C39E12BBE57810E98D6628625B536.exe
Token: SeIncBasePriorityPrivilege	2712	448C39E12BBE57810E98D6628625B536.exe
Token: 33	2712	448C39E12BBE57810E98D6628625B536.exe
Token: SeIncBasePriorityPrivilege	2712	448C39E12BBE57810E98D6628625B536.exe
Token: 33	2712	448C39E12BBE57810E98D6628625B536.exe
Token: SeIncBasePriorityPrivilege	2712	448C39E12BBE57810E98D6628625B536.exe
Token: 33	2712	448C39E12BBE57810E98D6628625B536.exe
Token: SeIncBasePriorityPrivilege	2712	448C39E12BBE57810E98D6628625B536.exe
Token: 33	2712	448C39E12BBE57810E98D6628625B536.exe
Token: SeIncBasePriorityPrivilege	2712	448C39E12BBE57810E98D6628625B536.exe
Token: 33	2712	448C39E12BBE57810E98D6628625B536.exe
Token: SeIncBasePriorityPrivilege	2712	448C39E12BBE57810E98D6628625B536.exe
Token: 33	2712	448C39E12BBE57810E98D6628625B536.exe
Token: SeIncBasePriorityPrivilege	2712	448C39E12BBE57810E98D6628625B536.exe
Token: 33	2712	448C39E12BBE57810E98D6628625B536.exe
Token: SeIncBasePriorityPrivilege	2712	448C39E12BBE57810E98D6628625B536.exe
Token: 33	2712	448C39E12BBE57810E98D6628625B536.exe
Token: SeIncBasePriorityPrivilege	2712	448C39E12BBE57810E98D6628625B536.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 848 wrote to memory of 2480	848	448C39E12BBE57810E98D6628625B536.exe	28
PID 848 wrote to memory of 2480	848	448C39E12BBE57810E98D6628625B536.exe	28
PID 848 wrote to memory of 2480	848	448C39E12BBE57810E98D6628625B536.exe	28
PID 848 wrote to memory of 2480	848	448C39E12BBE57810E98D6628625B536.exe	28
PID 848 wrote to memory of 2932	848	448C39E12BBE57810E98D6628625B536.exe	30
PID 848 wrote to memory of 2932	848	448C39E12BBE57810E98D6628625B536.exe	30
PID 848 wrote to memory of 2932	848	448C39E12BBE57810E98D6628625B536.exe	30
PID 848 wrote to memory of 2932	848	448C39E12BBE57810E98D6628625B536.exe	30
PID 848 wrote to memory of 2952	848	448C39E12BBE57810E98D6628625B536.exe	31
PID 848 wrote to memory of 2952	848	448C39E12BBE57810E98D6628625B536.exe	31
PID 848 wrote to memory of 2952	848	448C39E12BBE57810E98D6628625B536.exe	31
PID 848 wrote to memory of 2952	848	448C39E12BBE57810E98D6628625B536.exe	31
PID 848 wrote to memory of 2712	848	448C39E12BBE57810E98D6628625B536.exe	34
PID 848 wrote to memory of 2712	848	448C39E12BBE57810E98D6628625B536.exe	34
PID 848 wrote to memory of 2712	848	448C39E12BBE57810E98D6628625B536.exe	34
PID 848 wrote to memory of 2712	848	448C39E12BBE57810E98D6628625B536.exe	34
PID 848 wrote to memory of 2712	848	448C39E12BBE57810E98D6628625B536.exe	34
PID 848 wrote to memory of 2712	848	448C39E12BBE57810E98D6628625B536.exe	34
PID 848 wrote to memory of 2712	848	448C39E12BBE57810E98D6628625B536.exe	34
PID 848 wrote to memory of 2712	848	448C39E12BBE57810E98D6628625B536.exe	34
PID 848 wrote to memory of 2712	848	448C39E12BBE57810E98D6628625B536.exe	34

C:\Users\Admin\AppData\Local\Temp\448C39E12BBE57810E98D6628625B536.exe
"C:\Users\Admin\AppData\Local\Temp\448C39E12BBE57810E98D6628625B536.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:848
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\448C39E12BBE57810E98D6628625B536.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2480
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\sVNDJNRP.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2932
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sVNDJNRP" /XML "C:\Users\Admin\AppData\Local\Temp\tmp205C.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2952
- C:\Users\Admin\AppData\Local\Temp\448C39E12BBE57810E98D6628625B536.exe
  "C:\Users\Admin\AppData\Local\Temp\448C39E12BBE57810E98D6628625B536.exe"
  2⤵
  - Drops startup file
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp205C.tmp

Filesize
1KB

MD5
2a55880e29c40d16e62a894c270b7c08

SHA1
5d6179e7acd13a4e5108fea17ba22bc94eee6867

SHA256
2b27e77828e6940c578bd1323a63f877fd49cc8e61b675cd2de1f495d6431324

SHA512
0bbcc2d9556e84eeac6349de432c0f7e05e4ad2111f8f45b809c981efc87793a37b44fcadfac6ae6e0db9d9a3b3a9a308edc33b8bc0b1f7b11712cd9e8c82d97

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
bc62eef18b8ca0262883c901163fe4bf

SHA1
ace7fecb75fe011638f723545d21bc9db310a732

SHA256
cb6c971de6d08aeed7fed2039ebd86b94b5dec2efc27cad740793218281b5857

SHA512
7536cd16959fdc36cddb381e8f8b92cb9065d8437f0166ecaedeb7c2a735e0d0bb23dc27af9c2451cac8faf5e18fe679284459a112569b053ecbeca3121968a5

Download Submit
memory/848-4-0x00000000746EE000-0x00000000746EF000-memory.dmp

Filesize
4KB

Download
memory/848-31-0x00000000746E0000-0x0000000074DCE000-memory.dmp

Filesize
6.9MB

Download
memory/848-0-0x00000000746EE000-0x00000000746EF000-memory.dmp

Filesize
4KB

Download
memory/848-5-0x00000000746E0000-0x0000000074DCE000-memory.dmp

Filesize
6.9MB

Download
memory/848-6-0x0000000004700000-0x0000000004752000-memory.dmp

Filesize
328KB

Download
memory/848-2-0x00000000746E0000-0x0000000074DCE000-memory.dmp

Filesize
6.9MB

Download
memory/848-1-0x00000000000F0000-0x0000000000174000-memory.dmp

Filesize
528KB

Download
memory/848-3-0x0000000000910000-0x0000000000928000-memory.dmp

Filesize
96KB

Download
memory/2712-19-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2712-30-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2712-29-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2712-28-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2712-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2712-25-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2712-23-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2712-21-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads