njrat | e5cf853398bcdd00fa6925a007cb7683e61d35c11ec641da44c419fd66d66dab

General

Target

ef12eb5be4046a8d70e864d3b623bb2d.exe
Size

6.6MB
MD5

ef12eb5be4046a8d70e864d3b623bb2d
SHA1

cf28f12a882cd8dfa1b280c2254013a7908d1984
SHA256

e5cf853398bcdd00fa6925a007cb7683e61d35c11ec641da44c419fd66d66dab
SHA512

89c7b5eb7170c58d80b893cbe4e65556f6b8a640321fe390c8c3acd13e2ae786ea9462a6b1db8342fbc107e1575a7dd84051f2aefd6baf94be360bf818d68d4d
SSDEEP

196608:fGiGxbAQ5owejuJDUX47dwdW0LBTYPERR:+xCaUX47d4xZ

Score

10^/10

njrat -defense_evasion discovery persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

-

C2

5.tcp.eu.ngrok.io:15938

Mutex

76f76913a3057d2193e27e6377b7ae49

Attributes

reg_key
76f76913a3057d2193e27e6377b7ae49
splitter
|'|'|

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 2 TTPs 1 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2200	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	INST.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\76f76913a3057d2193e27e6377b7ae49.exe	Discord.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\76f76913a3057d2193e27e6377b7ae49.exe	Discord.exe

Executes dropped EXE 2 IoCs

pid	Process
1500	INST.exe
1496	Discord.exe

Loads dropped DLL 2 IoCs

pid	Process
2120	ef12eb5be4046a8d70e864d3b623bb2d.exe
2120	ef12eb5be4046a8d70e864d3b623bb2d.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\76f76913a3057d2193e27e6377b7ae49 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Discord.exe\" .."	Discord.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\76f76913a3057d2193e27e6377b7ae49 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Discord.exe\" .."	Discord.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
87	5.tcp.eu.ngrok.io
22	5.tcp.eu.ngrok.io
54	5.tcp.eu.ngrok.io
69	5.tcp.eu.ngrok.io

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	INST.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Discord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: SeDebugPrivilege	1496	Discord.exe
Token: 33	1496	Discord.exe
Token: SeIncBasePriorityPrivilege	1496	Discord.exe
Token: 33	1496	Discord.exe
Token: SeIncBasePriorityPrivilege	1496	Discord.exe
Token: 33	1496	Discord.exe
Token: SeIncBasePriorityPrivilege	1496	Discord.exe
Token: 33	1496	Discord.exe
Token: SeIncBasePriorityPrivilege	1496	Discord.exe
Token: 33	1496	Discord.exe
Token: SeIncBasePriorityPrivilege	1496	Discord.exe
Token: 33	1496	Discord.exe
Token: SeIncBasePriorityPrivilege	1496	Discord.exe
Token: 33	1496	Discord.exe
Token: SeIncBasePriorityPrivilege	1496	Discord.exe
Token: 33	1496	Discord.exe
Token: SeIncBasePriorityPrivilege	1496	Discord.exe
Token: 33	1496	Discord.exe
Token: SeIncBasePriorityPrivilege	1496	Discord.exe
Token: 33	1496	Discord.exe
Token: SeIncBasePriorityPrivilege	1496	Discord.exe
Token: 33	1496	Discord.exe
Token: SeIncBasePriorityPrivilege	1496	Discord.exe
Token: 33	1496	Discord.exe
Token: SeIncBasePriorityPrivilege	1496	Discord.exe
Token: 33	1496	Discord.exe
Token: SeIncBasePriorityPrivilege	1496	Discord.exe
Token: 33	1496	Discord.exe
Token: SeIncBasePriorityPrivilege	1496	Discord.exe
Token: 33	1496	Discord.exe
Token: SeIncBasePriorityPrivilege	1496	Discord.exe
Token: 33	1496	Discord.exe
Token: SeIncBasePriorityPrivilege	1496	Discord.exe
Token: 33	1496	Discord.exe
Token: SeIncBasePriorityPrivilege	1496	Discord.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2832 wrote to memory of 2120	2832	ef12eb5be4046a8d70e864d3b623bb2d.exe	83
PID 2832 wrote to memory of 2120	2832	ef12eb5be4046a8d70e864d3b623bb2d.exe	83
PID 2120 wrote to memory of 3684	2120	ef12eb5be4046a8d70e864d3b623bb2d.exe	84
PID 2120 wrote to memory of 3684	2120	ef12eb5be4046a8d70e864d3b623bb2d.exe	84
PID 2120 wrote to memory of 4284	2120	ef12eb5be4046a8d70e864d3b623bb2d.exe	85
PID 2120 wrote to memory of 4284	2120	ef12eb5be4046a8d70e864d3b623bb2d.exe	85
PID 4284 wrote to memory of 1500	4284	cmd.exe	86
PID 4284 wrote to memory of 1500	4284	cmd.exe	86
PID 4284 wrote to memory of 1500	4284	cmd.exe	86
PID 1500 wrote to memory of 1496	1500	INST.exe	90
PID 1500 wrote to memory of 1496	1500	INST.exe	90
PID 1500 wrote to memory of 1496	1500	INST.exe	90
PID 1496 wrote to memory of 2200	1496	Discord.exe	95
PID 1496 wrote to memory of 2200	1496	Discord.exe	95
PID 1496 wrote to memory of 2200	1496	Discord.exe	95

C:\Users\Admin\AppData\Local\Temp\ef12eb5be4046a8d70e864d3b623bb2d.exe
"C:\Users\Admin\AppData\Local\Temp\ef12eb5be4046a8d70e864d3b623bb2d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2832
- C:\Users\Admin\AppData\Local\Temp\ef12eb5be4046a8d70e864d3b623bb2d.exe
  "C:\Users\Admin\AppData\Local\Temp\ef12eb5be4046a8d70e864d3b623bb2d.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2120
- - C:\Windows\SYSTEM32\cmd.exe
    cmd /c echo %temp%
    3⤵
    PID:3684
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\INST.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4284
  - - C:\Users\Admin\AppData\Local\Temp\INST.exe
      C:\Users\Admin\AppData\Local\Temp\INST.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1500
    - - C:\Users\Admin\AppData\Roaming\Discord.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.exe"
        5⤵
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1496
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Discord.exe" "Discord.exe" ENABLE
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:2200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\INST.exe

Filesize
37KB

MD5
e15f1ae07241a0e093f2fc79dc218011

SHA1
78ca680266cdc6ebdf880be1a495ec551921320f

SHA256
f88d09ebfce239bf3bcc4aaf30da363d3ae1fe938a7877af241884f63385c3aa

SHA512
f6ca9c285ac1071e721478fa21a1ec128117bad47b6e7daa3703223de2b582391c42ba83b8ed2a906470307eda70f6657055f6d153dacebfc89df5bc47604cdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28322\VCRUNTIME140.dll

Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28322\base_library.zip

Filesize
1.7MB

MD5
948430bbba768d83a37fc725d7d31fbb

SHA1
e00d912fe85156f61fd8cd109d840d2d69b9629b

SHA256
65ebc074b147d65841a467a49f30a5f2f54659a0cc5dc31411467263a37c02df

SHA512
aad73403964228ed690ce3c5383e672b76690f776d4ff38792544c67e6d7b54eb56dd6653f4a89f7954752dae78ca35f738e000ffff07fdfb8ef2af708643186

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28322\python311.dll

Filesize
5.5MB

MD5
1fe47c83669491bf38a949253d7d960f

SHA1
de5cc181c0e26cbcb31309fe00d9f2f5264d2b25

SHA256
0a9f2c98f36ba8974a944127b5b7e90e638010e472f2eb6598fc55b1bda9e7ae

SHA512
05cc6f00db128fbca02a14f60f86c049855f429013f65d91e14ea292d468bf9bfdeebc00ec2d54a9fb5715743a57ae3ab48a95037016240c02aabe4bfa1a2ff4

Download Submit
memory/1496-35-0x00000000745F0000-0x0000000074BA1000-memory.dmp

Filesize
5.7MB

Download
memory/1496-36-0x00000000745F0000-0x0000000074BA1000-memory.dmp

Filesize
5.7MB

Download
memory/1496-48-0x00000000745F0000-0x0000000074BA1000-memory.dmp

Filesize
5.7MB

Download
memory/1500-22-0x00000000745F2000-0x00000000745F3000-memory.dmp

Filesize
4KB

Download
memory/1500-23-0x00000000745F0000-0x0000000074BA1000-memory.dmp

Filesize
5.7MB

Download
memory/1500-24-0x00000000745F0000-0x0000000074BA1000-memory.dmp

Filesize
5.7MB

Download
memory/1500-34-0x00000000745F0000-0x0000000074BA1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads