njrat | 4314ab3773ddf65e9a290d0889bb09d57fb4968ca49522453e5c9b92ef32f40b

General

Target

4314ab3773ddf65e9a290d0889bb09d57fb4968ca49522453e5c9b92ef32f40b.exe
Size

564KB
MD5

c709aa33c0165cebde24123555769a7a
SHA1

ad4813cd0461fbdbc7265dc7880e22978ffc7b54
SHA256

4314ab3773ddf65e9a290d0889bb09d57fb4968ca49522453e5c9b92ef32f40b
SHA512

ccd0ffc52ed12a4f2e74a0aef982dbd67b271412102e2373e07f24142560e0a0006d60166b1ba789bbb8745067c2d50e3e822f3355bdff2c52d22444151ab7eb
SSDEEP

12288:6yB0aI78IV40HioBu3yCeOr0rS6KsXr7ieWCU:BB07EyCTr0rFf7aC

Score

10^/10

njrat hacked defense_evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

cpanel.hackcrack.io:2222

Mutex

Windows Explorer

Attributes

reg_key
Windows Explorer
splitter
|'|'|

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 2 TTPs 1 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2020	netsh.exe

Executes dropped EXE 6 IoCs

pid	Process
2568	Setup.exe
2548	Setup.exe
1664	Mullvad.Checker .exe
2828	svchost.exe
1864	explorer.exe
2984	explorer.exe

Loads dropped DLL 2 IoCs

pid	Process
1056	4314ab3773ddf65e9a290d0889bb09d57fb4968ca49522453e5c9b92ef32f40b.exe
2852	Process not Found

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Explorer = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe\" ."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Corporation Security = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\svchost.exe"	Setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Corporation Security = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\svchost.exe"	Setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Explorer = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe\" ."	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeDebugPrivilege	2984	explorer.exe
Token: 33	2984	explorer.exe
Token: SeIncBasePriorityPrivilege	2984	explorer.exe
Token: 33	2984	explorer.exe
Token: SeIncBasePriorityPrivilege	2984	explorer.exe
Token: 33	2984	explorer.exe
Token: SeIncBasePriorityPrivilege	2984	explorer.exe
Token: 33	2984	explorer.exe
Token: SeIncBasePriorityPrivilege	2984	explorer.exe
Token: 33	2984	explorer.exe
Token: SeIncBasePriorityPrivilege	2984	explorer.exe
Token: 33	2984	explorer.exe
Token: SeIncBasePriorityPrivilege	2984	explorer.exe
Token: 33	2984	explorer.exe
Token: SeIncBasePriorityPrivilege	2984	explorer.exe
Token: 33	2984	explorer.exe
Token: SeIncBasePriorityPrivilege	2984	explorer.exe
Token: 33	2984	explorer.exe
Token: SeIncBasePriorityPrivilege	2984	explorer.exe
Token: 33	2984	explorer.exe
Token: SeIncBasePriorityPrivilege	2984	explorer.exe
Token: 33	2984	explorer.exe
Token: SeIncBasePriorityPrivilege	2984	explorer.exe
Token: 33	2984	explorer.exe
Token: SeIncBasePriorityPrivilege	2984	explorer.exe
Token: 33	2984	explorer.exe
Token: SeIncBasePriorityPrivilege	2984	explorer.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1056 wrote to memory of 2568	1056	4314ab3773ddf65e9a290d0889bb09d57fb4968ca49522453e5c9b92ef32f40b.exe	29
PID 1056 wrote to memory of 2568	1056	4314ab3773ddf65e9a290d0889bb09d57fb4968ca49522453e5c9b92ef32f40b.exe	29
PID 1056 wrote to memory of 2568	1056	4314ab3773ddf65e9a290d0889bb09d57fb4968ca49522453e5c9b92ef32f40b.exe	29
PID 1056 wrote to memory of 2548	1056	4314ab3773ddf65e9a290d0889bb09d57fb4968ca49522453e5c9b92ef32f40b.exe	30
PID 1056 wrote to memory of 2548	1056	4314ab3773ddf65e9a290d0889bb09d57fb4968ca49522453e5c9b92ef32f40b.exe	30
PID 1056 wrote to memory of 2548	1056	4314ab3773ddf65e9a290d0889bb09d57fb4968ca49522453e5c9b92ef32f40b.exe	30
PID 1056 wrote to memory of 1664	1056	4314ab3773ddf65e9a290d0889bb09d57fb4968ca49522453e5c9b92ef32f40b.exe	31
PID 1056 wrote to memory of 1664	1056	4314ab3773ddf65e9a290d0889bb09d57fb4968ca49522453e5c9b92ef32f40b.exe	31
PID 1056 wrote to memory of 1664	1056	4314ab3773ddf65e9a290d0889bb09d57fb4968ca49522453e5c9b92ef32f40b.exe	31
PID 2548 wrote to memory of 2828	2548	Setup.exe	33
PID 2548 wrote to memory of 2828	2548	Setup.exe	33
PID 2548 wrote to memory of 2828	2548	Setup.exe	33
PID 2828 wrote to memory of 1864	2828	svchost.exe	34
PID 2828 wrote to memory of 1864	2828	svchost.exe	34
PID 2828 wrote to memory of 1864	2828	svchost.exe	34
PID 1864 wrote to memory of 2984	1864	explorer.exe	35
PID 1864 wrote to memory of 2984	1864	explorer.exe	35
PID 1864 wrote to memory of 2984	1864	explorer.exe	35
PID 2984 wrote to memory of 2020	2984	explorer.exe	36
PID 2984 wrote to memory of 2020	2984	explorer.exe	36
PID 2984 wrote to memory of 2020	2984	explorer.exe	36

C:\Users\Admin\AppData\Local\Temp\4314ab3773ddf65e9a290d0889bb09d57fb4968ca49522453e5c9b92ef32f40b.exe
"C:\Users\Admin\AppData\Local\Temp\4314ab3773ddf65e9a290d0889bb09d57fb4968ca49522453e5c9b92ef32f40b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1056
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2568
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2548
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2828
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1864
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2984
      - C:\Windows\system32\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe" "explorer.exe" ENABLE
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2020
- C:\Users\Admin\AppData\Local\Temp\Mullvad.Checker .exe
  "C:\Users\Admin\AppData\Local\Temp\Mullvad.Checker .exe"
  2⤵
  - Executes dropped EXE
  PID:1664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Setup.exe

Filesize
375KB

MD5
8e4f8329f0837d6a3801dd96973a05fe

SHA1
7309226e370a33000c08653504f2ac5786944b2b

SHA256
0d8f6fc81065fc6f20ea5b9de9a85fbfffe2deb1f2055f1b304b5b0f3e99407d

SHA512
9df93293a5fec2a2fca0838f43b24af8347f229884fab4338f7804ef0050b0aba02235ae2368ffef7dd42640420b42f69eaf974f5107bdab0bf0a8c9b39671cc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe

Filesize
355KB

MD5
f41a73cdd753f77e4da0a16b131d67dd

SHA1
d213d85d0d8d39a2775549b2495680a789e981d8

SHA256
dff8e155e78054e4be440619c04f0bd64613ae8dbdd5f8d3ffa3a0f7a9f78ed2

SHA512
58384b24d9e2620295363db801923e7f34d92297ba57d3eed51adb5c195b5dc4eecb37403c9f06ac92e86d27cf853e56fd44c48562bdb69dea6aa78b216c6c42

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe

Filesize
252KB

MD5
e5d01a5a8cc5c5ca9a5329459814c91a

SHA1
00ec50ab1cdab87816ec0f3e77fa8ad00ea9c067

SHA256
612bbbf476228032ebab743100c98dae7f01a1dc854298cd8ece588351acb3c6

SHA512
2d0d0d964e9100b0586043b16f91532e0f81347ef3697dee7ab0cd90469e6c118ac58e630d9a7fe0a84f5c275440813aeede0e0c44cacf316f59cb760081ab07

Download Submit
\Users\Admin\AppData\Local\Temp\Mullvad.Checker .exe

Filesize
139KB

MD5
ea0d62cc90eea87352e272bea77b97e2

SHA1
429d582e0f294ade34084a4eafe472fb97c31013

SHA256
8a187dd1b587c6d8ef942c4ddc32f1cb14ae0894c0943286cb3f74386d27dc04

SHA512
4de7c405ef263eca0a1e9ad7ba74a04c8ace55935031bb18689ed5a7aa5290c32e30908852ccbb1121b1f3038eaec94f35db82b05e9426ea05c76de0f9ff2068

Download Submit
memory/1056-0-0x000007FEF67BE000-0x000007FEF67BF000-memory.dmp

Filesize
4KB

Download
memory/1056-1-0x000007FEF6500000-0x000007FEF6E9D000-memory.dmp

Filesize
9.6MB

Download
memory/1056-2-0x000007FEF6500000-0x000007FEF6E9D000-memory.dmp

Filesize
9.6MB

Download
memory/1056-23-0x000007FEF6500000-0x000007FEF6E9D000-memory.dmp

Filesize
9.6MB

Download
memory/1864-40-0x00000000005F0000-0x00000000005FC000-memory.dmp

Filesize
48KB

Download
memory/2568-21-0x000007FEF6500000-0x000007FEF6E9D000-memory.dmp

Filesize
9.6MB

Download
memory/2568-29-0x000007FEF6500000-0x000007FEF6E9D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads