Overview

overview

10

Static

static

3

69eede8d58...5e.exe

windows7-x64

10

69eede8d58...5e.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    152s
  • max time network
    161s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    08-02-2025 01:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    69eede8d58d95ddb8c081d88e6bd795e.exe

  • Size

    1.5MB

  • MD5

    69eede8d58d95ddb8c081d88e6bd795e

  • SHA1

    afaba911b01704e5bd2f7100143fb45c4d11a48a

  • SHA256

    2395de00a23d65cb4eb0805b96fb8f326f5045413b0d19185727e302b0133bcf

  • SHA512

    34ea399a06a26ccd96a46daa45fad419acb51a02fe2e8154dc1b816378c3f5abb2a730ac66131857d53e575d7d49db95664a91c1ec246e8861db35ab05f1fb40

  • SSDEEP

    24576:NLllLl72qXJMqgzokSg5gOvCXZnx6dmZQSe4mLe+npOebr9UnJpE02+VrMnA5OR9:VllLXX8zxS8vC9xMmZXZCoemJgaHUu3E

Score
10/10
njrathackeddiscoverypersistencetrojan

Malware Config

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

HacKed

C2

6.tcp.eu.ngrok.io:12482

Mutex

Windows Update

Attributes
  • reg_key

    Windows Update

  • splitter

    |Hassan|

Signatures

  • Njrat family
    njrat
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Drops startup file 2 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 20 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 29 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\69eede8d58d95ddb8c081d88e6bd795e.exe
    "C:\Users\Admin\AppData\Local\Temp\69eede8d58d95ddb8c081d88e6bd795e.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2544
    • C:\Users\Admin\AppData\Local\Temp\2.exe
      "C:\Users\Admin\AppData\Local\Temp\2.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2560
      • C:\Users\Admin\AppData\Local\Temp\1.exe
        "C:\Users\Admin\AppData\Local\Temp\1.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2788
        • C:\Users\Admin\AppData\Local\Temp\Dllhost.exe
          "C:\Users\Admin\AppData\Local\Temp\Dllhost.exe"
          4⤵
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2812
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /sc minute /mo 1 /tn Server /tr C:\Users\Admin\AppData\Local\Temp/Server.exe
            5⤵
            • System Location Discovery: System Language Discovery
            • Scheduled Task/Job: Scheduled Task
            PID:1624
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {0746A4A4-E059-4E64-AB4C-E05302D4BE28} S-1-5-21-3692679935-4019334568-335155002-1000:BCXRJFKE\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2428
    • C:\Users\Admin\AppData\Local\Temp\Server.exe
      C:\Users\Admin\AppData\Local\Temp/Server.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:2212
    • C:\Users\Admin\AppData\Local\Temp\Server.exe
      C:\Users\Admin\AppData\Local\Temp/Server.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:608

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\1.exe
    Filesize

    1.1MB

    MD5

    9538ccba5bf23fbe2fe6cb55134115f0

    SHA1

    ebe0fdfc37c9d1fdc9ae4680be07304686652517

    SHA256

    6a0de7405e10bff84a86904e74e54c9dc454e37771e537807a099c68aa789e19

    SHA512

    1e61dfc7531d1e1b744135c86673ee31764b5053c2c13e844a4811c35d9c519c0ec47a0934624f19c145955c1314e75a259bd7ea9c338d2396534a3ac18f95ec

    Download Submit

  • \Users\Admin\AppData\Local\Temp\2.exe
    Filesize

    1.3MB

    MD5

    beb4158f926fa62add213916710bed6e

    SHA1

    4dce87b0b232e7f7be78602bfcd5f4c82ec8fb3d

    SHA256

    f9fa9be7b25ed5ae530162b5494c4076e73259de9673cfbe280bed647500fdbc

    SHA512

    0d6b2a68479a2d1dbc5dad27edb50b9c35f720a2fab4779c600ef91f9222c501f12ce0730522abeef38a60935b2e5376a2b17db6bf6161b975cf1d8fc83a4d18

    Download Submit

  • memory/608-68-0x0000000000BC0000-0x0000000000F36000-memory.dmp

    Filesize

    3.5MB

    Download

  • memory/608-65-0x0000000000BC0000-0x0000000000F36000-memory.dmp

    Filesize

    3.5MB

    Download

  • memory/608-64-0x0000000000BC0000-0x0000000000F36000-memory.dmp

    Filesize

    3.5MB

    Download

  • memory/2212-54-0x0000000000330000-0x00000000006A6000-memory.dmp

    Filesize

    3.5MB

    Download

  • memory/2212-57-0x0000000000330000-0x00000000006A6000-memory.dmp

    Filesize

    3.5MB

    Download

  • memory/2212-53-0x0000000000330000-0x00000000006A6000-memory.dmp

    Filesize

    3.5MB

    Download

  • memory/2560-26-0x00000000035D0000-0x0000000003946000-memory.dmp

    Filesize

    3.5MB

    Download

  • memory/2788-29-0x00000000000F0000-0x0000000000466000-memory.dmp

    Filesize

    3.5MB

    Download

  • memory/2788-40-0x00000000000F0000-0x0000000000466000-memory.dmp

    Filesize

    3.5MB

    Download

  • memory/2788-31-0x00000000000F0000-0x0000000000466000-memory.dmp

    Filesize

    3.5MB

    Download

  • memory/2812-42-0x0000000000AE0000-0x0000000000E56000-memory.dmp

    Filesize

    3.5MB

    Download

  • memory/2812-41-0x0000000000AE0000-0x0000000000E56000-memory.dmp

    Filesize

    3.5MB

    Download