njrat | e451ebc803766d533d92baf458485284fb64cc3e8d4491cf410ea7fb2d5ded45

Analysis

max time kernel
308s
max time network
359s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
08/02/2025, 11:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

nkth.exe
Size

55KB
MD5

33644523cb6a6c01bbf2dd5c3a97aafc
SHA1

7fd0d35a09a32693d30ffdb49ecd69c1229d2a20
SHA256

e451ebc803766d533d92baf458485284fb64cc3e8d4491cf410ea7fb2d5ded45
SHA512

43bddd6e1cd6acf040fec6d2b51afd86daa0f5f8ef7990b7dab2e9a42bdcdec5fede30d0510e6fdfd1cb08a4028e5057061f7c4e91a8b5a300ae1af9505cef2b
SSDEEP

1536:5EOADn6cpNPmSpVcDGiwsNMDdXExI3pmsm:bADn6cPzLcDGiwsNMDdXExI3pm

Score

10^/10

njrat discovery trojan

Malware Config

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 4 IoCs

pid	Process
1588	8bac46caf78049dc9740329a4628423a.COM
2756	MBR2.exe
2588	TROLL5.exe
1620	TROLL2.exe

Loads dropped DLL 1 IoCs

pid	Process
2876	nkth.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nkth.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TROLL5.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2876	nkth.exe
Token: 33	2876	nkth.exe
Token: SeIncBasePriorityPrivilege	2876	nkth.exe
Token: 33	2876	nkth.exe
Token: SeIncBasePriorityPrivilege	2876	nkth.exe
Token: 33	2876	nkth.exe
Token: SeIncBasePriorityPrivilege	2876	nkth.exe
Token: 33	2876	nkth.exe
Token: SeIncBasePriorityPrivilege	2876	nkth.exe
Token: 33	2876	nkth.exe
Token: SeIncBasePriorityPrivilege	2876	nkth.exe
Token: 33	2876	nkth.exe
Token: SeIncBasePriorityPrivilege	2876	nkth.exe
Token: 33	2876	nkth.exe
Token: SeIncBasePriorityPrivilege	2876	nkth.exe
Token: 33	2876	nkth.exe
Token: SeIncBasePriorityPrivilege	2876	nkth.exe
Token: 33	2876	nkth.exe
Token: SeIncBasePriorityPrivilege	2876	nkth.exe
Token: 33	2876	nkth.exe
Token: SeIncBasePriorityPrivilege	2876	nkth.exe
Token: 33	2876	nkth.exe
Token: SeIncBasePriorityPrivilege	2876	nkth.exe
Token: 33	2876	nkth.exe
Token: SeIncBasePriorityPrivilege	2876	nkth.exe
Token: 33	2876	nkth.exe
Token: SeIncBasePriorityPrivilege	2876	nkth.exe
Token: 33	2876	nkth.exe
Token: SeIncBasePriorityPrivilege	2876	nkth.exe
Token: 33	2876	nkth.exe
Token: SeIncBasePriorityPrivilege	2876	nkth.exe
Token: 33	2876	nkth.exe
Token: SeIncBasePriorityPrivilege	2876	nkth.exe
Token: 33	2876	nkth.exe
Token: SeIncBasePriorityPrivilege	2876	nkth.exe
Token: 33	2876	nkth.exe
Token: SeIncBasePriorityPrivilege	2876	nkth.exe
Token: 33	2876	nkth.exe
Token: SeIncBasePriorityPrivilege	2876	nkth.exe
Token: 33	2876	nkth.exe
Token: SeIncBasePriorityPrivilege	2876	nkth.exe
Token: 33	2876	nkth.exe
Token: SeIncBasePriorityPrivilege	2876	nkth.exe
Token: 33	2876	nkth.exe
Token: SeIncBasePriorityPrivilege	2876	nkth.exe
Token: 33	2876	nkth.exe
Token: SeIncBasePriorityPrivilege	2876	nkth.exe
Token: 33	2876	nkth.exe
Token: SeIncBasePriorityPrivilege	2876	nkth.exe
Token: 33	2876	nkth.exe
Token: SeIncBasePriorityPrivilege	2876	nkth.exe
Token: 33	2876	nkth.exe
Token: SeIncBasePriorityPrivilege	2876	nkth.exe
Token: 33	2876	nkth.exe
Token: SeIncBasePriorityPrivilege	2876	nkth.exe
Token: 33	2876	nkth.exe
Token: SeIncBasePriorityPrivilege	2876	nkth.exe
Token: 33	2876	nkth.exe
Token: SeIncBasePriorityPrivilege	2876	nkth.exe
Token: 33	2876	nkth.exe
Token: SeIncBasePriorityPrivilege	2876	nkth.exe
Token: 33	2876	nkth.exe
Token: SeIncBasePriorityPrivilege	2876	nkth.exe
Token: 33	2876	nkth.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 1588	2876	nkth.exe	32
PID 2876 wrote to memory of 1588	2876	nkth.exe	32
PID 2876 wrote to memory of 1588	2876	nkth.exe	32
PID 2876 wrote to memory of 1588	2876	nkth.exe	32
PID 1588 wrote to memory of 2756	1588	8bac46caf78049dc9740329a4628423a.COM	33
PID 1588 wrote to memory of 2756	1588	8bac46caf78049dc9740329a4628423a.COM	33
PID 1588 wrote to memory of 2756	1588	8bac46caf78049dc9740329a4628423a.COM	33
PID 1588 wrote to memory of 2588	1588	8bac46caf78049dc9740329a4628423a.COM	34
PID 1588 wrote to memory of 2588	1588	8bac46caf78049dc9740329a4628423a.COM	34
PID 1588 wrote to memory of 2588	1588	8bac46caf78049dc9740329a4628423a.COM	34
PID 1588 wrote to memory of 2588	1588	8bac46caf78049dc9740329a4628423a.COM	34
PID 1588 wrote to memory of 1620	1588	8bac46caf78049dc9740329a4628423a.COM	35
PID 1588 wrote to memory of 1620	1588	8bac46caf78049dc9740329a4628423a.COM	35
PID 1588 wrote to memory of 1620	1588	8bac46caf78049dc9740329a4628423a.COM	35
PID 1588 wrote to memory of 1620	1588	8bac46caf78049dc9740329a4628423a.COM	35

C:\Users\Admin\AppData\Local\Temp\nkth.exe
"C:\Users\Admin\AppData\Local\Temp\nkth.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Users\Admin\AppData\Local\Temp\8bac46caf78049dc9740329a4628423a.COM
  "C:\Users\Admin\AppData\Local\Temp\8bac46caf78049dc9740329a4628423a.COM"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1588
- - C:\Users\Admin\AppData\Local\Temp\MBR2.exe
    "C:\Users\Admin\AppData\Local\Temp\MBR2.exe"
    3⤵
    - Executes dropped EXE
    PID:2756
  - - C:\Windows\System32\MatrixMBR.exe
      "C:\Windows\System32\MatrixMBR.exe"
      4⤵
      PID:2768
    - - C:\Users\Admin\AppData\Local\Temp\GDI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GDI.exe"
        5⤵
        
        PID:2144
    - - C:\Users\Admin\AppData\Local\Temp\MBR.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MBR.exe"
        5⤵
        
        PID:1968
- - C:\Users\Admin\AppData\Local\Temp\TROLL5.exe
    "C:\Users\Admin\AppData\Local\Temp\TROLL5.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2588
- - C:\Users\Admin\AppData\Local\Temp\TROLL2.exe
    "C:\Users\Admin\AppData\Local\Temp\TROLL2.exe"
    3⤵
    - Executes dropped EXE
    PID:1620

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x5a0
1⤵
PID:3016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GDI.exe

Filesize
11KB

MD5
c08ae6d9c6ecd7e13f827bf68767785f

SHA1
e71c2ec8d00c1e82b8b07baee0688b0a28604454

SHA256
e153def894c867923dd56a7025b7b0b7bd3ee37c801a5957201d39f999bb28bf

SHA512
c28bbe8abc66ad2433e5a3b93a4601b28225e86cb4bff077fd3224adfa63164bebfa3002a42b1cb4cb3c7ccad0208f8b143b8a17099bea04fcb964e667c7a1c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MBR.exe

Filesize
93KB

MD5
d2fc66cf781a2497fceb4041a93cc676

SHA1
480b1aa31b0b31fc0e0833afbba06533ab9a90ee

SHA256
acddde9514e3b9d5c40b3d1750af5f4187c99f8987b027d6da44fb6bcf79b3ca

SHA512
6c4cb42f786301be7614d4cb0b32601fea151351b0877e2371632435eb2c54bd4cd04d6b23bf4f49017ccaf679331162aac7329a1ed2409e3c2e02d0326e3487

Download Submit
C:\Users\Admin\AppData\Local\Temp\MBR2.exe

Filesize
205KB

MD5
3dc0e225f886bae3b655cd9d738ed32f

SHA1
abda127fd477bd9d051cd57b16ac13f44030a9ae

SHA256
c22e2419f04fe03a92255a139ca8814697962e86d191a1d4171788fd0c903f68

SHA512
c8a6c0bfa96defde6f83d847583ff2ec065a43f80f9886259a2d1fe7df306ef6ed7aeed61b7dcf0bdc111fc67419eb66cf1ca44e831711dd4ea7d25ed9aed09b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TROLL2.exe

Filesize
105KB

MD5
52a2a5517deb1a06896891a35299ce20

SHA1
badcbdfef312bd71de997a7416ee20cee5d66af6

SHA256
dcdf5140bc51db27f3aec80ae9a66a57aad446a2522904d288770e8d8cde8cee

SHA512
7cb0de412c0508f5af522aeaf3731dda418f72f7cae8dd3f21b34d5cdbc08f9dea8699d59878610496c68d687227a0269739221490d70d03b8e4b84dfd29d5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\TROLL5.exe

Filesize
712KB

MD5
542a4e400ff233b21a1a3c27751ac783

SHA1
000a67f00b0003531d65a6ed6f16488ae5dcd0fe

SHA256
79f00c7dab0891824136539fabd542c74e26cbed94b9add3f1aa7f793d653de6

SHA512
8335118ca0c268635d9495b331fb65800a32a0631f132cd34ce84ca3b523d0a9e23eee6d76539d0c81d86fda534da56c936914012d8bad35040b15cc8caaf645

Download Submit
C:\Windows\System32\MatrixMBR.exe

Filesize
250KB

MD5
24c441662c09b94e14a4096a8e59c316

SHA1
11576cad137bd8ed76efecd711c0390fe5c85292

SHA256
339fe94164952a8454e6ec5fc75e2c38baade2c14b231e47bf41989ffbb55ee4

SHA512
7f6ca1366733c5fb4925001c0846510732031a9e5f1b16291ff596187c20a88f41193389cedcb73e3928c318fc972be4f03e3cb71f1487c34642897ff9a2b590

Download Submit
\Users\Admin\AppData\Local\Temp\8bac46caf78049dc9740329a4628423a.COM

Filesize
921KB

MD5
d0ae6aea701de9f127f91e7efdb50252

SHA1
cb9ef64cbcb999372fb4046e99fe89a03df9bc81

SHA256
c1aeab35f61f12db28274d82713bff400b808625854a18e49504022f92805e31

SHA512
505d11808e9923ff0ec1a51acd51509711f8c5c42da81b47a97249954b06f6f45ddda4655446daeb7f231785cd484ebc6e9ada92b857ad3a8d7ce04276536f13

Download Submit
memory/1588-13-0x000007FEF55F3000-0x000007FEF55F4000-memory.dmp

Filesize
4KB

Download
memory/1588-39-0x000007FEF55F0000-0x000007FEF5FDC000-memory.dmp

Filesize
9.9MB

Download
memory/1588-14-0x0000000000F50000-0x000000000103C000-memory.dmp

Filesize
944KB

Download
memory/1588-15-0x000000001B3E0000-0x000000001B4C4000-memory.dmp

Filesize
912KB

Download
memory/1588-16-0x000007FEF55F0000-0x000007FEF5FDC000-memory.dmp

Filesize
9.9MB

Download
memory/1620-48-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2144-60-0x0000000000DC0000-0x0000000000DC8000-memory.dmp

Filesize
32KB

Download
memory/2588-40-0x00000000012B0000-0x0000000001368000-memory.dmp

Filesize
736KB

Download
memory/2756-27-0x0000000000C30000-0x0000000000C6A000-memory.dmp

Filesize
232KB

Download
memory/2768-47-0x0000000000B20000-0x0000000000B66000-memory.dmp

Filesize
280KB

Download
memory/2876-6-0x0000000073E50000-0x00000000743FB000-memory.dmp

Filesize
5.7MB

Download
memory/2876-0-0x0000000073E51000-0x0000000073E52000-memory.dmp

Filesize
4KB

Download
memory/2876-5-0x0000000073E50000-0x00000000743FB000-memory.dmp

Filesize
5.7MB

Download
memory/2876-4-0x0000000073E50000-0x00000000743FB000-memory.dmp

Filesize
5.7MB

Download
memory/2876-3-0x0000000073E50000-0x00000000743FB000-memory.dmp

Filesize
5.7MB

Download
memory/2876-2-0x0000000073E50000-0x00000000743FB000-memory.dmp

Filesize
5.7MB

Download
memory/2876-1-0x0000000073E50000-0x00000000743FB000-memory.dmp

Filesize
5.7MB

Download