Resubmissions

14-02-2025 19:38

250214-ycpdzsxmck 10

14-02-2025 19:38

250214-ycd81sxqav 8

14-02-2025 19:35

250214-yanpnsxlhn 10

Analysis

  • max time kernel
    119s
  • max time network
    106s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    14-02-2025 19:35

General

  • Target

    RootRAT.rar

  • Size

    8.7MB

  • MD5

    3001959ffa3eb5d7a2137ed8c6742220

  • SHA1

    fcf3527d9acb615d87d7f755775c9a11ea5856c9

  • SHA256

    ee21f7603068571e079668c4db4fc4b71e52e4056de57475a4de0e9a69dc1c39

  • SHA512

    3880eab40cb28c64591d57989fa09bb112416031b3fb39c8bf71429efdd4ceb9b91a7cf18d4aff5a6e53bd1d70c6483b2680a33496fbc416316379e478689eb1

  • SSDEEP

    196608:u3zbdzrRceeFK4JJU5KUhAu/aF6EfGcTwZJThYjBOKvjXi5GTYSyKirX:udrCrK7KUhA0VcTeTuXW5GcS6

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

127.0.0.1:5552

Mutex

8988c269b68aec59915e8fac0e1480d5

Attributes
  • reg_key

    8988c269b68aec59915e8fac0e1480d5

  • splitter

    |'|'|

Signatures

  • Njrat family
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 10 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 39 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 46 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RootRAT.rar"
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2600
  • C:\Users\Admin\Desktop\RootRAT\яσσтRAT.exe
    "C:\Users\Admin\Desktop\RootRAT\яσσтRAT.exe"
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2692
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe" /alignment=512 /QUIET "C:\Users\Admin\AppData\Local\Temp\stub.il" /output:"C:\Users\Admin\Desktop\RootRAT\Server.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1228
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe" /alignment=512 /QUIET "C:\Users\Admin\AppData\Local\Temp\stub.il" /output:"C:\Users\Admin\Desktop\Server.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2512
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x418
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2292
  • C:\Users\Admin\Desktop\Server.exe
    "C:\Users\Admin\Desktop\Server.exe"
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2220
    • C:\Users\Admin\AppData\Local\Temp\server.exe
      "C:\Users\Admin\AppData\Local\Temp\server.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:608
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        3⤵
        • Modifies Windows Firewall
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:704

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\stub.il

    Filesize

    228KB

    MD5

    0d71a33d82808d0e904ddd582ef8a39d

    SHA1

    c3af0df453609c212e1f8324752d367bdec6d3d8

    SHA256

    fd680d3cbf43271433c8406e3a830389d8875f83534059d5bba152e5228fbacb

    SHA512

    94cdaaa9942205212a50d273cfb4aa5b59672ef71d2c850625621d3f52a185c2f4b55fbb50c9989f2029dec0b5b65aa3323b42b946acf6d8eb9f80db3500648d

  • C:\Users\Admin\Desktop\RootRAT\GeoIP.dat

    Filesize

    1.2MB

    MD5

    797b96cc417d0cde72e5c25d0898e95e

    SHA1

    8c63d0cc8a3a09c1fe50c856b8e5170a63d62f13

    SHA256

    8a0675001b5bc63d8389fc7ed80b4a7b0f9538c744350f00162533519e106426

    SHA512

    9bb0c40c83551000577f8cf0b8a7c344bc105328a2c564df70fabec978ad267fa42e248c11fb78166855b0816d2ef3ec2c12fe52f8cc0b83e366e46301340882

  • C:\Users\Admin\Desktop\RootRAT\Server.exe

    Filesize

    22KB

    MD5

    d1059a5e4e35951a885fdd075fabb0d8

    SHA1

    2592ca4f5fb301c7fcaf5101aa352f11916988cb

    SHA256

    dca12aa6eccc2802a9c2053fc4cb65167b62624d15a10588959a6f82c25065bb

    SHA512

    dd00e3719ab36cfcb1a7f0ba2905735d54dddb491b48101f639bab25f97d3ad10f2e80562618dcbc80beabc45123e60d4a909aaa179289e9b2a6ff793ea0c54a

  • C:\Users\Admin\Desktop\RootRAT\Stub.il

    Filesize

    228KB

    MD5

    2041e64bffccfbc9379235fdf294f188

    SHA1

    19c1fd78e8f36493e2a9b1c0e437afc2416586f8

    SHA256

    daa4362a762a472f717a480102883382b41dc5c17484f649272c5bdb5142917c

    SHA512

    c5d5be4615767483432287d3486e805d6744d45a5eac6445cef87ce1e8475bcdbb521dcd8d1c7918d8d73d6634617842b67290bc4fb734a4ab31dfe7daaaec13

  • C:\Users\Admin\Desktop\RootRAT\Stub.manifest

    Filesize

    487B

    MD5

    4d18ac38a92d15a64e2b80447b025b7e

    SHA1

    5c34374c2dd5afa92e0489f1d6f86dde616aca6c

    SHA256

    835a00d6e7c43db49ae7b3fa12559f23c2920b7530f4d3f960fd285b42b1efb5

    SHA512

    72be79acd72366b495e0f625a50c9bdf01047bcf5f9ee1e3bdba10dab7bd721b0126f429a91d8c80c2434e8bc751defdf4c05bdc09d26a871df1bb2e22e923bf

  • C:\Users\Admin\Desktop\RootRAT\WinMM.Net.dll

    Filesize

    43KB

    MD5

    d4b80052c7b4093e10ce1f40ce74f707

    SHA1

    2494a38f1c0d3a0aa9b31cf0650337cacc655697

    SHA256

    59e2ac1b79840274bdfcef412a10058654e42f4285d732d1487e65e60ffbfb46

    SHA512

    3813b81f741ae3adb07ae370e817597ed2803680841ccc7549babb727910c7bff4f8450670d0ca19a0d09e06f133a1aaefecf5b5620e1b0bdb6bcd409982c450

  • C:\Users\Admin\Desktop\RootRAT\plugin\cam.dll

    Filesize

    63KB

    MD5

    a73edb60b80a2dfa86735d821bea7b19

    SHA1

    f39a54d7bc25425578a2b800033e4508714a73ed

    SHA256

    7a4977b024d048b71bcc8f1cc65fb06e4353821323f852dc6740b79b9ab75c98

    SHA512

    283e9206d0b56c1f8b0741375ccd0a184410cf89f5f42dfe91e7438c5fd0ac7fa4afbb84b8b7ea448b3093397552fd3731b9be74c67b846d946da486dcf0df68

  • C:\Users\Admin\Desktop\RootRAT\plugin\ch.dll

    Filesize

    12KB

    MD5

    e747fa3339c1f138b6bfce707b541d03

    SHA1

    b95c54fbd6eb20ba4b4e69736b574baa2699ab8e

    SHA256

    6e31148cc1b3235b71731c3944a7b06f861e104e978708d12c695ec09b5b3760

    SHA512

    b970c3e8bf6a2e3ae920bc8bd014edb86ca92c85a2bccff732c7e5eb2f81ffbd902a34a0a68bd51545954b5f4d6dd1bb84b5c005868c0659717eba2892a67355

  • C:\Users\Admin\Desktop\RootRAT\plugin\mic.dll

    Filesize

    50KB

    MD5

    d4c5ddc00f27162fc0947830e0e762b7

    SHA1

    7769be616d752e95d80e167f2ef4cc6b8c3c21fe

    SHA256

    b6fb6b66821e70a27a4750b0cd0393e4ee2603a47feac48d6a3d66d1c1cb56d5

    SHA512

    9555f800213f2f4a857b4558aa4d030edf41485b8366812d5a6b9adcc77fc21584e30d2dd9ce515846f3a809c85038958cb8174bf362cf6fed97ca99a826e379

  • C:\Users\Admin\Desktop\RootRAT\plugin\plg.dll

    Filesize

    28KB

    MD5

    0cbc2d9703feead9783439e551c2b673

    SHA1

    4f8f4addd6f9e60598a7f4a191a89a52201394a8

    SHA256

    ea9ecf8723788feef6492bf938cdfab1266a1558dffe75e1f78a998320f96e39

    SHA512

    06f55b542000e23f5eeba45ea5ff9ffaddddd102935e039e4496af5e5083f257129dab2f346eeae4ee864f54db57d3c73cf6ed1d3568087411203769cf0ddd66

  • C:\Users\Admin\Desktop\RootRAT\plugin\pw.dll

    Filesize

    251KB

    MD5

    872401528fc94c90f3de6658e776cc36

    SHA1

    c58e22158774d16831350de79eb4e1711379e8a6

    SHA256

    3a1cc072effd8c38406a6fddf4d8f49c5366bb0e32071311d90db669940987ce

    SHA512

    6da881fb968ba9d9200777a9f19d69220468482f3eaaf687c433790d512da520f5adb23441fdc8f3fd10785918eb2864ea3ef32ddb80d2f6665550ea455f4a2f

  • C:\Users\Admin\Desktop\RootRAT\plugin\sc2.dll

    Filesize

    12KB

    MD5

    19967e886edcd2f22f8d4a58c8ea3773

    SHA1

    bf6e0e908eaad659fdd32572e9d73c5476ca26ec

    SHA256

    3e5141c75b7746c0eb2b332082a165deacb943cef26bd84668e6b79b47bdfd93

    SHA512

    d471df3f0d69909e8ef9f947da62c77c3ff1eb97ac1dd53a74ad09fb4d74ec26c3c22facc18ec04f26df3b85b0c70863119f5baa090b110ab25383fcdb4e9d6e

  • C:\Users\Admin\Desktop\RootRAT\яσσтRAT.exe

    Filesize

    9.1MB

    MD5

    5923ef643ff81041a0815d85478f43aa

    SHA1

    8c9437a33483fa8d4f57322a151f0b6d53db66ea

    SHA256

    083bf37b0f269e93b31ff96a9d2332cfca02586519724c477193277c4532212b

    SHA512

    24b6e40fec7c6236ff4824b8506c77c59f32cbf3fc665967654e3da0ef33ed1511ad230b68d2a061b9d21fe108e9c642e589d735e2727f1046ca736946ceda25

  • C:\Users\Admin\Desktop\RootRAT\яσσтRAT.exe.config

    Filesize

    1KB

    MD5

    da15a1d8d770b57356ddd384342b3034

    SHA1

    b03d6cb907c139492c7b914147a498b31ef839fd

    SHA256

    c45c9d1d30f940289498be2af978d74178a5c24ceb7755c2648f6c7a89353813

    SHA512

    3cf7dd0d14244c543e3442873ce7e495ade87ad906a42d53f3b38180ffc453bd74ae022b91306445d359475dbee4caa1514c4e913e823d174b8470b45fed7cfc

  • C:\Users\Admin\Desktop\Server.exe

    Filesize

    22KB

    MD5

    1f4282d5d13c70b037e338ce06dca52a

    SHA1

    d8b5bfe641572e4d9f5661e24398a4b6cbb460b9

    SHA256

    0978ba313b418aff7144d646c9d1abc4a02936fb92b8e797414bb26da5ed4648

    SHA512

    93b187438c84027de4ad1a8ae9fdad81d293c46698ee4718c52c7c1164969d0fe8373886fd536d976074f6682c27018cb36baf902730106ba6a5dcd349b790e2

  • memory/2692-57-0x000000000B7A0000-0x000000000B7A2000-memory.dmp

    Filesize

    8KB