njrat | 7e71c79883eb025596762b4e0bf86b447039079dfe510ccf13a383b612575fa6

Analysis

max time kernel
121s
max time network
127s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3d90976d58eb1346f68434f0575cec2ed017a5959384e7137600668ad7777d8c.exe
Size

587KB
MD5

58388ff123bd5e52aa3e7fa34cfa8a7f
SHA1

6b43aa7430ad9e446acf2f8d04ecb8f6b6eaa4c5
SHA256

3d90976d58eb1346f68434f0575cec2ed017a5959384e7137600668ad7777d8c
SHA512

a4b5405d5e0c4f555e151c207c2d6d38e52b3dc3c59f3629729cec2578dc0426621b8f321ce770e69270e974e1d96f6eacc6d38d2f9b89c6aed4ed4ce397a991
SSDEEP

12288:tZFFZDJe6R3dvAheWxnMbbY1wLBuYEAmDUDAc5c:tZnR3ROWblBuYVD

Score

10^/10

njrat lammer discovery trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

Lammer

Mutex

8f04f9cf1cb0a66772ec936fb174701b

Attributes

reg_key
8f04f9cf1cb0a66772ec936fb174701b
splitter
|'|'|

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 1 IoCs

pid	Process
2688	Trojan.exe

Loads dropped DLL 1 IoCs

pid	Process
2368	3d90976d58eb1346f68434f0575cec2ed017a5959384e7137600668ad7777d8c.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2040 set thread context of 2368	2040	3d90976d58eb1346f68434f0575cec2ed017a5959384e7137600668ad7777d8c.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3d90976d58eb1346f68434f0575cec2ed017a5959384e7137600668ad7777d8c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3d90976d58eb1346f68434f0575cec2ed017a5959384e7137600668ad7777d8c.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2108	AcroRd32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2108	AcroRd32.exe
2108	AcroRd32.exe
2108	AcroRd32.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 2108	2040	3d90976d58eb1346f68434f0575cec2ed017a5959384e7137600668ad7777d8c.exe	30
PID 2040 wrote to memory of 2108	2040	3d90976d58eb1346f68434f0575cec2ed017a5959384e7137600668ad7777d8c.exe	30
PID 2040 wrote to memory of 2108	2040	3d90976d58eb1346f68434f0575cec2ed017a5959384e7137600668ad7777d8c.exe	30
PID 2040 wrote to memory of 2108	2040	3d90976d58eb1346f68434f0575cec2ed017a5959384e7137600668ad7777d8c.exe	30
PID 2040 wrote to memory of 2368	2040	3d90976d58eb1346f68434f0575cec2ed017a5959384e7137600668ad7777d8c.exe	31
PID 2040 wrote to memory of 2368	2040	3d90976d58eb1346f68434f0575cec2ed017a5959384e7137600668ad7777d8c.exe	31
PID 2040 wrote to memory of 2368	2040	3d90976d58eb1346f68434f0575cec2ed017a5959384e7137600668ad7777d8c.exe	31
PID 2040 wrote to memory of 2368	2040	3d90976d58eb1346f68434f0575cec2ed017a5959384e7137600668ad7777d8c.exe	31
PID 2040 wrote to memory of 2368	2040	3d90976d58eb1346f68434f0575cec2ed017a5959384e7137600668ad7777d8c.exe	31
PID 2040 wrote to memory of 2368	2040	3d90976d58eb1346f68434f0575cec2ed017a5959384e7137600668ad7777d8c.exe	31
PID 2040 wrote to memory of 2368	2040	3d90976d58eb1346f68434f0575cec2ed017a5959384e7137600668ad7777d8c.exe	31
PID 2040 wrote to memory of 2368	2040	3d90976d58eb1346f68434f0575cec2ed017a5959384e7137600668ad7777d8c.exe	31
PID 2040 wrote to memory of 2368	2040	3d90976d58eb1346f68434f0575cec2ed017a5959384e7137600668ad7777d8c.exe	31
PID 2368 wrote to memory of 2688	2368	3d90976d58eb1346f68434f0575cec2ed017a5959384e7137600668ad7777d8c.exe	33
PID 2368 wrote to memory of 2688	2368	3d90976d58eb1346f68434f0575cec2ed017a5959384e7137600668ad7777d8c.exe	33
PID 2368 wrote to memory of 2688	2368	3d90976d58eb1346f68434f0575cec2ed017a5959384e7137600668ad7777d8c.exe	33
PID 2368 wrote to memory of 2688	2368	3d90976d58eb1346f68434f0575cec2ed017a5959384e7137600668ad7777d8c.exe	33

C:\Users\Admin\AppData\Local\Temp\3d90976d58eb1346f68434f0575cec2ed017a5959384e7137600668ad7777d8c.exe
"C:\Users\Admin\AppData\Local\Temp\3d90976d58eb1346f68434f0575cec2ed017a5959384e7137600668ad7777d8c.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\Proposta.pdf"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2108
- C:\Users\Admin\AppData\Local\Temp\3d90976d58eb1346f68434f0575cec2ed017a5959384e7137600668ad7777d8c.exe
  "C:\Users\Admin\AppData\Local\Temp\3d90976d58eb1346f68434f0575cec2ed017a5959384e7137600668ad7777d8c.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2368
- - C:\Users\Admin\AppData\Roaming\Trojan.exe
    "C:\Users\Admin\AppData\Roaming\Trojan.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
699abbb3e5345bd8c94022e2b7ad326d

SHA1
ede415618d613acf06a04cc867784cd3aadbc07d

SHA256
cd597b5280a854fe29c73a29b26e01f3aa73ea26554b29cc7364460c18359d0b

SHA512
365fa0897fe122b729b756b7d47d97e49c5981cd92046bec3d442a06bc70087cbdebd8a515f214e52b7cc3535cd261f6d0040ff72584bc5c42e5f3475b032def

Download Submit
C:\Users\Admin\AppData\Roaming\Proposta.pdf

Filesize
210KB

MD5
11dd9b4f7e3b192fb7b570a1dd587945

SHA1
0696d05623ee0b34e3b71bbd1ed69e04180848c5

SHA256
4a90c56d35a677dd9bf91a9a89ae8396936cb47b5fdf6094b582d2208c76cd96

SHA512
8aa5c5d7d522c14287d10db92ee7378f22ca96e18ae453b5cd7b72ac95207736b7ad721e08454de1cc5dec0387f455dac83cbd09144db711fdfe5591034a0f19

Download Submit
\Users\Admin\AppData\Roaming\Trojan.exe

Filesize
587KB

MD5
58388ff123bd5e52aa3e7fa34cfa8a7f

SHA1
6b43aa7430ad9e446acf2f8d04ecb8f6b6eaa4c5

SHA256
3d90976d58eb1346f68434f0575cec2ed017a5959384e7137600668ad7777d8c

SHA512
a4b5405d5e0c4f555e151c207c2d6d38e52b3dc3c59f3629729cec2578dc0426621b8f321ce770e69270e974e1d96f6eacc6d38d2f9b89c6aed4ed4ce397a991

Download Submit
memory/2040-0-0x0000000074251000-0x0000000074252000-memory.dmp

Filesize
4KB

Download
memory/2040-1-0x0000000074250000-0x00000000747FB000-memory.dmp

Filesize
5.7MB

Download
memory/2040-2-0x0000000074250000-0x00000000747FB000-memory.dmp

Filesize
5.7MB

Download
memory/2040-3-0x0000000074250000-0x00000000747FB000-memory.dmp

Filesize
5.7MB

Download
memory/2040-5-0x0000000074250000-0x00000000747FB000-memory.dmp

Filesize
5.7MB

Download
memory/2040-18-0x0000000074250000-0x00000000747FB000-memory.dmp

Filesize
5.7MB

Download
memory/2368-13-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2368-15-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2368-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2368-10-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2368-9-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2368-8-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2368-6-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2368-19-0x0000000074250000-0x00000000747FB000-memory.dmp

Filesize
5.7MB

Download
memory/2368-20-0x0000000074250000-0x00000000747FB000-memory.dmp

Filesize
5.7MB

Download
memory/2368-17-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2368-45-0x0000000074250000-0x00000000747FB000-memory.dmp

Filesize
5.7MB

Download