njrat | c3eecda765f66631358e23cbb02741b4e2fb2e56c76520d5a83b249ee8f929d8

Analysis

max time kernel
147s
max time network
151s
platform
windows7_x64
resource
win7-20250207-en
resource tags

arch:x64arch:x86image:win7-20250207-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 21:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Payload.exe
Size

55KB
MD5

2fb0487c62fddc8148bb9c1e7a61ff0b
SHA1

166f462038f8db0cc6462c8f6de5f3098968b7da
SHA256

c3eecda765f66631358e23cbb02741b4e2fb2e56c76520d5a83b249ee8f929d8
SHA512

0fb567a204b6ed8c0104ac893168800fd4f40c3c6bebba1d446c53f5107a6b6bfea5d1d47c77f32efae765c675c976dbd64f541c671f7348100efc4659f42cc9
SSDEEP

1536:kdmIDn/NOryWhI0DGwsNMDmXExI3pmSm:BIDnE+v0DGwsNMDmXExI3pm

Score

10^/10

njrat victim discovery trojan

Malware Config

Extracted

Family

njrat

Version

<- NjRAT 0.7d Horror Edition ->

Botnet

Victim

anyone-center.gl.at.ply.gg:7940

Mutex

27421004d62e68560786f4e6e6db51e2

Attributes

reg_key
27421004d62e68560786f4e6e6db51e2
splitter
Y262SUCZ4UJJ

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 1 IoCs

pid	Process
2760	dllhost.exe

Loads dropped DLL 1 IoCs

pid	Process
2796	Payload.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Payload.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: SeDebugPrivilege	2760	dllhost.exe
Token: 33	2760	dllhost.exe
Token: SeIncBasePriorityPrivilege	2760	dllhost.exe
Token: 33	2760	dllhost.exe
Token: SeIncBasePriorityPrivilege	2760	dllhost.exe
Token: 33	2760	dllhost.exe
Token: SeIncBasePriorityPrivilege	2760	dllhost.exe
Token: 33	2760	dllhost.exe
Token: SeIncBasePriorityPrivilege	2760	dllhost.exe
Token: 33	2760	dllhost.exe
Token: SeIncBasePriorityPrivilege	2760	dllhost.exe
Token: 33	2760	dllhost.exe
Token: SeIncBasePriorityPrivilege	2760	dllhost.exe
Token: 33	2760	dllhost.exe
Token: SeIncBasePriorityPrivilege	2760	dllhost.exe
Token: 33	2760	dllhost.exe
Token: SeIncBasePriorityPrivilege	2760	dllhost.exe
Token: 33	2760	dllhost.exe
Token: SeIncBasePriorityPrivilege	2760	dllhost.exe
Token: 33	2760	dllhost.exe
Token: SeIncBasePriorityPrivilege	2760	dllhost.exe
Token: 33	2760	dllhost.exe
Token: SeIncBasePriorityPrivilege	2760	dllhost.exe
Token: 33	2760	dllhost.exe
Token: SeIncBasePriorityPrivilege	2760	dllhost.exe
Token: 33	2760	dllhost.exe
Token: SeIncBasePriorityPrivilege	2760	dllhost.exe
Token: 33	2760	dllhost.exe
Token: SeIncBasePriorityPrivilege	2760	dllhost.exe
Token: 33	2760	dllhost.exe
Token: SeIncBasePriorityPrivilege	2760	dllhost.exe
Token: 33	2760	dllhost.exe
Token: SeIncBasePriorityPrivilege	2760	dllhost.exe
Token: 33	2760	dllhost.exe
Token: SeIncBasePriorityPrivilege	2760	dllhost.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2796 wrote to memory of 2760	2796	Payload.exe	31
PID 2796 wrote to memory of 2760	2796	Payload.exe	31
PID 2796 wrote to memory of 2760	2796	Payload.exe	31
PID 2796 wrote to memory of 2760	2796	Payload.exe	31

C:\Users\Admin\AppData\Local\Temp\Payload.exe
"C:\Users\Admin\AppData\Local\Temp\Payload.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2796
- C:\Users\Admin\dllhost.exe
  "C:\Users\Admin\dllhost.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\dllhost.exe

Filesize
55KB

MD5
2fb0487c62fddc8148bb9c1e7a61ff0b

SHA1
166f462038f8db0cc6462c8f6de5f3098968b7da

SHA256
c3eecda765f66631358e23cbb02741b4e2fb2e56c76520d5a83b249ee8f929d8

SHA512
0fb567a204b6ed8c0104ac893168800fd4f40c3c6bebba1d446c53f5107a6b6bfea5d1d47c77f32efae765c675c976dbd64f541c671f7348100efc4659f42cc9

Download Submit
memory/2760-12-0x0000000074490000-0x0000000074A3B000-memory.dmp

Filesize
5.7MB

Download
memory/2760-10-0x0000000074490000-0x0000000074A3B000-memory.dmp

Filesize
5.7MB

Download
memory/2760-13-0x0000000074490000-0x0000000074A3B000-memory.dmp

Filesize
5.7MB

Download
memory/2760-14-0x0000000074490000-0x0000000074A3B000-memory.dmp

Filesize
5.7MB

Download
memory/2760-15-0x0000000074490000-0x0000000074A3B000-memory.dmp

Filesize
5.7MB

Download
memory/2796-0-0x0000000074491000-0x0000000074492000-memory.dmp

Filesize
4KB

Download
memory/2796-1-0x0000000074490000-0x0000000074A3B000-memory.dmp

Filesize
5.7MB

Download
memory/2796-2-0x0000000074490000-0x0000000074A3B000-memory.dmp

Filesize
5.7MB

Download
memory/2796-11-0x0000000074490000-0x0000000074A3B000-memory.dmp

Filesize
5.7MB

Download