njrat | d80aba0386c59bbd60fc1428e86a5295e7bbbce93119fd96a1bc5c06356b7c2d

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
23/03/2025, 15:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

rbx hack 2.6.exe
Size

170KB
MD5

85674d840f5718ae8b969d34f00959a6
SHA1

81ac606530c9f8f0b5b1aedebdfe5fbd9f0720a6
SHA256

d80aba0386c59bbd60fc1428e86a5295e7bbbce93119fd96a1bc5c06356b7c2d
SHA512

9b97f5a99e2bea32b1ec68173a7b7e661c609a5c03abd391d3f974b54518c3fd4666e2570603037d6e383354fe63cbbf7b5c684a1edd69249fdfa51a7dd7296f
SSDEEP

3072:IE+aisCzuOA2ewhLapuvpAsZOyMqmyBeYVYk:WRV/GWGwqqm1

Score

10^/10

njrat discovery trojan

Malware Config

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	rbx hack 2.6.exe

Executes dropped EXE 1 IoCs

pid	Process
5836	rbx hack.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rbx hack.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: SeDebugPrivilege	5836	rbx hack.exe
Token: 33	5836	rbx hack.exe
Token: SeIncBasePriorityPrivilege	5836	rbx hack.exe
Token: 33	5836	rbx hack.exe
Token: SeIncBasePriorityPrivilege	5836	rbx hack.exe
Token: 33	5836	rbx hack.exe
Token: SeIncBasePriorityPrivilege	5836	rbx hack.exe
Token: 33	5836	rbx hack.exe
Token: SeIncBasePriorityPrivilege	5836	rbx hack.exe
Token: 33	5836	rbx hack.exe
Token: SeIncBasePriorityPrivilege	5836	rbx hack.exe
Token: 33	5836	rbx hack.exe
Token: SeIncBasePriorityPrivilege	5836	rbx hack.exe
Token: 33	5836	rbx hack.exe
Token: SeIncBasePriorityPrivilege	5836	rbx hack.exe
Token: 33	5836	rbx hack.exe
Token: SeIncBasePriorityPrivilege	5836	rbx hack.exe
Token: 33	5836	rbx hack.exe
Token: SeIncBasePriorityPrivilege	5836	rbx hack.exe
Token: 33	5836	rbx hack.exe
Token: SeIncBasePriorityPrivilege	5836	rbx hack.exe
Token: 33	5836	rbx hack.exe
Token: SeIncBasePriorityPrivilege	5836	rbx hack.exe
Token: 33	5836	rbx hack.exe
Token: SeIncBasePriorityPrivilege	5836	rbx hack.exe
Token: 33	5836	rbx hack.exe
Token: SeIncBasePriorityPrivilege	5836	rbx hack.exe
Token: 33	5836	rbx hack.exe
Token: SeIncBasePriorityPrivilege	5836	rbx hack.exe
Token: 33	5836	rbx hack.exe
Token: SeIncBasePriorityPrivilege	5836	rbx hack.exe
Token: 33	5836	rbx hack.exe
Token: SeIncBasePriorityPrivilege	5836	rbx hack.exe
Token: 33	5836	rbx hack.exe
Token: SeIncBasePriorityPrivilege	5836	rbx hack.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3000 wrote to memory of 5836	3000	rbx hack 2.6.exe	91
PID 3000 wrote to memory of 5836	3000	rbx hack 2.6.exe	91
PID 3000 wrote to memory of 5836	3000	rbx hack 2.6.exe	91

C:\Users\Admin\AppData\Local\Temp\rbx hack 2.6.exe
"C:\Users\Admin\AppData\Local\Temp\rbx hack 2.6.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3000
- C:\Users\Admin\AppData\Local\Temp\rbx hack.exe
  "C:\Users\Admin\AppData\Local\Temp\rbx hack.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\rbx hack.exe

Filesize
54KB

MD5
e3250ba3e962ddf90560e00c92659cf9

SHA1
f6904cfed503a1009923141b3028875bab2aa08c

SHA256
92123431a5d7c000dfa423656179055bc8b3e4c96ed94b90cd334b2feb8818b6

SHA512
8e78bf75eec8fc294fc11e5fc6eb69230b7e6d9a8676944cf9b1fe581b6f1fc5d931fd3efedd6ffe63b396ee69de34e18c07501fb7f3b2c8df3a5993c9eafd5d

Download Submit
memory/3000-0-0x00007FF91F2A3000-0x00007FF91F2A5000-memory.dmp

Filesize
8KB

Download
memory/3000-1-0x0000000000360000-0x0000000000390000-memory.dmp

Filesize
192KB

Download
memory/3000-8-0x00007FF91F2A0000-0x00007FF91FD61000-memory.dmp

Filesize
10.8MB

Download
memory/3000-12-0x00007FF91F2A0000-0x00007FF91FD61000-memory.dmp

Filesize
10.8MB

Download
memory/5836-13-0x0000000074792000-0x0000000074793000-memory.dmp

Filesize
4KB

Download
memory/5836-14-0x0000000074790000-0x0000000074D41000-memory.dmp

Filesize
5.7MB

Download
memory/5836-15-0x0000000074790000-0x0000000074D41000-memory.dmp

Filesize
5.7MB

Download
memory/5836-16-0x0000000074792000-0x0000000074793000-memory.dmp

Filesize
4KB

Download
memory/5836-17-0x0000000074790000-0x0000000074D41000-memory.dmp

Filesize
5.7MB

Download
memory/5836-18-0x0000000074790000-0x0000000074D41000-memory.dmp

Filesize
5.7MB

Download