njrat | d80aba0386c59bbd60fc1428e86a5295e7bbbce93119fd96a1bc5c06356b7c2d

Analysis

max time kernel
150s
max time network
137s
platform
windows7_x64
resource
win7-20250207-en
resource tags

arch:x64arch:x86image:win7-20250207-enlocale:en-usos:windows7-x64system
submitted
24/03/2025, 11:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d80aba0386c59bbd60fc1428e86a5295e7bbbce93119fd96a1bc5c06356b7c2d.exe
Size

170KB
MD5

85674d840f5718ae8b969d34f00959a6
SHA1

81ac606530c9f8f0b5b1aedebdfe5fbd9f0720a6
SHA256

d80aba0386c59bbd60fc1428e86a5295e7bbbce93119fd96a1bc5c06356b7c2d
SHA512

9b97f5a99e2bea32b1ec68173a7b7e661c609a5c03abd391d3f974b54518c3fd4666e2570603037d6e383354fe63cbbf7b5c684a1edd69249fdfa51a7dd7296f
SSDEEP

3072:IE+aisCzuOA2ewhLapuvpAsZOyMqmyBeYVYk:WRV/GWGwqqm1

Score

10^/10

njrat victim discovery trojan

Malware Config

Extracted

Family

njrat

Version

<- NjRAT 0.7d Horror Edition ->

Botnet

Victim

size-ingredients.gl.at.ply.gg:5407

Mutex

a1cb840a8f8b330a9629751db128f43f

Attributes

reg_key
a1cb840a8f8b330a9629751db128f43f
splitter
Y262SUCZ4UJJ

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 1 IoCs

pid	Process
1724	rbx hack.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rbx hack.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: SeDebugPrivilege	1724	rbx hack.exe
Token: 33	1724	rbx hack.exe
Token: SeIncBasePriorityPrivilege	1724	rbx hack.exe
Token: 33	1724	rbx hack.exe
Token: SeIncBasePriorityPrivilege	1724	rbx hack.exe
Token: 33	1724	rbx hack.exe
Token: SeIncBasePriorityPrivilege	1724	rbx hack.exe
Token: 33	1724	rbx hack.exe
Token: SeIncBasePriorityPrivilege	1724	rbx hack.exe
Token: 33	1724	rbx hack.exe
Token: SeIncBasePriorityPrivilege	1724	rbx hack.exe
Token: 33	1724	rbx hack.exe
Token: SeIncBasePriorityPrivilege	1724	rbx hack.exe
Token: 33	1724	rbx hack.exe
Token: SeIncBasePriorityPrivilege	1724	rbx hack.exe
Token: 33	1724	rbx hack.exe
Token: SeIncBasePriorityPrivilege	1724	rbx hack.exe
Token: 33	1724	rbx hack.exe
Token: SeIncBasePriorityPrivilege	1724	rbx hack.exe
Token: 33	1724	rbx hack.exe
Token: SeIncBasePriorityPrivilege	1724	rbx hack.exe
Token: 33	1724	rbx hack.exe
Token: SeIncBasePriorityPrivilege	1724	rbx hack.exe
Token: 33	1724	rbx hack.exe
Token: SeIncBasePriorityPrivilege	1724	rbx hack.exe
Token: 33	1724	rbx hack.exe
Token: SeIncBasePriorityPrivilege	1724	rbx hack.exe
Token: 33	1724	rbx hack.exe
Token: SeIncBasePriorityPrivilege	1724	rbx hack.exe
Token: 33	1724	rbx hack.exe
Token: SeIncBasePriorityPrivilege	1724	rbx hack.exe
Token: 33	1724	rbx hack.exe
Token: SeIncBasePriorityPrivilege	1724	rbx hack.exe
Token: 33	1724	rbx hack.exe
Token: SeIncBasePriorityPrivilege	1724	rbx hack.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2872 wrote to memory of 1724	2872	d80aba0386c59bbd60fc1428e86a5295e7bbbce93119fd96a1bc5c06356b7c2d.exe	31
PID 2872 wrote to memory of 1724	2872	d80aba0386c59bbd60fc1428e86a5295e7bbbce93119fd96a1bc5c06356b7c2d.exe	31
PID 2872 wrote to memory of 1724	2872	d80aba0386c59bbd60fc1428e86a5295e7bbbce93119fd96a1bc5c06356b7c2d.exe	31
PID 2872 wrote to memory of 1724	2872	d80aba0386c59bbd60fc1428e86a5295e7bbbce93119fd96a1bc5c06356b7c2d.exe	31

C:\Users\Admin\AppData\Local\Temp\d80aba0386c59bbd60fc1428e86a5295e7bbbce93119fd96a1bc5c06356b7c2d.exe
"C:\Users\Admin\AppData\Local\Temp\d80aba0386c59bbd60fc1428e86a5295e7bbbce93119fd96a1bc5c06356b7c2d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2872
- C:\Users\Admin\AppData\Local\Temp\rbx hack.exe
  "C:\Users\Admin\AppData\Local\Temp\rbx hack.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\rbx hack.exe

Filesize
54KB

MD5
e3250ba3e962ddf90560e00c92659cf9

SHA1
f6904cfed503a1009923141b3028875bab2aa08c

SHA256
92123431a5d7c000dfa423656179055bc8b3e4c96ed94b90cd334b2feb8818b6

SHA512
8e78bf75eec8fc294fc11e5fc6eb69230b7e6d9a8676944cf9b1fe581b6f1fc5d931fd3efedd6ffe63b396ee69de34e18c07501fb7f3b2c8df3a5993c9eafd5d

Download Submit
memory/1724-9-0x0000000074E82000-0x0000000074E84000-memory.dmp

Filesize
8KB

Download
memory/1724-10-0x0000000074E80000-0x000000007542B000-memory.dmp

Filesize
5.7MB

Download
memory/1724-11-0x0000000074E80000-0x000000007542B000-memory.dmp

Filesize
5.7MB

Download
memory/2872-0-0x000007FEF5FA3000-0x000007FEF5FA4000-memory.dmp

Filesize
4KB

Download
memory/2872-1-0x0000000000230000-0x0000000000260000-memory.dmp

Filesize
192KB

Download
memory/2872-8-0x000007FEF5FA0000-0x000007FEF698C000-memory.dmp

Filesize
9.9MB

Download