njrat | 69cef8fa1209f02ef528ee93959c7c5e20a10e603b8a4251ba673d4cfd9e4b5e

General

Target

SecuriteInfo.com.Variant.Ursu.93722.24785.25936.exe
Size

52KB
MD5

69ad69047088324a6a754b904abb0c55
SHA1

e91627fd943b1de0c7cd92a9e3b9217765f20baf
SHA256

69cef8fa1209f02ef528ee93959c7c5e20a10e603b8a4251ba673d4cfd9e4b5e
SHA512

c6b81bd1645976744e7251c673bafce4f0154bca915334c3e2c62673194505e55ffc3477f32926c60251e49f04a2b569c078d5111a445db289de4a73585236ef

Score

10^/10

trojan njrat evasion persistence

Malware Config

Signatures

Suspicious use of AdjustPrivilegeToken 31 IoCs

Processes:

server.exe

description	pid	process
Token: SeDebugPrivilege	1048	server.exe
Token: 33	1048	server.exe
Token: SeIncBasePriorityPrivilege	1048	server.exe
Token: 33	1048	server.exe
Token: SeIncBasePriorityPrivilege	1048	server.exe
Token: 33	1048	server.exe
Token: SeIncBasePriorityPrivilege	1048	server.exe
Token: 33	1048	server.exe
Token: SeIncBasePriorityPrivilege	1048	server.exe
Token: 33	1048	server.exe
Token: SeIncBasePriorityPrivilege	1048	server.exe
Token: 33	1048	server.exe
Token: SeIncBasePriorityPrivilege	1048	server.exe
Token: 33	1048	server.exe
Token: SeIncBasePriorityPrivilege	1048	server.exe
Token: 33	1048	server.exe
Token: SeIncBasePriorityPrivilege	1048	server.exe
Token: 33	1048	server.exe
Token: SeIncBasePriorityPrivilege	1048	server.exe
Token: 33	1048	server.exe
Token: SeIncBasePriorityPrivilege	1048	server.exe
Token: 33	1048	server.exe
Token: SeIncBasePriorityPrivilege	1048	server.exe
Token: 33	1048	server.exe
Token: SeIncBasePriorityPrivilege	1048	server.exe
Token: 33	1048	server.exe
Token: SeIncBasePriorityPrivilege	1048	server.exe
Token: 33	1048	server.exe
Token: SeIncBasePriorityPrivilege	1048	server.exe
Token: 33	1048	server.exe
Token: SeIncBasePriorityPrivilege	1048	server.exe

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Modifies service 2 TTPs 5 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

netsh.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\LocalConfig	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\Enroll\HcsGroups	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Shas	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Qecs	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\UI	netsh.exe

Loads dropped DLL 1 IoCs

Processes:

SecuriteInfo.com.Variant.Ursu.93722.24785.25936.exe

pid process

336 SecuriteInfo.com.Variant.Ursu.93722.24785.25936.exe

pid	process
336	SecuriteInfo.com.Variant.Ursu.93722.24785.25936.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

SecuriteInfo.com.Variant.Ursu.93722.24785.25936.exeserver.exe

description	pid	process	target process
PID 336 wrote to memory of 1048	336	SecuriteInfo.com.Variant.Ursu.93722.24785.25936.exe	server.exe
PID 336 wrote to memory of 1048	336	SecuriteInfo.com.Variant.Ursu.93722.24785.25936.exe	server.exe
PID 336 wrote to memory of 1048	336	SecuriteInfo.com.Variant.Ursu.93722.24785.25936.exe	server.exe
PID 336 wrote to memory of 1048	336	SecuriteInfo.com.Variant.Ursu.93722.24785.25936.exe	server.exe
PID 1048 wrote to memory of 1684	1048	server.exe	netsh.exe
PID 1048 wrote to memory of 1684	1048	server.exe	netsh.exe
PID 1048 wrote to memory of 1684	1048	server.exe	netsh.exe
PID 1048 wrote to memory of 1684	1048	server.exe	netsh.exe

Executes dropped EXE 1 IoCs

Processes:

server.exe

pid process

1048 server.exe

pid	process
1048	server.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Ursu.93722.24785.25936.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Ursu.93722.24785.25936.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:336

C:\Users\Admin\AppData\Roaming\server.exe
"C:\Users\Admin\AppData\Roaming\server.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
PID:1048

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
3⤵
- Modifies service
PID:1684

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

2

T1031

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\server.exe

Download Submit
C:\Users\Admin\AppData\Roaming\server.exe

Download Submit
\Users\Admin\AppData\Roaming\server.exe

Download Submit
memory/1048-1-0x0000000000000000-mapping.dmp

Download
memory/1684-4-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads