njrat | 69cef8fa1209f02ef528ee93959c7c5e20a10e603b8a4251ba673d4cfd9e4b5e

General

Target

SecuriteInfo.com.Variant.Ursu.93722.24785.25936.exe
Size

52KB
MD5

69ad69047088324a6a754b904abb0c55
SHA1

e91627fd943b1de0c7cd92a9e3b9217765f20baf
SHA256

69cef8fa1209f02ef528ee93959c7c5e20a10e603b8a4251ba673d4cfd9e4b5e
SHA512

c6b81bd1645976744e7251c673bafce4f0154bca915334c3e2c62673194505e55ffc3477f32926c60251e49f04a2b569c078d5111a445db289de4a73585236ef

Score

10^/10

evasion trojan njrat

Malware Config

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

SecuriteInfo.com.Variant.Ursu.93722.24785.25936.exeserver.exe

description	pid	process	target process
PID 2008 wrote to memory of 3916	2008	SecuriteInfo.com.Variant.Ursu.93722.24785.25936.exe	server.exe
PID 2008 wrote to memory of 3916	2008	SecuriteInfo.com.Variant.Ursu.93722.24785.25936.exe	server.exe
PID 2008 wrote to memory of 3916	2008	SecuriteInfo.com.Variant.Ursu.93722.24785.25936.exe	server.exe
PID 3916 wrote to memory of 2568	3916	server.exe	netsh.exe
PID 3916 wrote to memory of 2568	3916	server.exe	netsh.exe
PID 3916 wrote to memory of 2568	3916	server.exe	netsh.exe

Executes dropped EXE 1 IoCs

Processes:

server.exe

pid process

3916 server.exe

pid	process
3916	server.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

server.exe

description	pid	process
Token: SeDebugPrivilege	3916	server.exe
Token: 33	3916	server.exe
Token: SeIncBasePriorityPrivilege	3916	server.exe
Token: 33	3916	server.exe
Token: SeIncBasePriorityPrivilege	3916	server.exe
Token: 33	3916	server.exe
Token: SeIncBasePriorityPrivilege	3916	server.exe
Token: 33	3916	server.exe
Token: SeIncBasePriorityPrivilege	3916	server.exe
Token: 33	3916	server.exe
Token: SeIncBasePriorityPrivilege	3916	server.exe
Token: 33	3916	server.exe
Token: SeIncBasePriorityPrivilege	3916	server.exe
Token: 33	3916	server.exe
Token: SeIncBasePriorityPrivilege	3916	server.exe
Token: 33	3916	server.exe
Token: SeIncBasePriorityPrivilege	3916	server.exe
Token: 33	3916	server.exe
Token: SeIncBasePriorityPrivilege	3916	server.exe
Token: 33	3916	server.exe
Token: SeIncBasePriorityPrivilege	3916	server.exe
Token: 33	3916	server.exe
Token: SeIncBasePriorityPrivilege	3916	server.exe
Token: 33	3916	server.exe
Token: SeIncBasePriorityPrivilege	3916	server.exe
Token: 33	3916	server.exe
Token: SeIncBasePriorityPrivilege	3916	server.exe
Token: 33	3916	server.exe
Token: SeIncBasePriorityPrivilege	3916	server.exe
Token: 33	3916	server.exe
Token: SeIncBasePriorityPrivilege	3916	server.exe
Token: 33	3916	server.exe
Token: SeIncBasePriorityPrivilege	3916	server.exe
Token: 33	3916	server.exe
Token: SeIncBasePriorityPrivilege	3916	server.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Ursu.93722.24785.25936.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Ursu.93722.24785.25936.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2008

C:\Users\Admin\AppData\Roaming\server.exe
"C:\Users\Admin\AppData\Roaming\server.exe"
2⤵
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3916

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
3⤵
PID:2568

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\server.exe

Download Submit
C:\Users\Admin\AppData\Roaming\server.exe

Download Submit
memory/2568-3-0x0000000000000000-mapping.dmp

Download
memory/3916-0-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing