njrat | b20ffc1d22dbcae7052b7414d7ed19303ec13f419d41dd976806de7f86bc9b31

General

Target

SecuriteInfo.com.Trojan.Emotet.987.23049.3767.exe
Size

36KB
MD5

f1f8814239371bbaa60f2d2bced185e4
SHA1

117dea564d6f7ed5c6741b8fd5a87bcac5765722
SHA256

b20ffc1d22dbcae7052b7414d7ed19303ec13f419d41dd976806de7f86bc9b31
SHA512

4b3a0f5029544a3b94d735a2c609fce17fad47e9d9bfb210b68eb0da1e572e6831492317415b2bcf23c542fa024e50a1fe44d5586d8c9a855003090e1d87a87c

Score

10^/10

evasion trojan njrat

Malware Config

Signatures

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

SecuriteInfo.com.Trojan.Emotet.987.23049.3767.exeserver.exe

description	pid	process	target process
PID 720 wrote to memory of 3872	720	SecuriteInfo.com.Trojan.Emotet.987.23049.3767.exe	server.exe
PID 720 wrote to memory of 3872	720	SecuriteInfo.com.Trojan.Emotet.987.23049.3767.exe	server.exe
PID 720 wrote to memory of 3872	720	SecuriteInfo.com.Trojan.Emotet.987.23049.3767.exe	server.exe
PID 3872 wrote to memory of 3780	3872	server.exe	netsh.exe
PID 3872 wrote to memory of 3780	3872	server.exe	netsh.exe
PID 3872 wrote to memory of 3780	3872	server.exe	netsh.exe

Executes dropped EXE 1 IoCs

Processes:

server.exe

pid process

3872 server.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

pid	process
3872	server.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

Processes:

SecuriteInfo.com.Trojan.Emotet.987.23049.3767.exeserver.exe

description	pid	process
Token: SeDebugPrivilege	720	SecuriteInfo.com.Trojan.Emotet.987.23049.3767.exe
Token: SeDebugPrivilege	3872	server.exe
Token: 33	3872	server.exe
Token: SeIncBasePriorityPrivilege	3872	server.exe
Token: 33	3872	server.exe
Token: SeIncBasePriorityPrivilege	3872	server.exe
Token: 33	3872	server.exe
Token: SeIncBasePriorityPrivilege	3872	server.exe
Token: 33	3872	server.exe
Token: SeIncBasePriorityPrivilege	3872	server.exe
Token: 33	3872	server.exe
Token: SeIncBasePriorityPrivilege	3872	server.exe
Token: 33	3872	server.exe
Token: SeIncBasePriorityPrivilege	3872	server.exe
Token: 33	3872	server.exe
Token: SeIncBasePriorityPrivilege	3872	server.exe
Token: 33	3872	server.exe
Token: SeIncBasePriorityPrivilege	3872	server.exe
Token: 33	3872	server.exe
Token: SeIncBasePriorityPrivilege	3872	server.exe
Token: 33	3872	server.exe
Token: SeIncBasePriorityPrivilege	3872	server.exe
Token: 33	3872	server.exe
Token: SeIncBasePriorityPrivilege	3872	server.exe
Token: 33	3872	server.exe
Token: SeIncBasePriorityPrivilege	3872	server.exe
Token: 33	3872	server.exe
Token: SeIncBasePriorityPrivilege	3872	server.exe
Token: 33	3872	server.exe
Token: SeIncBasePriorityPrivilege	3872	server.exe
Token: 33	3872	server.exe
Token: SeIncBasePriorityPrivilege	3872	server.exe
Token: 33	3872	server.exe
Token: SeIncBasePriorityPrivilege	3872	server.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Emotet.987.23049.3767.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Emotet.987.23049.3767.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
PID:720

C:\Users\Admin\AppData\Roaming\server.exe
"C:\Users\Admin\AppData\Roaming\server.exe"
2⤵
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3872

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
3⤵
PID:3780

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\server.exe

Download Submit
C:\Users\Admin\AppData\Roaming\server.exe

Download Submit
memory/3780-3-0x0000000000000000-mapping.dmp

Download
memory/3872-0-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing