njrat | 49c58fe5c75847250c7e5667e743777d34655ed41297acf072f8f7eb9db314cf

General

Target

49c58fe5c75847250c7e5667e743777d34655ed41297acf072f8f7eb9db314cf.exe
Size

1009KB
MD5

749ebef6c4ae90cf84e427ca29f2cc2d
SHA1

b51a6856f1539d5e1d38aba0212222ebc69e7922
SHA256

49c58fe5c75847250c7e5667e743777d34655ed41297acf072f8f7eb9db314cf
SHA512

62020030df7136c10495c79866d255e91033481c7be41173414e01f9bdcff4e139954c00a62db959ec123950afa8d8b18c324751500ed87f0236462985130115

Score

10^/10

njrat limebot3 trojan

Malware Config

Extracted

Family

njrat

Version

0.7.3

Botnet

Limebot3

C2

microsoftdnsbug.duckdns.org:6699

Mutex

Client.exe

Attributes

reg_key
Client.exe
splitter
luffy

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 2 IoCs

Processes:

AppVCatalog.exeAppVCatalog.exe

pid process

1956 AppVCatalog.exe
1604 AppVCatalog.exe

pid	process
1956	AppVCatalog.exe
1604	AppVCatalog.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

49c58fe5c75847250c7e5667e743777d34655ed41297acf072f8f7eb9db314cf.exeAppVCatalog.exeAppVCatalog.exe

description	pid	process	target process
PID 1924 set thread context of 836	1924	49c58fe5c75847250c7e5667e743777d34655ed41297acf072f8f7eb9db314cf.exe	RegAsm.exe
PID 1956 set thread context of 544	1956	AppVCatalog.exe	RegAsm.exe
PID 1604 set thread context of 1448	1604	AppVCatalog.exe	RegAsm.exe

autoit_exe 3 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\CapabilityAccessHandlers\AppVCatalog.exe	autoit_exe
C:\Users\Admin\CapabilityAccessHandlers\AppVCatalog.exe	autoit_exe
C:\Users\Admin\CapabilityAccessHandlers\AppVCatalog.exe	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

1700 schtasks.exe
1212 schtasks.exe
1792 schtasks.exe

pid	process
1700	schtasks.exe
1212	schtasks.exe
1792	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

49c58fe5c75847250c7e5667e743777d34655ed41297acf072f8f7eb9db314cf.exeAppVCatalog.exeAppVCatalog.exe

pid	process
1924	49c58fe5c75847250c7e5667e743777d34655ed41297acf072f8f7eb9db314cf.exe
1924	49c58fe5c75847250c7e5667e743777d34655ed41297acf072f8f7eb9db314cf.exe
1956	AppVCatalog.exe
1956	AppVCatalog.exe
1604	AppVCatalog.exe
1604	AppVCatalog.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

Processes:

RegAsm.exe

description	pid	process
Token: SeDebugPrivilege	836	RegAsm.exe
Token: 33	836	RegAsm.exe
Token: SeIncBasePriorityPrivilege	836	RegAsm.exe
Token: 33	836	RegAsm.exe
Token: SeIncBasePriorityPrivilege	836	RegAsm.exe
Token: 33	836	RegAsm.exe
Token: SeIncBasePriorityPrivilege	836	RegAsm.exe
Token: 33	836	RegAsm.exe
Token: SeIncBasePriorityPrivilege	836	RegAsm.exe
Token: 33	836	RegAsm.exe
Token: SeIncBasePriorityPrivilege	836	RegAsm.exe
Token: 33	836	RegAsm.exe
Token: SeIncBasePriorityPrivilege	836	RegAsm.exe
Token: 33	836	RegAsm.exe
Token: SeIncBasePriorityPrivilege	836	RegAsm.exe
Token: 33	836	RegAsm.exe
Token: SeIncBasePriorityPrivilege	836	RegAsm.exe
Token: 33	836	RegAsm.exe
Token: SeIncBasePriorityPrivilege	836	RegAsm.exe
Token: 33	836	RegAsm.exe
Token: SeIncBasePriorityPrivilege	836	RegAsm.exe
Token: 33	836	RegAsm.exe
Token: SeIncBasePriorityPrivilege	836	RegAsm.exe
Token: 33	836	RegAsm.exe
Token: SeIncBasePriorityPrivilege	836	RegAsm.exe
Token: 33	836	RegAsm.exe
Token: SeIncBasePriorityPrivilege	836	RegAsm.exe
Token: 33	836	RegAsm.exe
Token: SeIncBasePriorityPrivilege	836	RegAsm.exe
Token: 33	836	RegAsm.exe
Token: SeIncBasePriorityPrivilege	836	RegAsm.exe
Token: 33	836	RegAsm.exe
Token: SeIncBasePriorityPrivilege	836	RegAsm.exe

Suspicious use of WriteProcessMemory 47 IoCs

Processes:

49c58fe5c75847250c7e5667e743777d34655ed41297acf072f8f7eb9db314cf.exetaskeng.exeAppVCatalog.exeAppVCatalog.exe

description	pid	process	target process
PID 1924 wrote to memory of 836	1924	49c58fe5c75847250c7e5667e743777d34655ed41297acf072f8f7eb9db314cf.exe	RegAsm.exe
PID 1924 wrote to memory of 836	1924	49c58fe5c75847250c7e5667e743777d34655ed41297acf072f8f7eb9db314cf.exe	RegAsm.exe
PID 1924 wrote to memory of 836	1924	49c58fe5c75847250c7e5667e743777d34655ed41297acf072f8f7eb9db314cf.exe	RegAsm.exe
PID 1924 wrote to memory of 836	1924	49c58fe5c75847250c7e5667e743777d34655ed41297acf072f8f7eb9db314cf.exe	RegAsm.exe
PID 1924 wrote to memory of 836	1924	49c58fe5c75847250c7e5667e743777d34655ed41297acf072f8f7eb9db314cf.exe	RegAsm.exe
PID 1924 wrote to memory of 836	1924	49c58fe5c75847250c7e5667e743777d34655ed41297acf072f8f7eb9db314cf.exe	RegAsm.exe
PID 1924 wrote to memory of 836	1924	49c58fe5c75847250c7e5667e743777d34655ed41297acf072f8f7eb9db314cf.exe	RegAsm.exe
PID 1924 wrote to memory of 836	1924	49c58fe5c75847250c7e5667e743777d34655ed41297acf072f8f7eb9db314cf.exe	RegAsm.exe
PID 1924 wrote to memory of 836	1924	49c58fe5c75847250c7e5667e743777d34655ed41297acf072f8f7eb9db314cf.exe	RegAsm.exe
PID 1924 wrote to memory of 1700	1924	49c58fe5c75847250c7e5667e743777d34655ed41297acf072f8f7eb9db314cf.exe	schtasks.exe
PID 1924 wrote to memory of 1700	1924	49c58fe5c75847250c7e5667e743777d34655ed41297acf072f8f7eb9db314cf.exe	schtasks.exe
PID 1924 wrote to memory of 1700	1924	49c58fe5c75847250c7e5667e743777d34655ed41297acf072f8f7eb9db314cf.exe	schtasks.exe
PID 1924 wrote to memory of 1700	1924	49c58fe5c75847250c7e5667e743777d34655ed41297acf072f8f7eb9db314cf.exe	schtasks.exe
PID 1640 wrote to memory of 1956	1640	taskeng.exe	AppVCatalog.exe
PID 1640 wrote to memory of 1956	1640	taskeng.exe	AppVCatalog.exe
PID 1640 wrote to memory of 1956	1640	taskeng.exe	AppVCatalog.exe
PID 1640 wrote to memory of 1956	1640	taskeng.exe	AppVCatalog.exe
PID 1956 wrote to memory of 544	1956	AppVCatalog.exe	RegAsm.exe
PID 1956 wrote to memory of 544	1956	AppVCatalog.exe	RegAsm.exe
PID 1956 wrote to memory of 544	1956	AppVCatalog.exe	RegAsm.exe
PID 1956 wrote to memory of 544	1956	AppVCatalog.exe	RegAsm.exe
PID 1956 wrote to memory of 544	1956	AppVCatalog.exe	RegAsm.exe
PID 1956 wrote to memory of 544	1956	AppVCatalog.exe	RegAsm.exe
PID 1956 wrote to memory of 544	1956	AppVCatalog.exe	RegAsm.exe
PID 1956 wrote to memory of 544	1956	AppVCatalog.exe	RegAsm.exe
PID 1956 wrote to memory of 544	1956	AppVCatalog.exe	RegAsm.exe
PID 1956 wrote to memory of 1212	1956	AppVCatalog.exe	schtasks.exe
PID 1956 wrote to memory of 1212	1956	AppVCatalog.exe	schtasks.exe
PID 1956 wrote to memory of 1212	1956	AppVCatalog.exe	schtasks.exe
PID 1956 wrote to memory of 1212	1956	AppVCatalog.exe	schtasks.exe
PID 1640 wrote to memory of 1604	1640	taskeng.exe	AppVCatalog.exe
PID 1640 wrote to memory of 1604	1640	taskeng.exe	AppVCatalog.exe
PID 1640 wrote to memory of 1604	1640	taskeng.exe	AppVCatalog.exe
PID 1640 wrote to memory of 1604	1640	taskeng.exe	AppVCatalog.exe
PID 1604 wrote to memory of 1448	1604	AppVCatalog.exe	RegAsm.exe
PID 1604 wrote to memory of 1448	1604	AppVCatalog.exe	RegAsm.exe
PID 1604 wrote to memory of 1448	1604	AppVCatalog.exe	RegAsm.exe
PID 1604 wrote to memory of 1448	1604	AppVCatalog.exe	RegAsm.exe
PID 1604 wrote to memory of 1448	1604	AppVCatalog.exe	RegAsm.exe
PID 1604 wrote to memory of 1448	1604	AppVCatalog.exe	RegAsm.exe
PID 1604 wrote to memory of 1448	1604	AppVCatalog.exe	RegAsm.exe
PID 1604 wrote to memory of 1448	1604	AppVCatalog.exe	RegAsm.exe
PID 1604 wrote to memory of 1448	1604	AppVCatalog.exe	RegAsm.exe
PID 1604 wrote to memory of 1792	1604	AppVCatalog.exe	schtasks.exe
PID 1604 wrote to memory of 1792	1604	AppVCatalog.exe	schtasks.exe
PID 1604 wrote to memory of 1792	1604	AppVCatalog.exe	schtasks.exe
PID 1604 wrote to memory of 1792	1604	AppVCatalog.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\49c58fe5c75847250c7e5667e743777d34655ed41297acf072f8f7eb9db314cf.exe
"C:\Users\Admin\AppData\Local\Temp\49c58fe5c75847250c7e5667e743777d34655ed41297acf072f8f7eb9db314cf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1924

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:836

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn PnPUnattend /tr "C:\Users\Admin\CapabilityAccessHandlers\AppVCatalog.exe" /sc minute /mo 1 /F
2⤵
- Creates scheduled task(s)
PID:1700

C:\Windows\system32\taskeng.exe
taskeng.exe {D3734AE6-3C02-46E4-BE06-4CBFE313EC44} S-1-5-21-2455352368-1077083310-2879168483-1000:QWOCTUPM\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1640

C:\Users\Admin\CapabilityAccessHandlers\AppVCatalog.exe
C:\Users\Admin\CapabilityAccessHandlers\AppVCatalog.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1956

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
3⤵
PID:544

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn PnPUnattend /tr "C:\Users\Admin\CapabilityAccessHandlers\AppVCatalog.exe" /sc minute /mo 1 /F
3⤵
- Creates scheduled task(s)
PID:1212

C:\Users\Admin\CapabilityAccessHandlers\AppVCatalog.exe
C:\Users\Admin\CapabilityAccessHandlers\AppVCatalog.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1604

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
3⤵
PID:1448

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn PnPUnattend /tr "C:\Users\Admin\CapabilityAccessHandlers\AppVCatalog.exe" /sc minute /mo 1 /F
3⤵
- Creates scheduled task(s)
PID:1792

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\CapabilityAccessHandlers\AppVCatalog.exe
MD5
3e23455a9e24843109f1bb1a31b6d9bc

SHA1
7c8e9478d79a369b6d44632b3bee22f6a54ec8ed

SHA256
2603dacd9d75d537112a42bf67955d8b47c80002a83f108dba1f4d76b1dd31d6

SHA512
c6a5e23c3ae0e166b4d6676fa171ae4d93b612999505ed21ee9c2390c4d8b4333bcbfb9e2cb86f71ff79b33cf4f7e4811541737d47f83a765ec549699bdfaf75

Download Submit
C:\Users\Admin\CapabilityAccessHandlers\AppVCatalog.exe
MD5
3e23455a9e24843109f1bb1a31b6d9bc

SHA1
7c8e9478d79a369b6d44632b3bee22f6a54ec8ed

SHA256
2603dacd9d75d537112a42bf67955d8b47c80002a83f108dba1f4d76b1dd31d6

SHA512
c6a5e23c3ae0e166b4d6676fa171ae4d93b612999505ed21ee9c2390c4d8b4333bcbfb9e2cb86f71ff79b33cf4f7e4811541737d47f83a765ec549699bdfaf75

Download Submit
C:\Users\Admin\CapabilityAccessHandlers\AppVCatalog.exe
MD5
3e23455a9e24843109f1bb1a31b6d9bc

SHA1
7c8e9478d79a369b6d44632b3bee22f6a54ec8ed

SHA256
2603dacd9d75d537112a42bf67955d8b47c80002a83f108dba1f4d76b1dd31d6

SHA512
c6a5e23c3ae0e166b4d6676fa171ae4d93b612999505ed21ee9c2390c4d8b4333bcbfb9e2cb86f71ff79b33cf4f7e4811541737d47f83a765ec549699bdfaf75

Download Submit
memory/544-86-0x0000000000790000-0x0000000000791000-memory.dmp

Filesize
4KB

Download
memory/544-77-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/544-84-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/544-83-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/544-82-0x0000000000414E6E-mapping.dmp

Download
memory/836-67-0x0000000000090000-0x00000000000AA000-memory.dmp

Filesize
104KB

Download
memory/836-61-0x0000000000090000-0x00000000000AA000-memory.dmp

Filesize
104KB

Download
memory/836-66-0x00000000000A4E6E-mapping.dmp

Download
memory/836-68-0x0000000000090000-0x00000000000AA000-memory.dmp

Filesize
104KB

Download
memory/836-71-0x0000000000870000-0x0000000000871000-memory.dmp

Filesize
4KB

Download
memory/1212-87-0x0000000000000000-mapping.dmp

Download
memory/1448-100-0x0000000000870000-0x0000000000871000-memory.dmp

Filesize
4KB

Download
memory/1448-96-0x0000000000414E6E-mapping.dmp

Download
memory/1604-88-0x0000000000000000-mapping.dmp

Download
memory/1700-72-0x0000000000000000-mapping.dmp

Download
memory/1792-101-0x0000000000000000-mapping.dmp

Download
memory/1924-60-0x00000000760B1000-0x00000000760B3000-memory.dmp

Filesize
8KB

Download
memory/1924-70-0x0000000000900000-0x0000000000901000-memory.dmp

Filesize
4KB

Download
memory/1956-74-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads