njrat | 41e16d26226c15800b3dda0529c07e7d17db42cb7d30023849a595df60e44681

General

Target

41e16d26226c15800b3dda0529c07e7d17db42cb7d30023849a595df60e44681.exe
Size

1009KB
MD5

2bdfc0cc5cad829995fb730b83c099c8
SHA1

3f7a49c990bc5b6fa7df644dd3dd1d7046e35ab5
SHA256

41e16d26226c15800b3dda0529c07e7d17db42cb7d30023849a595df60e44681
SHA512

1563050e048541135b57fef6b14cb14f7a4d95dc63539a1e0677116fef256f1c3fced0aa7fb82567efcc12741c00d4fc37b1b9458e90cbaa3da13ac2f7a3db0d

Score

10^/10

njrat limebot3 trojan

Malware Config

Extracted

Family

njrat

Version

0.7.3

Botnet

Limebot3

C2

microsoftdnsbug.duckdns.org:6699

Mutex

Client.exe

Attributes

reg_key
Client.exe
splitter
luffy

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 2 IoCs

Processes:

AppVCatalog.exeAppVCatalog.exe

pid process

3984 AppVCatalog.exe
2440 AppVCatalog.exe

pid	process
3984	AppVCatalog.exe
2440	AppVCatalog.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

41e16d26226c15800b3dda0529c07e7d17db42cb7d30023849a595df60e44681.exeAppVCatalog.exeAppVCatalog.exe

description	pid	process	target process
PID 3536 set thread context of 2180	3536	41e16d26226c15800b3dda0529c07e7d17db42cb7d30023849a595df60e44681.exe	RegAsm.exe
PID 3984 set thread context of 1160	3984	AppVCatalog.exe	RegAsm.exe
PID 2440 set thread context of 2780	2440	AppVCatalog.exe	RegAsm.exe

autoit_exe 3 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\CapabilityAccessHandlers\AppVCatalog.exe	autoit_exe
C:\Users\Admin\CapabilityAccessHandlers\AppVCatalog.exe	autoit_exe
C:\Users\Admin\CapabilityAccessHandlers\AppVCatalog.exe	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

4072 schtasks.exe
1220 schtasks.exe
2996 schtasks.exe

pid	process
4072	schtasks.exe
1220	schtasks.exe
2996	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

41e16d26226c15800b3dda0529c07e7d17db42cb7d30023849a595df60e44681.exeAppVCatalog.exeAppVCatalog.exe

pid	process
3536	41e16d26226c15800b3dda0529c07e7d17db42cb7d30023849a595df60e44681.exe
3536	41e16d26226c15800b3dda0529c07e7d17db42cb7d30023849a595df60e44681.exe
3536	41e16d26226c15800b3dda0529c07e7d17db42cb7d30023849a595df60e44681.exe
3536	41e16d26226c15800b3dda0529c07e7d17db42cb7d30023849a595df60e44681.exe
3984	AppVCatalog.exe
3984	AppVCatalog.exe
3984	AppVCatalog.exe
3984	AppVCatalog.exe
2440	AppVCatalog.exe
2440	AppVCatalog.exe
2440	AppVCatalog.exe
2440	AppVCatalog.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

RegAsm.exe

description	pid	process
Token: SeDebugPrivilege	2180	RegAsm.exe
Token: 33	2180	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2180	RegAsm.exe
Token: 33	2180	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2180	RegAsm.exe
Token: 33	2180	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2180	RegAsm.exe
Token: 33	2180	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2180	RegAsm.exe
Token: 33	2180	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2180	RegAsm.exe
Token: 33	2180	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2180	RegAsm.exe
Token: 33	2180	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2180	RegAsm.exe
Token: 33	2180	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2180	RegAsm.exe
Token: 33	2180	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2180	RegAsm.exe
Token: 33	2180	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2180	RegAsm.exe
Token: 33	2180	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2180	RegAsm.exe
Token: 33	2180	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2180	RegAsm.exe
Token: 33	2180	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2180	RegAsm.exe
Token: 33	2180	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2180	RegAsm.exe
Token: 33	2180	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2180	RegAsm.exe
Token: 33	2180	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2180	RegAsm.exe
Token: 33	2180	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2180	RegAsm.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

41e16d26226c15800b3dda0529c07e7d17db42cb7d30023849a595df60e44681.exeAppVCatalog.exeAppVCatalog.exe

description	pid	process	target process
PID 3536 wrote to memory of 2180	3536	41e16d26226c15800b3dda0529c07e7d17db42cb7d30023849a595df60e44681.exe	RegAsm.exe
PID 3536 wrote to memory of 2180	3536	41e16d26226c15800b3dda0529c07e7d17db42cb7d30023849a595df60e44681.exe	RegAsm.exe
PID 3536 wrote to memory of 2180	3536	41e16d26226c15800b3dda0529c07e7d17db42cb7d30023849a595df60e44681.exe	RegAsm.exe
PID 3536 wrote to memory of 2180	3536	41e16d26226c15800b3dda0529c07e7d17db42cb7d30023849a595df60e44681.exe	RegAsm.exe
PID 3536 wrote to memory of 2180	3536	41e16d26226c15800b3dda0529c07e7d17db42cb7d30023849a595df60e44681.exe	RegAsm.exe
PID 3536 wrote to memory of 4072	3536	41e16d26226c15800b3dda0529c07e7d17db42cb7d30023849a595df60e44681.exe	schtasks.exe
PID 3536 wrote to memory of 4072	3536	41e16d26226c15800b3dda0529c07e7d17db42cb7d30023849a595df60e44681.exe	schtasks.exe
PID 3536 wrote to memory of 4072	3536	41e16d26226c15800b3dda0529c07e7d17db42cb7d30023849a595df60e44681.exe	schtasks.exe
PID 3984 wrote to memory of 1160	3984	AppVCatalog.exe	RegAsm.exe
PID 3984 wrote to memory of 1160	3984	AppVCatalog.exe	RegAsm.exe
PID 3984 wrote to memory of 1160	3984	AppVCatalog.exe	RegAsm.exe
PID 3984 wrote to memory of 1160	3984	AppVCatalog.exe	RegAsm.exe
PID 3984 wrote to memory of 1160	3984	AppVCatalog.exe	RegAsm.exe
PID 3984 wrote to memory of 1220	3984	AppVCatalog.exe	schtasks.exe
PID 3984 wrote to memory of 1220	3984	AppVCatalog.exe	schtasks.exe
PID 3984 wrote to memory of 1220	3984	AppVCatalog.exe	schtasks.exe
PID 2440 wrote to memory of 2780	2440	AppVCatalog.exe	RegAsm.exe
PID 2440 wrote to memory of 2780	2440	AppVCatalog.exe	RegAsm.exe
PID 2440 wrote to memory of 2780	2440	AppVCatalog.exe	RegAsm.exe
PID 2440 wrote to memory of 2780	2440	AppVCatalog.exe	RegAsm.exe
PID 2440 wrote to memory of 2780	2440	AppVCatalog.exe	RegAsm.exe
PID 2440 wrote to memory of 2996	2440	AppVCatalog.exe	schtasks.exe
PID 2440 wrote to memory of 2996	2440	AppVCatalog.exe	schtasks.exe
PID 2440 wrote to memory of 2996	2440	AppVCatalog.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\41e16d26226c15800b3dda0529c07e7d17db42cb7d30023849a595df60e44681.exe
"C:\Users\Admin\AppData\Local\Temp\41e16d26226c15800b3dda0529c07e7d17db42cb7d30023849a595df60e44681.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3536

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2180

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn PnPUnattend /tr "C:\Users\Admin\CapabilityAccessHandlers\AppVCatalog.exe" /sc minute /mo 1 /F
2⤵
- Creates scheduled task(s)
PID:4072

C:\Users\Admin\CapabilityAccessHandlers\AppVCatalog.exe
C:\Users\Admin\CapabilityAccessHandlers\AppVCatalog.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3984

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
2⤵
PID:1160

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn PnPUnattend /tr "C:\Users\Admin\CapabilityAccessHandlers\AppVCatalog.exe" /sc minute /mo 1 /F
2⤵
- Creates scheduled task(s)
PID:1220

C:\Users\Admin\CapabilityAccessHandlers\AppVCatalog.exe
C:\Users\Admin\CapabilityAccessHandlers\AppVCatalog.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2440

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
2⤵
PID:2780

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn PnPUnattend /tr "C:\Users\Admin\CapabilityAccessHandlers\AppVCatalog.exe" /sc minute /mo 1 /F
2⤵
- Creates scheduled task(s)
PID:2996

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\RegAsm.exe.log
MD5
6b062b48db9a8e149e10fefd80ab54ef

SHA1
1e72855f88c33b6ddce512b079bbe2e4aa2b6b57

SHA256
026518c621aa1e908fd3617fe1d684a6225393659345ad4f9c085fc4f6b3cf43

SHA512
b36007e2b0b71247979cdac1b17520cc37065c001464b4c70d642c8a059510d28ed8b57b7e4df59a43d99d69c588c1bab7b3c95c6a75c0ab98317246b56f7832

Download Submit
C:\Users\Admin\CapabilityAccessHandlers\AppVCatalog.exe
MD5
1accc7e7e35bf2c010dfe38cc82b955e

SHA1
cc0c375447189a37cd775794f4711ceeec5fbad6

SHA256
25732a582c9a7e920a5b9a5b171af4ad1fb548029c136e7e9f19e18e3fcb621e

SHA512
860376d1edabc408b44a35414e53abbbf2fe0bfa860bcc7c02579ea888d05fe89c8a99aca493fab2ab4380c095108f98d55fd81abdddcade1e03e164e7e35670

Download Submit
C:\Users\Admin\CapabilityAccessHandlers\AppVCatalog.exe
MD5
1accc7e7e35bf2c010dfe38cc82b955e

SHA1
cc0c375447189a37cd775794f4711ceeec5fbad6

SHA256
25732a582c9a7e920a5b9a5b171af4ad1fb548029c136e7e9f19e18e3fcb621e

SHA512
860376d1edabc408b44a35414e53abbbf2fe0bfa860bcc7c02579ea888d05fe89c8a99aca493fab2ab4380c095108f98d55fd81abdddcade1e03e164e7e35670

Download Submit
C:\Users\Admin\CapabilityAccessHandlers\AppVCatalog.exe
MD5
1accc7e7e35bf2c010dfe38cc82b955e

SHA1
cc0c375447189a37cd775794f4711ceeec5fbad6

SHA256
25732a582c9a7e920a5b9a5b171af4ad1fb548029c136e7e9f19e18e3fcb621e

SHA512
860376d1edabc408b44a35414e53abbbf2fe0bfa860bcc7c02579ea888d05fe89c8a99aca493fab2ab4380c095108f98d55fd81abdddcade1e03e164e7e35670

Download Submit
memory/1160-132-0x0000000002C80000-0x0000000002C81000-memory.dmp

Filesize
4KB

Download
memory/1160-131-0x0000000000414E6E-mapping.dmp

Download
memory/1220-133-0x0000000000000000-mapping.dmp

Download
memory/2180-115-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2180-122-0x00000000027D0000-0x00000000027D1000-memory.dmp

Filesize
4KB

Download
memory/2180-120-0x0000000000414E6E-mapping.dmp

Download
memory/2440-142-0x0000000000B30000-0x0000000000C7A000-memory.dmp

Filesize
1.3MB

Download
memory/2780-140-0x0000000000414E6E-mapping.dmp

Download
memory/2780-143-0x00000000009B0000-0x00000000009B1000-memory.dmp

Filesize
4KB

Download
memory/2996-144-0x0000000000000000-mapping.dmp

Download
memory/3536-121-0x00000000013C0000-0x00000000013C1000-memory.dmp

Filesize
4KB

Download
memory/4072-123-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads