njrat | 424b1800061eb3534756eada61219882687a8f99d206d300ba7e4696066aaac8

General

Target

424b1800061eb3534756eada61219882687a8f99d206d300ba7e4696066aaac8.exe
Size

1009KB
MD5

dd50c188aabc9e550fc221de015ddb55
SHA1

068aa881159f72c4454f44f32fb754fc5b88f688
SHA256

424b1800061eb3534756eada61219882687a8f99d206d300ba7e4696066aaac8
SHA512

b63b109c27987c3b873c378707eb983c60b782e7e9a2ec0dafac7130ef17da0c034698aaa025cd6103cc5ba6e6fb4e13240a20c773fb2e7a981eef276e406b36

Score

10^/10

njrat limebot3 trojan

Malware Config

Extracted

Family

njrat

Version

0.7.3

Botnet

Limebot3

C2

microsoftdnsbug.duckdns.org:6699

Mutex

Client.exe

Attributes

reg_key
Client.exe
splitter
luffy

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 2 IoCs

Processes:

AppVCatalog.exeAppVCatalog.exe

pid process

528 AppVCatalog.exe
852 AppVCatalog.exe

pid	process
528	AppVCatalog.exe
852	AppVCatalog.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

424b1800061eb3534756eada61219882687a8f99d206d300ba7e4696066aaac8.exeAppVCatalog.exeAppVCatalog.exe

description	pid	process	target process
PID 1368 set thread context of 2036	1368	424b1800061eb3534756eada61219882687a8f99d206d300ba7e4696066aaac8.exe	RegAsm.exe
PID 528 set thread context of 572	528	AppVCatalog.exe	RegAsm.exe
PID 852 set thread context of 1824	852	AppVCatalog.exe	RegAsm.exe

autoit_exe 3 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\CapabilityAccessHandlers\AppVCatalog.exe	autoit_exe
C:\Users\Admin\CapabilityAccessHandlers\AppVCatalog.exe	autoit_exe
C:\Users\Admin\CapabilityAccessHandlers\AppVCatalog.exe	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

1684 schtasks.exe
396 schtasks.exe
2032 schtasks.exe

pid	process
1684	schtasks.exe
396	schtasks.exe
2032	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

424b1800061eb3534756eada61219882687a8f99d206d300ba7e4696066aaac8.exeAppVCatalog.exeAppVCatalog.exe

pid	process
1368	424b1800061eb3534756eada61219882687a8f99d206d300ba7e4696066aaac8.exe
1368	424b1800061eb3534756eada61219882687a8f99d206d300ba7e4696066aaac8.exe
528	AppVCatalog.exe
528	AppVCatalog.exe
852	AppVCatalog.exe
852	AppVCatalog.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

RegAsm.exe

description	pid	process
Token: SeDebugPrivilege	2036	RegAsm.exe
Token: 33	2036	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2036	RegAsm.exe
Token: 33	2036	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2036	RegAsm.exe
Token: 33	2036	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2036	RegAsm.exe
Token: 33	2036	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2036	RegAsm.exe
Token: 33	2036	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2036	RegAsm.exe
Token: 33	2036	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2036	RegAsm.exe
Token: 33	2036	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2036	RegAsm.exe
Token: 33	2036	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2036	RegAsm.exe
Token: 33	2036	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2036	RegAsm.exe
Token: 33	2036	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2036	RegAsm.exe
Token: 33	2036	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2036	RegAsm.exe
Token: 33	2036	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2036	RegAsm.exe
Token: 33	2036	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2036	RegAsm.exe
Token: 33	2036	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2036	RegAsm.exe
Token: 33	2036	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2036	RegAsm.exe
Token: 33	2036	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2036	RegAsm.exe
Token: 33	2036	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2036	RegAsm.exe

Suspicious use of WriteProcessMemory 47 IoCs

Processes:

424b1800061eb3534756eada61219882687a8f99d206d300ba7e4696066aaac8.exetaskeng.exeAppVCatalog.exeAppVCatalog.exe

description	pid	process	target process
PID 1368 wrote to memory of 2036	1368	424b1800061eb3534756eada61219882687a8f99d206d300ba7e4696066aaac8.exe	RegAsm.exe
PID 1368 wrote to memory of 2036	1368	424b1800061eb3534756eada61219882687a8f99d206d300ba7e4696066aaac8.exe	RegAsm.exe
PID 1368 wrote to memory of 2036	1368	424b1800061eb3534756eada61219882687a8f99d206d300ba7e4696066aaac8.exe	RegAsm.exe
PID 1368 wrote to memory of 2036	1368	424b1800061eb3534756eada61219882687a8f99d206d300ba7e4696066aaac8.exe	RegAsm.exe
PID 1368 wrote to memory of 2036	1368	424b1800061eb3534756eada61219882687a8f99d206d300ba7e4696066aaac8.exe	RegAsm.exe
PID 1368 wrote to memory of 2036	1368	424b1800061eb3534756eada61219882687a8f99d206d300ba7e4696066aaac8.exe	RegAsm.exe
PID 1368 wrote to memory of 2036	1368	424b1800061eb3534756eada61219882687a8f99d206d300ba7e4696066aaac8.exe	RegAsm.exe
PID 1368 wrote to memory of 2036	1368	424b1800061eb3534756eada61219882687a8f99d206d300ba7e4696066aaac8.exe	RegAsm.exe
PID 1368 wrote to memory of 2036	1368	424b1800061eb3534756eada61219882687a8f99d206d300ba7e4696066aaac8.exe	RegAsm.exe
PID 1368 wrote to memory of 1684	1368	424b1800061eb3534756eada61219882687a8f99d206d300ba7e4696066aaac8.exe	schtasks.exe
PID 1368 wrote to memory of 1684	1368	424b1800061eb3534756eada61219882687a8f99d206d300ba7e4696066aaac8.exe	schtasks.exe
PID 1368 wrote to memory of 1684	1368	424b1800061eb3534756eada61219882687a8f99d206d300ba7e4696066aaac8.exe	schtasks.exe
PID 1368 wrote to memory of 1684	1368	424b1800061eb3534756eada61219882687a8f99d206d300ba7e4696066aaac8.exe	schtasks.exe
PID 1064 wrote to memory of 528	1064	taskeng.exe	AppVCatalog.exe
PID 1064 wrote to memory of 528	1064	taskeng.exe	AppVCatalog.exe
PID 1064 wrote to memory of 528	1064	taskeng.exe	AppVCatalog.exe
PID 1064 wrote to memory of 528	1064	taskeng.exe	AppVCatalog.exe
PID 528 wrote to memory of 572	528	AppVCatalog.exe	RegAsm.exe
PID 528 wrote to memory of 572	528	AppVCatalog.exe	RegAsm.exe
PID 528 wrote to memory of 572	528	AppVCatalog.exe	RegAsm.exe
PID 528 wrote to memory of 572	528	AppVCatalog.exe	RegAsm.exe
PID 528 wrote to memory of 572	528	AppVCatalog.exe	RegAsm.exe
PID 528 wrote to memory of 572	528	AppVCatalog.exe	RegAsm.exe
PID 528 wrote to memory of 572	528	AppVCatalog.exe	RegAsm.exe
PID 528 wrote to memory of 572	528	AppVCatalog.exe	RegAsm.exe
PID 528 wrote to memory of 572	528	AppVCatalog.exe	RegAsm.exe
PID 528 wrote to memory of 396	528	AppVCatalog.exe	schtasks.exe
PID 528 wrote to memory of 396	528	AppVCatalog.exe	schtasks.exe
PID 528 wrote to memory of 396	528	AppVCatalog.exe	schtasks.exe
PID 528 wrote to memory of 396	528	AppVCatalog.exe	schtasks.exe
PID 1064 wrote to memory of 852	1064	taskeng.exe	AppVCatalog.exe
PID 1064 wrote to memory of 852	1064	taskeng.exe	AppVCatalog.exe
PID 1064 wrote to memory of 852	1064	taskeng.exe	AppVCatalog.exe
PID 1064 wrote to memory of 852	1064	taskeng.exe	AppVCatalog.exe
PID 852 wrote to memory of 1824	852	AppVCatalog.exe	RegAsm.exe
PID 852 wrote to memory of 1824	852	AppVCatalog.exe	RegAsm.exe
PID 852 wrote to memory of 1824	852	AppVCatalog.exe	RegAsm.exe
PID 852 wrote to memory of 1824	852	AppVCatalog.exe	RegAsm.exe
PID 852 wrote to memory of 1824	852	AppVCatalog.exe	RegAsm.exe
PID 852 wrote to memory of 1824	852	AppVCatalog.exe	RegAsm.exe
PID 852 wrote to memory of 1824	852	AppVCatalog.exe	RegAsm.exe
PID 852 wrote to memory of 1824	852	AppVCatalog.exe	RegAsm.exe
PID 852 wrote to memory of 1824	852	AppVCatalog.exe	RegAsm.exe
PID 852 wrote to memory of 2032	852	AppVCatalog.exe	schtasks.exe
PID 852 wrote to memory of 2032	852	AppVCatalog.exe	schtasks.exe
PID 852 wrote to memory of 2032	852	AppVCatalog.exe	schtasks.exe
PID 852 wrote to memory of 2032	852	AppVCatalog.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\424b1800061eb3534756eada61219882687a8f99d206d300ba7e4696066aaac8.exe
"C:\Users\Admin\AppData\Local\Temp\424b1800061eb3534756eada61219882687a8f99d206d300ba7e4696066aaac8.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1368

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2036

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn PnPUnattend /tr "C:\Users\Admin\CapabilityAccessHandlers\AppVCatalog.exe" /sc minute /mo 1 /F
2⤵
- Creates scheduled task(s)
PID:1684

C:\Windows\system32\taskeng.exe
taskeng.exe {95E437CC-E742-4704-811D-F3F8ACB54BE0} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1064

C:\Users\Admin\CapabilityAccessHandlers\AppVCatalog.exe
C:\Users\Admin\CapabilityAccessHandlers\AppVCatalog.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:528

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
3⤵
PID:572

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn PnPUnattend /tr "C:\Users\Admin\CapabilityAccessHandlers\AppVCatalog.exe" /sc minute /mo 1 /F
3⤵
- Creates scheduled task(s)
PID:396

C:\Users\Admin\CapabilityAccessHandlers\AppVCatalog.exe
C:\Users\Admin\CapabilityAccessHandlers\AppVCatalog.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:852

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
3⤵
PID:1824

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn PnPUnattend /tr "C:\Users\Admin\CapabilityAccessHandlers\AppVCatalog.exe" /sc minute /mo 1 /F
3⤵
- Creates scheduled task(s)
PID:2032

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\CapabilityAccessHandlers\AppVCatalog.exe
MD5
b0443072d1ca7687b9f4f7fd6a4a3273

SHA1
aeb6ad0f988d99f179306221e1ad63731174093c

SHA256
57213c76228880bfc787b916f87d4a6d78ee74b0a84768c23622499d5291b199

SHA512
0dd454093daf48c8864409ed595ec1c191ea72cda417537a7bfcc8a0acfd0d3f03be2b2790276527f50bd7e7b6b90a49874bce358e62d9da601e1e702784c973

Download Submit
C:\Users\Admin\CapabilityAccessHandlers\AppVCatalog.exe
MD5
b0443072d1ca7687b9f4f7fd6a4a3273

SHA1
aeb6ad0f988d99f179306221e1ad63731174093c

SHA256
57213c76228880bfc787b916f87d4a6d78ee74b0a84768c23622499d5291b199

SHA512
0dd454093daf48c8864409ed595ec1c191ea72cda417537a7bfcc8a0acfd0d3f03be2b2790276527f50bd7e7b6b90a49874bce358e62d9da601e1e702784c973

Download Submit
C:\Users\Admin\CapabilityAccessHandlers\AppVCatalog.exe
MD5
b0443072d1ca7687b9f4f7fd6a4a3273

SHA1
aeb6ad0f988d99f179306221e1ad63731174093c

SHA256
57213c76228880bfc787b916f87d4a6d78ee74b0a84768c23622499d5291b199

SHA512
0dd454093daf48c8864409ed595ec1c191ea72cda417537a7bfcc8a0acfd0d3f03be2b2790276527f50bd7e7b6b90a49874bce358e62d9da601e1e702784c973

Download Submit
memory/396-81-0x0000000000000000-mapping.dmp

Download
memory/528-68-0x0000000000000000-mapping.dmp

Download
memory/572-80-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/572-76-0x0000000000414E6E-mapping.dmp

Download
memory/852-82-0x0000000000000000-mapping.dmp

Download
memory/1368-64-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/1368-54-0x0000000075821000-0x0000000075823000-memory.dmp

Filesize
8KB

Download
memory/1684-66-0x0000000000000000-mapping.dmp

Download
memory/1824-94-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1824-90-0x0000000000414E6E-mapping.dmp

Download
memory/2032-95-0x0000000000000000-mapping.dmp

Download
memory/2036-62-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2036-55-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2036-60-0x0000000000414E6E-mapping.dmp

Download
memory/2036-61-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2036-65-0x0000000000700000-0x0000000000701000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads