njrat | 424b1800061eb3534756eada61219882687a8f99d206d300ba7e4696066aaac8

General

Target

424b1800061eb3534756eada61219882687a8f99d206d300ba7e4696066aaac8.exe
Size

1009KB
MD5

dd50c188aabc9e550fc221de015ddb55
SHA1

068aa881159f72c4454f44f32fb754fc5b88f688
SHA256

424b1800061eb3534756eada61219882687a8f99d206d300ba7e4696066aaac8
SHA512

b63b109c27987c3b873c378707eb983c60b782e7e9a2ec0dafac7130ef17da0c034698aaa025cd6103cc5ba6e6fb4e13240a20c773fb2e7a981eef276e406b36

Score

10^/10

njrat limebot3 trojan

Malware Config

Extracted

Family

njrat

Version

0.7.3

Botnet

Limebot3

C2

microsoftdnsbug.duckdns.org:6699

Mutex

Client.exe

Attributes

reg_key
Client.exe
splitter
luffy

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 2 IoCs

Processes:

AppVCatalog.exeAppVCatalog.exe

pid process

4020 AppVCatalog.exe
4608 AppVCatalog.exe

pid	process
4020	AppVCatalog.exe
4608	AppVCatalog.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

424b1800061eb3534756eada61219882687a8f99d206d300ba7e4696066aaac8.exeAppVCatalog.exeAppVCatalog.exe

description	pid	process	target process
PID 376 set thread context of 3932	376	424b1800061eb3534756eada61219882687a8f99d206d300ba7e4696066aaac8.exe	RegAsm.exe
PID 4020 set thread context of 4408	4020	AppVCatalog.exe	RegAsm.exe
PID 4608 set thread context of 3324	4608	AppVCatalog.exe	RegAsm.exe

autoit_exe 3 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\CapabilityAccessHandlers\AppVCatalog.exe	autoit_exe
C:\Users\Admin\CapabilityAccessHandlers\AppVCatalog.exe	autoit_exe
C:\Users\Admin\CapabilityAccessHandlers\AppVCatalog.exe	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3572 3932 WerFault.exe RegAsm.exe
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

3804 schtasks.exe
4476 schtasks.exe
3368 schtasks.exe

pid	pid_target	process	target process
3572	3932	WerFault.exe	RegAsm.exe

pid	process
3804	schtasks.exe
4476	schtasks.exe
3368	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

424b1800061eb3534756eada61219882687a8f99d206d300ba7e4696066aaac8.exeAppVCatalog.exeAppVCatalog.exe

pid	process
376	424b1800061eb3534756eada61219882687a8f99d206d300ba7e4696066aaac8.exe
376	424b1800061eb3534756eada61219882687a8f99d206d300ba7e4696066aaac8.exe
376	424b1800061eb3534756eada61219882687a8f99d206d300ba7e4696066aaac8.exe
376	424b1800061eb3534756eada61219882687a8f99d206d300ba7e4696066aaac8.exe
4020	AppVCatalog.exe
4020	AppVCatalog.exe
4020	AppVCatalog.exe
4020	AppVCatalog.exe
4608	AppVCatalog.exe
4608	AppVCatalog.exe
4608	AppVCatalog.exe
4608	AppVCatalog.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

Processes:

RegAsm.exe

description	pid	process
Token: SeDebugPrivilege	4408	RegAsm.exe
Token: 33	4408	RegAsm.exe
Token: SeIncBasePriorityPrivilege	4408	RegAsm.exe
Token: 33	4408	RegAsm.exe
Token: SeIncBasePriorityPrivilege	4408	RegAsm.exe
Token: 33	4408	RegAsm.exe
Token: SeIncBasePriorityPrivilege	4408	RegAsm.exe
Token: 33	4408	RegAsm.exe
Token: SeIncBasePriorityPrivilege	4408	RegAsm.exe
Token: 33	4408	RegAsm.exe
Token: SeIncBasePriorityPrivilege	4408	RegAsm.exe
Token: 33	4408	RegAsm.exe
Token: SeIncBasePriorityPrivilege	4408	RegAsm.exe
Token: 33	4408	RegAsm.exe
Token: SeIncBasePriorityPrivilege	4408	RegAsm.exe
Token: 33	4408	RegAsm.exe
Token: SeIncBasePriorityPrivilege	4408	RegAsm.exe
Token: 33	4408	RegAsm.exe
Token: SeIncBasePriorityPrivilege	4408	RegAsm.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

424b1800061eb3534756eada61219882687a8f99d206d300ba7e4696066aaac8.exeAppVCatalog.exeAppVCatalog.exe

description	pid	process	target process
PID 376 wrote to memory of 3932	376	424b1800061eb3534756eada61219882687a8f99d206d300ba7e4696066aaac8.exe	RegAsm.exe
PID 376 wrote to memory of 3932	376	424b1800061eb3534756eada61219882687a8f99d206d300ba7e4696066aaac8.exe	RegAsm.exe
PID 376 wrote to memory of 3932	376	424b1800061eb3534756eada61219882687a8f99d206d300ba7e4696066aaac8.exe	RegAsm.exe
PID 376 wrote to memory of 3932	376	424b1800061eb3534756eada61219882687a8f99d206d300ba7e4696066aaac8.exe	RegAsm.exe
PID 376 wrote to memory of 3932	376	424b1800061eb3534756eada61219882687a8f99d206d300ba7e4696066aaac8.exe	RegAsm.exe
PID 376 wrote to memory of 3804	376	424b1800061eb3534756eada61219882687a8f99d206d300ba7e4696066aaac8.exe	schtasks.exe
PID 376 wrote to memory of 3804	376	424b1800061eb3534756eada61219882687a8f99d206d300ba7e4696066aaac8.exe	schtasks.exe
PID 376 wrote to memory of 3804	376	424b1800061eb3534756eada61219882687a8f99d206d300ba7e4696066aaac8.exe	schtasks.exe
PID 4020 wrote to memory of 4408	4020	AppVCatalog.exe	RegAsm.exe
PID 4020 wrote to memory of 4408	4020	AppVCatalog.exe	RegAsm.exe
PID 4020 wrote to memory of 4408	4020	AppVCatalog.exe	RegAsm.exe
PID 4020 wrote to memory of 4408	4020	AppVCatalog.exe	RegAsm.exe
PID 4020 wrote to memory of 4408	4020	AppVCatalog.exe	RegAsm.exe
PID 4020 wrote to memory of 4476	4020	AppVCatalog.exe	schtasks.exe
PID 4020 wrote to memory of 4476	4020	AppVCatalog.exe	schtasks.exe
PID 4020 wrote to memory of 4476	4020	AppVCatalog.exe	schtasks.exe
PID 4608 wrote to memory of 3324	4608	AppVCatalog.exe	RegAsm.exe
PID 4608 wrote to memory of 3324	4608	AppVCatalog.exe	RegAsm.exe
PID 4608 wrote to memory of 3324	4608	AppVCatalog.exe	RegAsm.exe
PID 4608 wrote to memory of 3324	4608	AppVCatalog.exe	RegAsm.exe
PID 4608 wrote to memory of 3324	4608	AppVCatalog.exe	RegAsm.exe
PID 4608 wrote to memory of 3368	4608	AppVCatalog.exe	schtasks.exe
PID 4608 wrote to memory of 3368	4608	AppVCatalog.exe	schtasks.exe
PID 4608 wrote to memory of 3368	4608	AppVCatalog.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\424b1800061eb3534756eada61219882687a8f99d206d300ba7e4696066aaac8.exe
"C:\Users\Admin\AppData\Local\Temp\424b1800061eb3534756eada61219882687a8f99d206d300ba7e4696066aaac8.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:376

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
2⤵
PID:3932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3932 -s 24
3⤵
- Program crash
PID:3572

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn PnPUnattend /tr "C:\Users\Admin\CapabilityAccessHandlers\AppVCatalog.exe" /sc minute /mo 1 /F
2⤵
- Creates scheduled task(s)
PID:3804

C:\Users\Admin\CapabilityAccessHandlers\AppVCatalog.exe
C:\Users\Admin\CapabilityAccessHandlers\AppVCatalog.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4020

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4408

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn PnPUnattend /tr "C:\Users\Admin\CapabilityAccessHandlers\AppVCatalog.exe" /sc minute /mo 1 /F
2⤵
- Creates scheduled task(s)
PID:4476

C:\Users\Admin\CapabilityAccessHandlers\AppVCatalog.exe
C:\Users\Admin\CapabilityAccessHandlers\AppVCatalog.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4608

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
2⤵
PID:3324

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn PnPUnattend /tr "C:\Users\Admin\CapabilityAccessHandlers\AppVCatalog.exe" /sc minute /mo 1 /F
2⤵
- Creates scheduled task(s)
PID:3368

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\CapabilityAccessHandlers\AppVCatalog.exe
MD5
22ea2be776f6fb0a8d120c4c8aed4372

SHA1
8afebe29576fa97332c28f80533baff07ef04d21

SHA256
e154fc855ec92bd148783f65d059b8a0b374f173eaaccceabddc9bc8a8cb694b

SHA512
407cec2de44139a6248731d58bcc42f89bb726731222ffcd1d07f57889dda791fc444bd41edac575c011f20c5db0197b7b694565ee7baae8f7f13b9e08938611

Download Submit
C:\Users\Admin\CapabilityAccessHandlers\AppVCatalog.exe
MD5
22ea2be776f6fb0a8d120c4c8aed4372

SHA1
8afebe29576fa97332c28f80533baff07ef04d21

SHA256
e154fc855ec92bd148783f65d059b8a0b374f173eaaccceabddc9bc8a8cb694b

SHA512
407cec2de44139a6248731d58bcc42f89bb726731222ffcd1d07f57889dda791fc444bd41edac575c011f20c5db0197b7b694565ee7baae8f7f13b9e08938611

Download Submit
C:\Users\Admin\CapabilityAccessHandlers\AppVCatalog.exe
MD5
22ea2be776f6fb0a8d120c4c8aed4372

SHA1
8afebe29576fa97332c28f80533baff07ef04d21

SHA256
e154fc855ec92bd148783f65d059b8a0b374f173eaaccceabddc9bc8a8cb694b

SHA512
407cec2de44139a6248731d58bcc42f89bb726731222ffcd1d07f57889dda791fc444bd41edac575c011f20c5db0197b7b694565ee7baae8f7f13b9e08938611

Download Submit
memory/376-121-0x0000000002330000-0x00000000023ED000-memory.dmp

Filesize
756KB

Download
memory/3324-140-0x0000000000414E6E-mapping.dmp

Download
memory/3324-142-0x0000000002880000-0x0000000002881000-memory.dmp

Filesize
4KB

Download
memory/3368-143-0x0000000000000000-mapping.dmp

Download
memory/3804-122-0x0000000000000000-mapping.dmp

Download
memory/3932-120-0x00000000005E4E6E-mapping.dmp

Download
memory/3932-115-0x00000000005D0000-0x00000000005EA000-memory.dmp

Filesize
104KB

Download
memory/4020-131-0x0000000001200000-0x000000000134A000-memory.dmp

Filesize
1.3MB

Download
memory/4408-125-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4408-130-0x0000000000414E6E-mapping.dmp

Download
memory/4408-132-0x0000000000FF0000-0x000000000113A000-memory.dmp

Filesize
1.3MB

Download
memory/4476-133-0x0000000000000000-mapping.dmp

Download
memory/4608-141-0x0000000001400000-0x00000000014AE000-memory.dmp

Filesize
696KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads