njrat | 424b1800061eb3534756eada61219882687a8f99d206d300ba7e4696066aaac8

General

Target

424b1800061eb3534756eada61219882687a8f99d206d300ba7e4696066aaac8.exe
Size

1009KB
MD5

dd50c188aabc9e550fc221de015ddb55
SHA1

068aa881159f72c4454f44f32fb754fc5b88f688
SHA256

424b1800061eb3534756eada61219882687a8f99d206d300ba7e4696066aaac8
SHA512

b63b109c27987c3b873c378707eb983c60b782e7e9a2ec0dafac7130ef17da0c034698aaa025cd6103cc5ba6e6fb4e13240a20c773fb2e7a981eef276e406b36

Score

10^/10

njrat limebot3 trojan

Malware Config

Extracted

Family

njrat

Version

0.7.3

Botnet

Limebot3

C2

microsoftdnsbug.duckdns.org:6699

Mutex

Client.exe

Attributes

reg_key
Client.exe
splitter
luffy

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 2 IoCs

Processes:

AppVCatalog.exeAppVCatalog.exe

pid process

1764 AppVCatalog.exe
3772 AppVCatalog.exe

pid	process
1764	AppVCatalog.exe
3772	AppVCatalog.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

424b1800061eb3534756eada61219882687a8f99d206d300ba7e4696066aaac8.exeAppVCatalog.exeAppVCatalog.exe

description	pid	process	target process
PID 3936 set thread context of 1380	3936	424b1800061eb3534756eada61219882687a8f99d206d300ba7e4696066aaac8.exe	RegAsm.exe
PID 1764 set thread context of 4080	1764	AppVCatalog.exe	RegAsm.exe
PID 3772 set thread context of 3672	3772	AppVCatalog.exe	RegAsm.exe

autoit_exe 3 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\CapabilityAccessHandlers\AppVCatalog.exe	autoit_exe
C:\Users\Admin\CapabilityAccessHandlers\AppVCatalog.exe	autoit_exe
C:\Users\Admin\CapabilityAccessHandlers\AppVCatalog.exe	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2780 schtasks.exe
592 schtasks.exe

pid	process
2780	schtasks.exe
592	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

424b1800061eb3534756eada61219882687a8f99d206d300ba7e4696066aaac8.exeAppVCatalog.exeAppVCatalog.exe

pid	process
3936	424b1800061eb3534756eada61219882687a8f99d206d300ba7e4696066aaac8.exe
3936	424b1800061eb3534756eada61219882687a8f99d206d300ba7e4696066aaac8.exe
3936	424b1800061eb3534756eada61219882687a8f99d206d300ba7e4696066aaac8.exe
3936	424b1800061eb3534756eada61219882687a8f99d206d300ba7e4696066aaac8.exe
1764	AppVCatalog.exe
1764	AppVCatalog.exe
1764	AppVCatalog.exe
1764	AppVCatalog.exe
3772	AppVCatalog.exe
3772	AppVCatalog.exe
3772	AppVCatalog.exe
3772	AppVCatalog.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

RegAsm.exe

description	pid	process
Token: SeDebugPrivilege	1380	RegAsm.exe
Token: 33	1380	RegAsm.exe
Token: SeIncBasePriorityPrivilege	1380	RegAsm.exe
Token: 33	1380	RegAsm.exe
Token: SeIncBasePriorityPrivilege	1380	RegAsm.exe
Token: 33	1380	RegAsm.exe
Token: SeIncBasePriorityPrivilege	1380	RegAsm.exe
Token: 33	1380	RegAsm.exe
Token: SeIncBasePriorityPrivilege	1380	RegAsm.exe
Token: 33	1380	RegAsm.exe
Token: SeIncBasePriorityPrivilege	1380	RegAsm.exe
Token: 33	1380	RegAsm.exe
Token: SeIncBasePriorityPrivilege	1380	RegAsm.exe
Token: 33	1380	RegAsm.exe
Token: SeIncBasePriorityPrivilege	1380	RegAsm.exe
Token: 33	1380	RegAsm.exe
Token: SeIncBasePriorityPrivilege	1380	RegAsm.exe
Token: 33	1380	RegAsm.exe
Token: SeIncBasePriorityPrivilege	1380	RegAsm.exe
Token: 33	1380	RegAsm.exe
Token: SeIncBasePriorityPrivilege	1380	RegAsm.exe
Token: 33	1380	RegAsm.exe
Token: SeIncBasePriorityPrivilege	1380	RegAsm.exe
Token: 33	1380	RegAsm.exe
Token: SeIncBasePriorityPrivilege	1380	RegAsm.exe
Token: 33	1380	RegAsm.exe
Token: SeIncBasePriorityPrivilege	1380	RegAsm.exe
Token: 33	1380	RegAsm.exe
Token: SeIncBasePriorityPrivilege	1380	RegAsm.exe
Token: 33	1380	RegAsm.exe
Token: SeIncBasePriorityPrivilege	1380	RegAsm.exe
Token: 33	1380	RegAsm.exe
Token: SeIncBasePriorityPrivilege	1380	RegAsm.exe
Token: 33	1380	RegAsm.exe
Token: SeIncBasePriorityPrivilege	1380	RegAsm.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

424b1800061eb3534756eada61219882687a8f99d206d300ba7e4696066aaac8.exeAppVCatalog.exeAppVCatalog.exe

description	pid	process	target process
PID 3936 wrote to memory of 1380	3936	424b1800061eb3534756eada61219882687a8f99d206d300ba7e4696066aaac8.exe	RegAsm.exe
PID 3936 wrote to memory of 1380	3936	424b1800061eb3534756eada61219882687a8f99d206d300ba7e4696066aaac8.exe	RegAsm.exe
PID 3936 wrote to memory of 1380	3936	424b1800061eb3534756eada61219882687a8f99d206d300ba7e4696066aaac8.exe	RegAsm.exe
PID 3936 wrote to memory of 1380	3936	424b1800061eb3534756eada61219882687a8f99d206d300ba7e4696066aaac8.exe	RegAsm.exe
PID 3936 wrote to memory of 1380	3936	424b1800061eb3534756eada61219882687a8f99d206d300ba7e4696066aaac8.exe	RegAsm.exe
PID 3936 wrote to memory of 2780	3936	424b1800061eb3534756eada61219882687a8f99d206d300ba7e4696066aaac8.exe	schtasks.exe
PID 3936 wrote to memory of 2780	3936	424b1800061eb3534756eada61219882687a8f99d206d300ba7e4696066aaac8.exe	schtasks.exe
PID 3936 wrote to memory of 2780	3936	424b1800061eb3534756eada61219882687a8f99d206d300ba7e4696066aaac8.exe	schtasks.exe
PID 1764 wrote to memory of 4080	1764	AppVCatalog.exe	RegAsm.exe
PID 1764 wrote to memory of 4080	1764	AppVCatalog.exe	RegAsm.exe
PID 1764 wrote to memory of 4080	1764	AppVCatalog.exe	RegAsm.exe
PID 1764 wrote to memory of 4080	1764	AppVCatalog.exe	RegAsm.exe
PID 1764 wrote to memory of 4080	1764	AppVCatalog.exe	RegAsm.exe
PID 1764 wrote to memory of 592	1764	AppVCatalog.exe	schtasks.exe
PID 1764 wrote to memory of 592	1764	AppVCatalog.exe	schtasks.exe
PID 1764 wrote to memory of 592	1764	AppVCatalog.exe	schtasks.exe
PID 3772 wrote to memory of 3672	3772	AppVCatalog.exe	RegAsm.exe
PID 3772 wrote to memory of 3672	3772	AppVCatalog.exe	RegAsm.exe
PID 3772 wrote to memory of 3672	3772	AppVCatalog.exe	RegAsm.exe
PID 3772 wrote to memory of 3672	3772	AppVCatalog.exe	RegAsm.exe
PID 3772 wrote to memory of 3672	3772	AppVCatalog.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\424b1800061eb3534756eada61219882687a8f99d206d300ba7e4696066aaac8.exe
"C:\Users\Admin\AppData\Local\Temp\424b1800061eb3534756eada61219882687a8f99d206d300ba7e4696066aaac8.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3936

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1380

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn PnPUnattend /tr "C:\Users\Admin\CapabilityAccessHandlers\AppVCatalog.exe" /sc minute /mo 1 /F
2⤵
- Creates scheduled task(s)
PID:2780

C:\Users\Admin\CapabilityAccessHandlers\AppVCatalog.exe
C:\Users\Admin\CapabilityAccessHandlers\AppVCatalog.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1764

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
2⤵
PID:4080

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn PnPUnattend /tr "C:\Users\Admin\CapabilityAccessHandlers\AppVCatalog.exe" /sc minute /mo 1 /F
2⤵
- Creates scheduled task(s)
PID:592

C:\Users\Admin\CapabilityAccessHandlers\AppVCatalog.exe
C:\Users\Admin\CapabilityAccessHandlers\AppVCatalog.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3772

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
2⤵
PID:3672

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\RegAsm.exe.log
MD5
6b062b48db9a8e149e10fefd80ab54ef

SHA1
1e72855f88c33b6ddce512b079bbe2e4aa2b6b57

SHA256
026518c621aa1e908fd3617fe1d684a6225393659345ad4f9c085fc4f6b3cf43

SHA512
b36007e2b0b71247979cdac1b17520cc37065c001464b4c70d642c8a059510d28ed8b57b7e4df59a43d99d69c588c1bab7b3c95c6a75c0ab98317246b56f7832

Download Submit
C:\Users\Admin\CapabilityAccessHandlers\AppVCatalog.exe
MD5
e7014d98621cee3c1b2a90cf7af3ee98

SHA1
5646e8a80cfdc580001032a650aeea20511606e6

SHA256
dbf825b66bd0f94b83770a8825adc0c27c88f234acee5efa8b5cd84ed1e8d2e2

SHA512
0d0d79f1733a2a6b416715c27044d04893f6206540286457f6678bda3f71015304fbf6c5c1407bbdb550657f61da4b83913eb93dbfff2518984c6ef602bd936b

Download Submit
C:\Users\Admin\CapabilityAccessHandlers\AppVCatalog.exe
MD5
e7014d98621cee3c1b2a90cf7af3ee98

SHA1
5646e8a80cfdc580001032a650aeea20511606e6

SHA256
dbf825b66bd0f94b83770a8825adc0c27c88f234acee5efa8b5cd84ed1e8d2e2

SHA512
0d0d79f1733a2a6b416715c27044d04893f6206540286457f6678bda3f71015304fbf6c5c1407bbdb550657f61da4b83913eb93dbfff2518984c6ef602bd936b

Download Submit
C:\Users\Admin\CapabilityAccessHandlers\AppVCatalog.exe
MD5
e7014d98621cee3c1b2a90cf7af3ee98

SHA1
5646e8a80cfdc580001032a650aeea20511606e6

SHA256
dbf825b66bd0f94b83770a8825adc0c27c88f234acee5efa8b5cd84ed1e8d2e2

SHA512
0d0d79f1733a2a6b416715c27044d04893f6206540286457f6678bda3f71015304fbf6c5c1407bbdb550657f61da4b83913eb93dbfff2518984c6ef602bd936b

Download Submit
memory/592-133-0x0000000000000000-mapping.dmp

Download
memory/1380-122-0x0000000000DF0000-0x0000000000DF1000-memory.dmp

Filesize
4KB

Download
memory/1380-115-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1380-120-0x0000000000414E6E-mapping.dmp

Download
memory/2780-123-0x0000000000000000-mapping.dmp

Download
memory/3672-140-0x0000000000414E6E-mapping.dmp

Download
memory/3672-142-0x0000000002E30000-0x0000000002E31000-memory.dmp

Filesize
4KB

Download
memory/3936-121-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/4080-126-0x0000000000570000-0x000000000058A000-memory.dmp

Filesize
104KB

Download
memory/4080-131-0x0000000000584E6E-mapping.dmp

Download
memory/4080-132-0x0000000002160000-0x0000000002161000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads