njrat | aae4a82e65e47dc719affd7bebb7cc9ce1095fefeb3039947c1375688f2a4423

General

Target

aae4a82e65e47dc719affd7bebb7cc9ce1095fefeb3039947c1375688f2a4423.exe
Size

991KB
MD5

71cf0b826a586a2c77eacfde791ec14e
SHA1

349a63989b801e1b9dee0960040ef7def96e28f6
SHA256

aae4a82e65e47dc719affd7bebb7cc9ce1095fefeb3039947c1375688f2a4423
SHA512

eb7f487097dea3d90740bcb7751ea581a03a76c3e335a931515e3f66f7db94877587872a2bf385ee8d926283feee4ce151cdba22a77abcb3daa2ead0199d7171

Score

10^/10

njrat nyan cat trojan

Malware Config

Extracted

Family

njrat

Version

0.7NC

Botnet

NYAN CAT

C2

septiembre2.duckdns.org:6633

Mutex

a2951ca84e184

Attributes

reg_key
a2951ca84e184
splitter
@!#&^%$

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral2/memory/500-138-0x0000000005300000-0x00000000057FE000-memory.dmp	disable_win_def

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Suspicious use of SetThreadContext 1 IoCs

Processes:

aae4a82e65e47dc719affd7bebb7cc9ce1095fefeb3039947c1375688f2a4423.exe

description	pid	process	target process
PID 3472 set thread context of 500	3472	aae4a82e65e47dc719affd7bebb7cc9ce1095fefeb3039947c1375688f2a4423.exe	aae4a82e65e47dc719affd7bebb7cc9ce1095fefeb3039947c1375688f2a4423.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

aae4a82e65e47dc719affd7bebb7cc9ce1095fefeb3039947c1375688f2a4423.exe

pid	process
3472	aae4a82e65e47dc719affd7bebb7cc9ce1095fefeb3039947c1375688f2a4423.exe
3472	aae4a82e65e47dc719affd7bebb7cc9ce1095fefeb3039947c1375688f2a4423.exe
3472	aae4a82e65e47dc719affd7bebb7cc9ce1095fefeb3039947c1375688f2a4423.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

Processes:

aae4a82e65e47dc719affd7bebb7cc9ce1095fefeb3039947c1375688f2a4423.exeaae4a82e65e47dc719affd7bebb7cc9ce1095fefeb3039947c1375688f2a4423.exe

description	pid	process
Token: SeDebugPrivilege	3472	aae4a82e65e47dc719affd7bebb7cc9ce1095fefeb3039947c1375688f2a4423.exe
Token: SeDebugPrivilege	500	aae4a82e65e47dc719affd7bebb7cc9ce1095fefeb3039947c1375688f2a4423.exe
Token: 33	500	aae4a82e65e47dc719affd7bebb7cc9ce1095fefeb3039947c1375688f2a4423.exe
Token: SeIncBasePriorityPrivilege	500	aae4a82e65e47dc719affd7bebb7cc9ce1095fefeb3039947c1375688f2a4423.exe
Token: 33	500	aae4a82e65e47dc719affd7bebb7cc9ce1095fefeb3039947c1375688f2a4423.exe
Token: SeIncBasePriorityPrivilege	500	aae4a82e65e47dc719affd7bebb7cc9ce1095fefeb3039947c1375688f2a4423.exe
Token: 33	500	aae4a82e65e47dc719affd7bebb7cc9ce1095fefeb3039947c1375688f2a4423.exe
Token: SeIncBasePriorityPrivilege	500	aae4a82e65e47dc719affd7bebb7cc9ce1095fefeb3039947c1375688f2a4423.exe
Token: 33	500	aae4a82e65e47dc719affd7bebb7cc9ce1095fefeb3039947c1375688f2a4423.exe
Token: SeIncBasePriorityPrivilege	500	aae4a82e65e47dc719affd7bebb7cc9ce1095fefeb3039947c1375688f2a4423.exe
Token: 33	500	aae4a82e65e47dc719affd7bebb7cc9ce1095fefeb3039947c1375688f2a4423.exe
Token: SeIncBasePriorityPrivilege	500	aae4a82e65e47dc719affd7bebb7cc9ce1095fefeb3039947c1375688f2a4423.exe
Token: 33	500	aae4a82e65e47dc719affd7bebb7cc9ce1095fefeb3039947c1375688f2a4423.exe
Token: SeIncBasePriorityPrivilege	500	aae4a82e65e47dc719affd7bebb7cc9ce1095fefeb3039947c1375688f2a4423.exe
Token: 33	500	aae4a82e65e47dc719affd7bebb7cc9ce1095fefeb3039947c1375688f2a4423.exe
Token: SeIncBasePriorityPrivilege	500	aae4a82e65e47dc719affd7bebb7cc9ce1095fefeb3039947c1375688f2a4423.exe
Token: 33	500	aae4a82e65e47dc719affd7bebb7cc9ce1095fefeb3039947c1375688f2a4423.exe
Token: SeIncBasePriorityPrivilege	500	aae4a82e65e47dc719affd7bebb7cc9ce1095fefeb3039947c1375688f2a4423.exe
Token: 33	500	aae4a82e65e47dc719affd7bebb7cc9ce1095fefeb3039947c1375688f2a4423.exe
Token: SeIncBasePriorityPrivilege	500	aae4a82e65e47dc719affd7bebb7cc9ce1095fefeb3039947c1375688f2a4423.exe
Token: 33	500	aae4a82e65e47dc719affd7bebb7cc9ce1095fefeb3039947c1375688f2a4423.exe
Token: SeIncBasePriorityPrivilege	500	aae4a82e65e47dc719affd7bebb7cc9ce1095fefeb3039947c1375688f2a4423.exe
Token: 33	500	aae4a82e65e47dc719affd7bebb7cc9ce1095fefeb3039947c1375688f2a4423.exe
Token: SeIncBasePriorityPrivilege	500	aae4a82e65e47dc719affd7bebb7cc9ce1095fefeb3039947c1375688f2a4423.exe
Token: 33	500	aae4a82e65e47dc719affd7bebb7cc9ce1095fefeb3039947c1375688f2a4423.exe
Token: SeIncBasePriorityPrivilege	500	aae4a82e65e47dc719affd7bebb7cc9ce1095fefeb3039947c1375688f2a4423.exe
Token: 33	500	aae4a82e65e47dc719affd7bebb7cc9ce1095fefeb3039947c1375688f2a4423.exe
Token: SeIncBasePriorityPrivilege	500	aae4a82e65e47dc719affd7bebb7cc9ce1095fefeb3039947c1375688f2a4423.exe
Token: 33	500	aae4a82e65e47dc719affd7bebb7cc9ce1095fefeb3039947c1375688f2a4423.exe
Token: SeIncBasePriorityPrivilege	500	aae4a82e65e47dc719affd7bebb7cc9ce1095fefeb3039947c1375688f2a4423.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

aae4a82e65e47dc719affd7bebb7cc9ce1095fefeb3039947c1375688f2a4423.exe

pid	process
3472	aae4a82e65e47dc719affd7bebb7cc9ce1095fefeb3039947c1375688f2a4423.exe
3472	aae4a82e65e47dc719affd7bebb7cc9ce1095fefeb3039947c1375688f2a4423.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

aae4a82e65e47dc719affd7bebb7cc9ce1095fefeb3039947c1375688f2a4423.exe

description	pid	process	target process
PID 3472 wrote to memory of 500	3472	aae4a82e65e47dc719affd7bebb7cc9ce1095fefeb3039947c1375688f2a4423.exe	aae4a82e65e47dc719affd7bebb7cc9ce1095fefeb3039947c1375688f2a4423.exe
PID 3472 wrote to memory of 500	3472	aae4a82e65e47dc719affd7bebb7cc9ce1095fefeb3039947c1375688f2a4423.exe	aae4a82e65e47dc719affd7bebb7cc9ce1095fefeb3039947c1375688f2a4423.exe
PID 3472 wrote to memory of 500	3472	aae4a82e65e47dc719affd7bebb7cc9ce1095fefeb3039947c1375688f2a4423.exe	aae4a82e65e47dc719affd7bebb7cc9ce1095fefeb3039947c1375688f2a4423.exe
PID 3472 wrote to memory of 500	3472	aae4a82e65e47dc719affd7bebb7cc9ce1095fefeb3039947c1375688f2a4423.exe	aae4a82e65e47dc719affd7bebb7cc9ce1095fefeb3039947c1375688f2a4423.exe
PID 3472 wrote to memory of 500	3472	aae4a82e65e47dc719affd7bebb7cc9ce1095fefeb3039947c1375688f2a4423.exe	aae4a82e65e47dc719affd7bebb7cc9ce1095fefeb3039947c1375688f2a4423.exe
PID 3472 wrote to memory of 500	3472	aae4a82e65e47dc719affd7bebb7cc9ce1095fefeb3039947c1375688f2a4423.exe	aae4a82e65e47dc719affd7bebb7cc9ce1095fefeb3039947c1375688f2a4423.exe
PID 3472 wrote to memory of 500	3472	aae4a82e65e47dc719affd7bebb7cc9ce1095fefeb3039947c1375688f2a4423.exe	aae4a82e65e47dc719affd7bebb7cc9ce1095fefeb3039947c1375688f2a4423.exe
PID 3472 wrote to memory of 500	3472	aae4a82e65e47dc719affd7bebb7cc9ce1095fefeb3039947c1375688f2a4423.exe	aae4a82e65e47dc719affd7bebb7cc9ce1095fefeb3039947c1375688f2a4423.exe

C:\Users\Admin\AppData\Local\Temp\aae4a82e65e47dc719affd7bebb7cc9ce1095fefeb3039947c1375688f2a4423.exe
"C:\Users\Admin\AppData\Local\Temp\aae4a82e65e47dc719affd7bebb7cc9ce1095fefeb3039947c1375688f2a4423.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3472

C:\Users\Admin\AppData\Local\Temp\aae4a82e65e47dc719affd7bebb7cc9ce1095fefeb3039947c1375688f2a4423.exe
"{path}"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:500

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\aae4a82e65e47dc719affd7bebb7cc9ce1095fefeb3039947c1375688f2a4423.exe.log
MD5
e66606ac29605c55484b2e0f9ee4a447

SHA1
4e226b60592e1addafae55034137ea8d5d0fb113

SHA256
51ea67e4068c37a73d878dfda2e9475e7ecb01ea5c422b13b71459db2d0942e9

SHA512
038139d200ba48d82a462dee57bab1dd0ca6d8180e20aef72b5d079c6010ce8d1041fbb49084e54deb205bcb9bf7ae92c6b6a0256908b48d08e5043e2148799b

Download Submit
memory/500-130-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/500-140-0x0000000005630000-0x0000000005631000-memory.dmp

Filesize
4KB

Download
memory/500-138-0x0000000005300000-0x00000000057FE000-memory.dmp

Filesize
5.0MB

Download
memory/500-131-0x000000000040676E-mapping.dmp

Download
memory/3472-125-0x0000000000FB5000-0x0000000000FB7000-memory.dmp

Filesize
8KB

Download
memory/3472-128-0x0000000008190000-0x00000000081EC000-memory.dmp

Filesize
368KB

Download
memory/3472-123-0x0000000000FB1000-0x0000000000FB2000-memory.dmp

Filesize
4KB

Download
memory/3472-115-0x0000000000520000-0x0000000000521000-memory.dmp

Filesize
4KB

Download
memory/3472-124-0x0000000000FB2000-0x0000000000FB3000-memory.dmp

Filesize
4KB

Download
memory/3472-126-0x0000000006020000-0x000000000602E000-memory.dmp

Filesize
56KB

Download
memory/3472-127-0x000000007EF20000-0x000000007EF21000-memory.dmp

Filesize
4KB

Download
memory/3472-122-0x0000000000FB0000-0x0000000000FB1000-memory.dmp

Filesize
4KB

Download
memory/3472-129-0x0000000004F20000-0x0000000004F2A000-memory.dmp

Filesize
40KB

Download
memory/3472-121-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/3472-120-0x00000000051A0000-0x00000000051A1000-memory.dmp

Filesize
4KB

Download
memory/3472-119-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download
memory/3472-118-0x0000000005660000-0x0000000005661000-memory.dmp

Filesize
4KB

Download
memory/3472-117-0x0000000004DF0000-0x0000000004E21000-memory.dmp

Filesize
196KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads