Overview

overview

10

Static

static

996570A4F2...F4.exe

windows7_x64

10

996570A4F2...F4.exe

windows10_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    187s
  • platform
    windows7_x64
  • resource
    win7-en-20210920
  • submitted
    02-11-2021 01:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    996570A4F29509E3C74AA361E578F59001460810064F4.exe

  • Size

    73KB

  • MD5

    7de9b1373f7e080121792869b172c537

  • SHA1

    452f18d117ca728604b660f30aaafcd4f0c217f9

  • SHA256

    996570a4f29509e3c74aa361e578f59001460810064f4a81be520e18291d56ab

  • SHA512

    ae50753118eed6328e1c425ae8545034c9d782867eb8bd3d9a828309b7b19c6134cae2f2e0f44def4a0dc50f3eca743a2e6ffbf8a5287203aaf22050568b1d9a

Score
10/10
njrat04040404evasionsuricatatrojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

04040404

C2

soportes.duckdns.org:2023

Mutex

28a056e3673b28a4055fb90e48d147ab

Attributes
  • reg_key

    28a056e3673b28a4055fb90e48d147ab

  • splitter

    |'|'|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)

    suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)

    suricata
  • Modifies Windows Firewall 1 TTPs
    evasion
  • Drops startup file 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 34 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\996570A4F29509E3C74AA361E578F59001460810064F4.exe
    "C:\Users\Admin\AppData\Local\Temp\996570A4F29509E3C74AA361E578F59001460810064F4.exe"
    1⤵
    • Drops startup file
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:556
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2xox5s2k\2xox5s2k.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1740
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES48C3.tmp" "c:\Users\Admin\AppData\Local\Temp\2xox5s2k\CSC7C1831E54ECD4F88B88FA2456537271.TMP"
        3⤵
          PID:604
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1060
        • C:\Windows\SysWOW64\netsh.exe
          netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "RegAsm.exe" ENABLE
          3⤵
            PID:1076

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Modify Existing Service

      1
      T1031

      Privilege Escalation

      Defense Evasion

      Credential Access

      Discovery

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\2xox5s2k\2xox5s2k.dll
        MD5

        d2473f3b50307150997b1a124c54b299

        SHA1

        f71f14144e8fd1a4c01541d9089e22fcc3868e6f

        SHA256

        c921f3c72e367ec05a32212839b994acf7ab8fae1610fab6df3e2fd1dceee12f

        SHA512

        81672d13a42ba75d0a2342f8623d44a4b754df5a69a73d1dba3ae8fa8c3f5d7fc275daac22a78e9e15b6b687c7dcde012c9b95d290cc39986772c920b6b9813c

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\2xox5s2k\2xox5s2k.pdb
        MD5

        bb7a6a7227341fdf2afc8462d3cc676f

        SHA1

        e71ee469f841c57622800f0c3270afe9ac58bbc9

        SHA256

        3ab30ad8d4ff0fd36c723ed103e04b5660919226e5d08283ba956c56698644bd

        SHA512

        7eb07705457898c37c30303bc22d800e35a6a16c08efdfd2cffb6fc0d3c93657852e3c36acf37345cec7d120b8a6929bea8835a61542ef7719ee91692f8ba066

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\RES48C3.tmp
        MD5

        f2af9959191ba457da6e0c1af3ae1bdd

        SHA1

        1d11a8e0b29f400cbbf63aa46b3872fdf2a8bc41

        SHA256

        09acffb0eff6523c47b0f2815f2dd6dc2c19d30353c23525d93ca919033b2163

        SHA512

        1517bd7041d10f51de2487c34b8e1b284f7beaabfcbd6c1927844b2a21f66c71b7304d275f539b81051ea6f3d170cec1676157705f8b35d9ede2be095ec19489

        Download Submit
      • \??\c:\Users\Admin\AppData\Local\Temp\2xox5s2k\2xox5s2k.0.cs
        MD5

        43843ea478ecc41b366642a2d6a65de7

        SHA1

        302951dfb877c63bf428a24f52de4e22a7176373

        SHA256

        daf0b1fff1975fa6a4acb4cab65191e922585d90e09a7ab5215a15f1b4089d57

        SHA512

        0d1f3ab2c4c8b21ef47ccf01be72c2c2cc07f1a2c5650cc85aaa51be32b8959739d13a2e9fe4454ca3a8759fdf9b836514cf80ca09fa323e8228fbd47cb72e61

        Download Submit
      • \??\c:\Users\Admin\AppData\Local\Temp\2xox5s2k\2xox5s2k.cmdline
        MD5

        eff141141eb64992c3b04fc1f0c23efb

        SHA1

        7cf4d1687786fc1f350262efeb056d5e0744358c

        SHA256

        4681a3a0955b5fa72d4c5dd97a1d60803b7508e49e40723ebf09a9aa1b65a7db

        SHA512

        fa6200ab448bca1ff2ca189a83bcaddafe5005d2ef94b413ff8d563644dfc43a591ffd8a2e01c2c14bf1d40edb4f023313e870104345b90d8fe6a0ac24983a8a

        Download Submit
      • \??\c:\Users\Admin\AppData\Local\Temp\2xox5s2k\CSC7C1831E54ECD4F88B88FA2456537271.TMP
        MD5

        750ae3e0e4f5a317c184f297daa223ab

        SHA1

        7d926df6179e2bd46dc476e7939b383214010152

        SHA256

        c1ae1c73d3409b1b04c2424ef68e984bee00f6a4d6444522d170aa6ac2102d67

        SHA512

        2a53aa1d98cdf9b707bbd3c45656fea105157ee6e8bc37186d54c8961e97d13d446adee7803806d260e89017735a782725df7020af70bfe6842e39060149f80a

        Download Submit
      • memory/556-67-0x0000000000290000-0x0000000000296000-memory.dmp
        Filesize

        24KB

        Download
      • memory/556-56-0x0000000004E50000-0x0000000004E51000-memory.dmp
        Filesize

        4KB

        Download
      • memory/556-68-0x0000000000740000-0x0000000000746000-memory.dmp
        Filesize

        24KB

        Download
      • memory/556-54-0x0000000000EE0000-0x0000000000EE1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/556-65-0x0000000000200000-0x0000000000202000-memory.dmp
        Filesize

        8KB

        Download
      • memory/556-66-0x0000000000280000-0x0000000000290000-memory.dmp
        Filesize

        64KB

        Download
      • memory/604-60-0x0000000000000000-mapping.dmp
        Download
      • memory/1060-72-0x0000000000400000-0x000000000040C000-memory.dmp
        Filesize

        48KB

        Download
      • memory/1060-71-0x0000000000400000-0x000000000040C000-memory.dmp
        Filesize

        48KB

        Download
      • memory/1060-70-0x0000000000400000-0x000000000040C000-memory.dmp
        Filesize

        48KB

        Download
      • memory/1060-74-0x000000000040748E-mapping.dmp
        Download
      • memory/1060-73-0x0000000000400000-0x000000000040C000-memory.dmp
        Filesize

        48KB

        Download
      • memory/1060-69-0x0000000000400000-0x000000000040C000-memory.dmp
        Filesize

        48KB

        Download
      • memory/1060-75-0x0000000074B41000-0x0000000074B43000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1060-76-0x0000000000820000-0x0000000000821000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1076-77-0x0000000000000000-mapping.dmp
        Download
      • memory/1740-57-0x0000000000000000-mapping.dmp
        Download