Overview

overview

10

Static

static

996570A4F2...F4.exe

windows7_x64

10

996570A4F2...F4.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-en-20211014
  • submitted
    02-11-2021 02:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    996570A4F29509E3C74AA361E578F59001460810064F4.exe

  • Size

    73KB

  • MD5

    7de9b1373f7e080121792869b172c537

  • SHA1

    452f18d117ca728604b660f30aaafcd4f0c217f9

  • SHA256

    996570a4f29509e3c74aa361e578f59001460810064f4a81be520e18291d56ab

  • SHA512

    ae50753118eed6328e1c425ae8545034c9d782867eb8bd3d9a828309b7b19c6134cae2f2e0f44def4a0dc50f3eca743a2e6ffbf8a5287203aaf22050568b1d9a

Score
10/10
njrat04040404evasionsuricatatrojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

04040404

C2

soportes.duckdns.org:2023

Mutex

28a056e3673b28a4055fb90e48d147ab

Attributes
  • reg_key

    28a056e3673b28a4055fb90e48d147ab

  • splitter

    |'|'|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)

    suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)

    suricata
  • Modifies Windows Firewall 1 TTPs
    evasion
  • Drops startup file 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 34 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\996570A4F29509E3C74AA361E578F59001460810064F4.exe
    "C:\Users\Admin\AppData\Local\Temp\996570A4F29509E3C74AA361E578F59001460810064F4.exe"
    1⤵
    • Drops startup file
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1772
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\btmvnqdl\btmvnqdl.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1132
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCF6F.tmp" "c:\Users\Admin\AppData\Local\Temp\btmvnqdl\CSC7B0F5140F9BE44439961848E6FE07521.TMP"
        3⤵
          PID:1432
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:360
        • C:\Windows\SysWOW64\netsh.exe
          netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "RegAsm.exe" ENABLE
          3⤵
            PID:1652

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Modify Existing Service

      1
      T1031

      Privilege Escalation

      Defense Evasion

      Credential Access

      Discovery

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\RESCF6F.tmp
        MD5

        e64289f68797cf8c4e2ae4f697ffde40

        SHA1

        d4017cc20449dced815458ddb1fe1f9c62952c74

        SHA256

        c52b1774e6918813fff5214fcd2388ee8a7b0436d0cf5ef956febcea723d42e3

        SHA512

        d1639da2642779f608b244f3723441cb297807d287c2d0fda16ecc94970feb82cc4c7b35606ee185280c780669bc68cd8071d6cf973b044dbe2853409f8d7843

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\btmvnqdl\btmvnqdl.dll
        MD5

        109f8eef46248643d1be3f204524f22c

        SHA1

        9d538a70ec27e0b0014f386e3ea1c7b02bac256f

        SHA256

        abd777448d5ec6a05d5c07faf6e3f4de14865cebdb3b6255387bf45ff9702494

        SHA512

        7cc6f66fb13e9b2da5c017d626399a04e59d8e498d5361d6a3c317fe1dad0d6981b63b6c8ae2fe6900449fcfa8703fee50cfc58f9ae7185e035bb10fe5700c95

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\btmvnqdl\btmvnqdl.pdb
        MD5

        727f35a97615c80766b6bf11f9d88dcd

        SHA1

        131c1282fdd18e992de6b796d573563c0e29c5ab

        SHA256

        922d95764c87936f8c3e9485cfbbb3f986abee43e8cc3d5e0e76809196aa1029

        SHA512

        125ea6d3f729eacebb8e90138d1b5ff7b44dcfef71dd9602640962a3a3b650db9ab40792fd12c31b9e699313ee5138b6e8041d2d711029d1e1467bb7f8c4fd78

        Download Submit
      • \??\c:\Users\Admin\AppData\Local\Temp\btmvnqdl\CSC7B0F5140F9BE44439961848E6FE07521.TMP
        MD5

        676287dbbda00e632bd85a304a36e046

        SHA1

        7333ed846ecf4dd7b1ec70858c835539f12c66b8

        SHA256

        c9a1539959180ea9ab052e884fabff72c339d727971d412cf72275ee871a7cda

        SHA512

        6aa0afc4fe2f35541a86f83bfee7c8d496443794e1d81c0804d764083f0929e31348d9cbe6e5e24569a7d00f6b9698d4cc6644f993e8186add2a5133ff8c94e6

        Download Submit
      • \??\c:\Users\Admin\AppData\Local\Temp\btmvnqdl\btmvnqdl.0.cs
        MD5

        43843ea478ecc41b366642a2d6a65de7

        SHA1

        302951dfb877c63bf428a24f52de4e22a7176373

        SHA256

        daf0b1fff1975fa6a4acb4cab65191e922585d90e09a7ab5215a15f1b4089d57

        SHA512

        0d1f3ab2c4c8b21ef47ccf01be72c2c2cc07f1a2c5650cc85aaa51be32b8959739d13a2e9fe4454ca3a8759fdf9b836514cf80ca09fa323e8228fbd47cb72e61

        Download Submit
      • \??\c:\Users\Admin\AppData\Local\Temp\btmvnqdl\btmvnqdl.cmdline
        MD5

        099ab0e9905de1ff543e9db3ad7ff867

        SHA1

        368424425ad8ff5b1bc0a9479bc48dfa6ecc0896

        SHA256

        f462e4ff1abf5198aed405cd556cc85bb1aa97dbb3e99817716fe4091404bea6

        SHA512

        234c26f3af4426786515368366c19057487d905a073e3c26bb3ccaad9f3737d7aa81ec35af10da418275b423d8d5c095159143e8ff7051b2701993c322a70863

        Download Submit
      • memory/360-75-0x000000000040748E-mapping.dmp
        Download
      • memory/360-77-0x0000000000790000-0x0000000000791000-memory.dmp
        Filesize

        4KB

        Download
      • memory/360-76-0x0000000075321000-0x0000000075323000-memory.dmp
        Filesize

        8KB

        Download
      • memory/360-72-0x0000000000400000-0x000000000040C000-memory.dmp
        Filesize

        48KB

        Download
      • memory/360-74-0x0000000000400000-0x000000000040C000-memory.dmp
        Filesize

        48KB

        Download
      • memory/360-70-0x0000000000400000-0x000000000040C000-memory.dmp
        Filesize

        48KB

        Download
      • memory/360-71-0x0000000000400000-0x000000000040C000-memory.dmp
        Filesize

        48KB

        Download
      • memory/360-73-0x0000000000400000-0x000000000040C000-memory.dmp
        Filesize

        48KB

        Download
      • memory/1132-57-0x0000000000000000-mapping.dmp
        Download
      • memory/1432-60-0x0000000000000000-mapping.dmp
        Download
      • memory/1652-78-0x0000000000000000-mapping.dmp
        Download
      • memory/1772-61-0x0000000004AB0000-0x0000000004AB1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1772-69-0x00000000009C0000-0x00000000009C6000-memory.dmp
        Filesize

        24KB

        Download
      • memory/1772-68-0x0000000000670000-0x0000000000676000-memory.dmp
        Filesize

        24KB

        Download
      • memory/1772-67-0x0000000000410000-0x0000000000420000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1772-66-0x0000000000390000-0x0000000000392000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1772-55-0x0000000001140000-0x0000000001141000-memory.dmp
        Filesize

        4KB

        Download