njrat | ef9c82bb0f96b6266672941cce875b59d431c7f3af89901a8c23ee813293823d

General

Target

705f67dccd4c352a37b7eb04293f3e4c.exe
Size

31KB
MD5

705f67dccd4c352a37b7eb04293f3e4c
SHA1

1c5f8403e9ac0874e3f75f8b038b2f1b4ac7e64e
SHA256

ef9c82bb0f96b6266672941cce875b59d431c7f3af89901a8c23ee813293823d
SHA512

c1df9719ffde323313c014a23bcb4ebb921b179669768ce2a63e6ea2de10e946bee1e268c4196dce07e50c9f3b8efa72a92e13055d71e57931ab8acfb2fac19f

Score

10^/10

njrat evasion trojan

Malware Config

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Suspicious use of AdjustPrivilegeToken 31 IoCs

Processes:

705f67dccd4c352a37b7eb04293f3e4c.exe

description	pid	process
Token: SeDebugPrivilege	2144	705f67dccd4c352a37b7eb04293f3e4c.exe
Token: 33	2144	705f67dccd4c352a37b7eb04293f3e4c.exe
Token: SeIncBasePriorityPrivilege	2144	705f67dccd4c352a37b7eb04293f3e4c.exe
Token: 33	2144	705f67dccd4c352a37b7eb04293f3e4c.exe
Token: SeIncBasePriorityPrivilege	2144	705f67dccd4c352a37b7eb04293f3e4c.exe
Token: 33	2144	705f67dccd4c352a37b7eb04293f3e4c.exe
Token: SeIncBasePriorityPrivilege	2144	705f67dccd4c352a37b7eb04293f3e4c.exe
Token: 33	2144	705f67dccd4c352a37b7eb04293f3e4c.exe
Token: SeIncBasePriorityPrivilege	2144	705f67dccd4c352a37b7eb04293f3e4c.exe
Token: 33	2144	705f67dccd4c352a37b7eb04293f3e4c.exe
Token: SeIncBasePriorityPrivilege	2144	705f67dccd4c352a37b7eb04293f3e4c.exe
Token: 33	2144	705f67dccd4c352a37b7eb04293f3e4c.exe
Token: SeIncBasePriorityPrivilege	2144	705f67dccd4c352a37b7eb04293f3e4c.exe
Token: 33	2144	705f67dccd4c352a37b7eb04293f3e4c.exe
Token: SeIncBasePriorityPrivilege	2144	705f67dccd4c352a37b7eb04293f3e4c.exe
Token: 33	2144	705f67dccd4c352a37b7eb04293f3e4c.exe
Token: SeIncBasePriorityPrivilege	2144	705f67dccd4c352a37b7eb04293f3e4c.exe
Token: 33	2144	705f67dccd4c352a37b7eb04293f3e4c.exe
Token: SeIncBasePriorityPrivilege	2144	705f67dccd4c352a37b7eb04293f3e4c.exe
Token: 33	2144	705f67dccd4c352a37b7eb04293f3e4c.exe
Token: SeIncBasePriorityPrivilege	2144	705f67dccd4c352a37b7eb04293f3e4c.exe
Token: 33	2144	705f67dccd4c352a37b7eb04293f3e4c.exe
Token: SeIncBasePriorityPrivilege	2144	705f67dccd4c352a37b7eb04293f3e4c.exe
Token: 33	2144	705f67dccd4c352a37b7eb04293f3e4c.exe
Token: SeIncBasePriorityPrivilege	2144	705f67dccd4c352a37b7eb04293f3e4c.exe
Token: 33	2144	705f67dccd4c352a37b7eb04293f3e4c.exe
Token: SeIncBasePriorityPrivilege	2144	705f67dccd4c352a37b7eb04293f3e4c.exe
Token: 33	2144	705f67dccd4c352a37b7eb04293f3e4c.exe
Token: SeIncBasePriorityPrivilege	2144	705f67dccd4c352a37b7eb04293f3e4c.exe
Token: 33	2144	705f67dccd4c352a37b7eb04293f3e4c.exe
Token: SeIncBasePriorityPrivilege	2144	705f67dccd4c352a37b7eb04293f3e4c.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

705f67dccd4c352a37b7eb04293f3e4c.exe

description	pid	process	target process
PID 2144 wrote to memory of 3448	2144	705f67dccd4c352a37b7eb04293f3e4c.exe	netsh.exe
PID 2144 wrote to memory of 3448	2144	705f67dccd4c352a37b7eb04293f3e4c.exe	netsh.exe
PID 2144 wrote to memory of 3448	2144	705f67dccd4c352a37b7eb04293f3e4c.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\705f67dccd4c352a37b7eb04293f3e4c.exe
"C:\Users\Admin\AppData\Local\Temp\705f67dccd4c352a37b7eb04293f3e4c.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2144

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\705f67dccd4c352a37b7eb04293f3e4c.exe" "705f67dccd4c352a37b7eb04293f3e4c.exe" ENABLE
2⤵
PID:3448

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2144-115-0x00000000018A0000-0x00000000018A1000-memory.dmp

Filesize
4KB

Download
memory/3448-116-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing