njrat | bf05a3947e7a4140b43547581564d04991f0c339a7ac35bcb2c7bb93f7b7ae1e

Analysis

max time kernel
145s
max time network
138s
platform
windows7_x64
resource
win7-en-20211014
submitted
04-12-2021 00:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a65eec0b9da0cc90e1254ba7594a6291.exe
Size

1012KB
MD5

a65eec0b9da0cc90e1254ba7594a6291
SHA1

0692268e96272c0b0e25eb6e337fc086c7f4bda2
SHA256

bf05a3947e7a4140b43547581564d04991f0c339a7ac35bcb2c7bb93f7b7ae1e
SHA512

48464c59a7eadffbedec8a95a1fc4a0f42d3f10928e8394abefa629bd70d0a41816f3850c8e14f9c3c870f0cc56dee1c319b0290f5a78c5e4791960946c939bd

Score

10^/10

njrat nyan cat trojan

Malware Config

Extracted

Family

njrat

Version

0.7NC

Botnet

NYAN CAT

milla.publicvm.com:5050

Mutex

c0dd26caedd

Attributes

reg_key
c0dd26caedd
splitter
@!#&^%$

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of AdjustPrivilegeToken 25 IoCs

Processes:

a65eec0b9da0cc90e1254ba7594a6291.exe

description	pid	process
Token: SeDebugPrivilege	1656	a65eec0b9da0cc90e1254ba7594a6291.exe
Token: 33	1656	a65eec0b9da0cc90e1254ba7594a6291.exe
Token: SeIncBasePriorityPrivilege	1656	a65eec0b9da0cc90e1254ba7594a6291.exe
Token: 33	1656	a65eec0b9da0cc90e1254ba7594a6291.exe
Token: SeIncBasePriorityPrivilege	1656	a65eec0b9da0cc90e1254ba7594a6291.exe
Token: 33	1656	a65eec0b9da0cc90e1254ba7594a6291.exe
Token: SeIncBasePriorityPrivilege	1656	a65eec0b9da0cc90e1254ba7594a6291.exe
Token: 33	1656	a65eec0b9da0cc90e1254ba7594a6291.exe
Token: SeIncBasePriorityPrivilege	1656	a65eec0b9da0cc90e1254ba7594a6291.exe
Token: 33	1656	a65eec0b9da0cc90e1254ba7594a6291.exe
Token: SeIncBasePriorityPrivilege	1656	a65eec0b9da0cc90e1254ba7594a6291.exe
Token: 33	1656	a65eec0b9da0cc90e1254ba7594a6291.exe
Token: SeIncBasePriorityPrivilege	1656	a65eec0b9da0cc90e1254ba7594a6291.exe
Token: 33	1656	a65eec0b9da0cc90e1254ba7594a6291.exe
Token: SeIncBasePriorityPrivilege	1656	a65eec0b9da0cc90e1254ba7594a6291.exe
Token: 33	1656	a65eec0b9da0cc90e1254ba7594a6291.exe
Token: SeIncBasePriorityPrivilege	1656	a65eec0b9da0cc90e1254ba7594a6291.exe
Token: 33	1656	a65eec0b9da0cc90e1254ba7594a6291.exe
Token: SeIncBasePriorityPrivilege	1656	a65eec0b9da0cc90e1254ba7594a6291.exe
Token: 33	1656	a65eec0b9da0cc90e1254ba7594a6291.exe
Token: SeIncBasePriorityPrivilege	1656	a65eec0b9da0cc90e1254ba7594a6291.exe
Token: 33	1656	a65eec0b9da0cc90e1254ba7594a6291.exe
Token: SeIncBasePriorityPrivilege	1656	a65eec0b9da0cc90e1254ba7594a6291.exe
Token: 33	1656	a65eec0b9da0cc90e1254ba7594a6291.exe
Token: SeIncBasePriorityPrivilege	1656	a65eec0b9da0cc90e1254ba7594a6291.exe

C:\Users\Admin\AppData\Local\Temp\a65eec0b9da0cc90e1254ba7594a6291.exe
"C:\Users\Admin\AppData\Local\Temp\a65eec0b9da0cc90e1254ba7594a6291.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1656

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1656-55-0x0000000000E40000-0x0000000000E41000-memory.dmp

Filesize
4KB

Download
memory/1656-57-0x0000000075B71000-0x0000000075B73000-memory.dmp

Filesize
8KB

Download
memory/1656-58-0x0000000004840000-0x0000000004841000-memory.dmp

Filesize
4KB

Download
memory/1656-59-0x0000000000340000-0x0000000000348000-memory.dmp

Filesize
32KB

Download