njrat | f8273bb883ff7a73e822a067d5459f0c0340d6d1615d4adee46ef12dd673b77b

General

Target

60cbf379417e56390753d9c9482b6cdc.exe
Size

31KB
MD5

60cbf379417e56390753d9c9482b6cdc
SHA1

33e882b9261c7a286d94490846e1ffa26568f28e
SHA256

f8273bb883ff7a73e822a067d5459f0c0340d6d1615d4adee46ef12dd673b77b
SHA512

ac47ef97ec1cea485beb0b91713b248c3f4b63c28d94de2b0d44f163523c55e4fca3ff62636d717de6a903fc109ab91bc0966644a41fe19465c4bcbfb615c20b

Score

10^/10

njrat evasion trojan

Malware Config

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

60cbf379417e56390753d9c9482b6cdc.exe

description	pid	process
Token: SeDebugPrivilege	3780	60cbf379417e56390753d9c9482b6cdc.exe
Token: 33	3780	60cbf379417e56390753d9c9482b6cdc.exe
Token: SeIncBasePriorityPrivilege	3780	60cbf379417e56390753d9c9482b6cdc.exe
Token: 33	3780	60cbf379417e56390753d9c9482b6cdc.exe
Token: SeIncBasePriorityPrivilege	3780	60cbf379417e56390753d9c9482b6cdc.exe
Token: 33	3780	60cbf379417e56390753d9c9482b6cdc.exe
Token: SeIncBasePriorityPrivilege	3780	60cbf379417e56390753d9c9482b6cdc.exe
Token: 33	3780	60cbf379417e56390753d9c9482b6cdc.exe
Token: SeIncBasePriorityPrivilege	3780	60cbf379417e56390753d9c9482b6cdc.exe
Token: 33	3780	60cbf379417e56390753d9c9482b6cdc.exe
Token: SeIncBasePriorityPrivilege	3780	60cbf379417e56390753d9c9482b6cdc.exe
Token: 33	3780	60cbf379417e56390753d9c9482b6cdc.exe
Token: SeIncBasePriorityPrivilege	3780	60cbf379417e56390753d9c9482b6cdc.exe
Token: 33	3780	60cbf379417e56390753d9c9482b6cdc.exe
Token: SeIncBasePriorityPrivilege	3780	60cbf379417e56390753d9c9482b6cdc.exe
Token: 33	3780	60cbf379417e56390753d9c9482b6cdc.exe
Token: SeIncBasePriorityPrivilege	3780	60cbf379417e56390753d9c9482b6cdc.exe
Token: 33	3780	60cbf379417e56390753d9c9482b6cdc.exe
Token: SeIncBasePriorityPrivilege	3780	60cbf379417e56390753d9c9482b6cdc.exe
Token: 33	3780	60cbf379417e56390753d9c9482b6cdc.exe
Token: SeIncBasePriorityPrivilege	3780	60cbf379417e56390753d9c9482b6cdc.exe
Token: 33	3780	60cbf379417e56390753d9c9482b6cdc.exe
Token: SeIncBasePriorityPrivilege	3780	60cbf379417e56390753d9c9482b6cdc.exe
Token: 33	3780	60cbf379417e56390753d9c9482b6cdc.exe
Token: SeIncBasePriorityPrivilege	3780	60cbf379417e56390753d9c9482b6cdc.exe
Token: 33	3780	60cbf379417e56390753d9c9482b6cdc.exe
Token: SeIncBasePriorityPrivilege	3780	60cbf379417e56390753d9c9482b6cdc.exe
Token: 33	3780	60cbf379417e56390753d9c9482b6cdc.exe
Token: SeIncBasePriorityPrivilege	3780	60cbf379417e56390753d9c9482b6cdc.exe
Token: 33	3780	60cbf379417e56390753d9c9482b6cdc.exe
Token: SeIncBasePriorityPrivilege	3780	60cbf379417e56390753d9c9482b6cdc.exe
Token: 33	3780	60cbf379417e56390753d9c9482b6cdc.exe
Token: SeIncBasePriorityPrivilege	3780	60cbf379417e56390753d9c9482b6cdc.exe
Token: 33	3780	60cbf379417e56390753d9c9482b6cdc.exe
Token: SeIncBasePriorityPrivilege	3780	60cbf379417e56390753d9c9482b6cdc.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

60cbf379417e56390753d9c9482b6cdc.exe

description	pid	process	target process
PID 3780 wrote to memory of 4224	3780	60cbf379417e56390753d9c9482b6cdc.exe	netsh.exe
PID 3780 wrote to memory of 4224	3780	60cbf379417e56390753d9c9482b6cdc.exe	netsh.exe
PID 3780 wrote to memory of 4224	3780	60cbf379417e56390753d9c9482b6cdc.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\60cbf379417e56390753d9c9482b6cdc.exe
"C:\Users\Admin\AppData\Local\Temp\60cbf379417e56390753d9c9482b6cdc.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3780

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\60cbf379417e56390753d9c9482b6cdc.exe" "60cbf379417e56390753d9c9482b6cdc.exe" ENABLE
2⤵
PID:4224

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3780-115-0x0000000000C50000-0x0000000000C51000-memory.dmp

Filesize
4KB

Download
memory/4224-116-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing