njrat | b7f5245002784627da1996be95b0e18abd73df0da01cbb268e39c5d39f04f4e8

General

Target

tmp/603fc39a-a94f-4607-a68c-cdfe8e403c95_1643.exe
Size

23KB
MD5

558d83545b3096f901e84dd00bccd9e8
SHA1

f8a62eb35a55307eaea56a4d689b1d9e68e303ea
SHA256

b7f5245002784627da1996be95b0e18abd73df0da01cbb268e39c5d39f04f4e8
SHA512

af4bcdb32071d2aef39fbe71f54466af07eb788ba9494af7f7937c93ac77cf341465bb733a0ba587f12606dc4c114d81293ae287f2041c8df0c3539bb3ce857d

Score

10^/10

njrat evasion trojan

Malware Config

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

603fc39a-a94f-4607-a68c-cdfe8e403c95_1643.exe

description	pid	process
Token: SeDebugPrivilege	1796	603fc39a-a94f-4607-a68c-cdfe8e403c95_1643.exe
Token: 33	1796	603fc39a-a94f-4607-a68c-cdfe8e403c95_1643.exe
Token: SeIncBasePriorityPrivilege	1796	603fc39a-a94f-4607-a68c-cdfe8e403c95_1643.exe
Token: 33	1796	603fc39a-a94f-4607-a68c-cdfe8e403c95_1643.exe
Token: SeIncBasePriorityPrivilege	1796	603fc39a-a94f-4607-a68c-cdfe8e403c95_1643.exe
Token: 33	1796	603fc39a-a94f-4607-a68c-cdfe8e403c95_1643.exe
Token: SeIncBasePriorityPrivilege	1796	603fc39a-a94f-4607-a68c-cdfe8e403c95_1643.exe
Token: 33	1796	603fc39a-a94f-4607-a68c-cdfe8e403c95_1643.exe
Token: SeIncBasePriorityPrivilege	1796	603fc39a-a94f-4607-a68c-cdfe8e403c95_1643.exe
Token: 33	1796	603fc39a-a94f-4607-a68c-cdfe8e403c95_1643.exe
Token: SeIncBasePriorityPrivilege	1796	603fc39a-a94f-4607-a68c-cdfe8e403c95_1643.exe
Token: 33	1796	603fc39a-a94f-4607-a68c-cdfe8e403c95_1643.exe
Token: SeIncBasePriorityPrivilege	1796	603fc39a-a94f-4607-a68c-cdfe8e403c95_1643.exe
Token: 33	1796	603fc39a-a94f-4607-a68c-cdfe8e403c95_1643.exe
Token: SeIncBasePriorityPrivilege	1796	603fc39a-a94f-4607-a68c-cdfe8e403c95_1643.exe
Token: 33	1796	603fc39a-a94f-4607-a68c-cdfe8e403c95_1643.exe
Token: SeIncBasePriorityPrivilege	1796	603fc39a-a94f-4607-a68c-cdfe8e403c95_1643.exe
Token: 33	1796	603fc39a-a94f-4607-a68c-cdfe8e403c95_1643.exe
Token: SeIncBasePriorityPrivilege	1796	603fc39a-a94f-4607-a68c-cdfe8e403c95_1643.exe
Token: 33	1796	603fc39a-a94f-4607-a68c-cdfe8e403c95_1643.exe
Token: SeIncBasePriorityPrivilege	1796	603fc39a-a94f-4607-a68c-cdfe8e403c95_1643.exe
Token: 33	1796	603fc39a-a94f-4607-a68c-cdfe8e403c95_1643.exe
Token: SeIncBasePriorityPrivilege	1796	603fc39a-a94f-4607-a68c-cdfe8e403c95_1643.exe
Token: 33	1796	603fc39a-a94f-4607-a68c-cdfe8e403c95_1643.exe
Token: SeIncBasePriorityPrivilege	1796	603fc39a-a94f-4607-a68c-cdfe8e403c95_1643.exe
Token: 33	1796	603fc39a-a94f-4607-a68c-cdfe8e403c95_1643.exe
Token: SeIncBasePriorityPrivilege	1796	603fc39a-a94f-4607-a68c-cdfe8e403c95_1643.exe
Token: 33	1796	603fc39a-a94f-4607-a68c-cdfe8e403c95_1643.exe
Token: SeIncBasePriorityPrivilege	1796	603fc39a-a94f-4607-a68c-cdfe8e403c95_1643.exe
Token: 33	1796	603fc39a-a94f-4607-a68c-cdfe8e403c95_1643.exe
Token: SeIncBasePriorityPrivilege	1796	603fc39a-a94f-4607-a68c-cdfe8e403c95_1643.exe
Token: 33	1796	603fc39a-a94f-4607-a68c-cdfe8e403c95_1643.exe
Token: SeIncBasePriorityPrivilege	1796	603fc39a-a94f-4607-a68c-cdfe8e403c95_1643.exe
Token: 33	1796	603fc39a-a94f-4607-a68c-cdfe8e403c95_1643.exe
Token: SeIncBasePriorityPrivilege	1796	603fc39a-a94f-4607-a68c-cdfe8e403c95_1643.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

603fc39a-a94f-4607-a68c-cdfe8e403c95_1643.exe

description	pid	process	target process
PID 1796 wrote to memory of 520	1796	603fc39a-a94f-4607-a68c-cdfe8e403c95_1643.exe	netsh.exe
PID 1796 wrote to memory of 520	1796	603fc39a-a94f-4607-a68c-cdfe8e403c95_1643.exe	netsh.exe
PID 1796 wrote to memory of 520	1796	603fc39a-a94f-4607-a68c-cdfe8e403c95_1643.exe	netsh.exe
PID 1796 wrote to memory of 520	1796	603fc39a-a94f-4607-a68c-cdfe8e403c95_1643.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\tmp\603fc39a-a94f-4607-a68c-cdfe8e403c95_1643.exe
"C:\Users\Admin\AppData\Local\Temp\tmp\603fc39a-a94f-4607-a68c-cdfe8e403c95_1643.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1796

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\tmp\603fc39a-a94f-4607-a68c-cdfe8e403c95_1643.exe" "603fc39a-a94f-4607-a68c-cdfe8e403c95_1643.exe" ENABLE
2⤵
PID:520

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/520-55-0x0000000000000000-mapping.dmp

Download
memory/1796-53-0x0000000076C61000-0x0000000076C63000-memory.dmp

Filesize
8KB

Download
memory/1796-54-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing