njrat | 36702a02201cea4b0f0096758491fb058ef8d9a84d98bf93db3101ee1050276f

General

Target

36702A02201CEA4B0F0096758491FB058EF8D9A84D98B.exe
Size

22KB
MD5

f3d01e4949038741366e368d190fb95a
SHA1

94ae951d78c1cc28a698b770839272d22b1d56f2
SHA256

36702a02201cea4b0f0096758491fb058ef8d9a84d98bf93db3101ee1050276f
SHA512

9a40115f50bd6e493c729b78df9af601428f29fa9b2bf101ff51100e4d0890e8104c7ae766472fa08a86db5b7f72f1b64656362a90f4a46db5f63b9105c172bb

Score

10^/10

njrat persistence trojan

Malware Config

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

36702A02201CEA4B0F0096758491FB058EF8D9A84D98B.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\mdcxw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\36702A02201CEA4B0F0096758491FB058EF8D9A84D98B.exe"	36702A02201CEA4B0F0096758491FB058EF8D9A84D98B.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of AdjustPrivilegeToken 27 IoCs

Processes:

36702A02201CEA4B0F0096758491FB058EF8D9A84D98B.exe

description	pid	process
Token: SeDebugPrivilege	600	36702A02201CEA4B0F0096758491FB058EF8D9A84D98B.exe
Token: 33	600	36702A02201CEA4B0F0096758491FB058EF8D9A84D98B.exe
Token: SeIncBasePriorityPrivilege	600	36702A02201CEA4B0F0096758491FB058EF8D9A84D98B.exe
Token: 33	600	36702A02201CEA4B0F0096758491FB058EF8D9A84D98B.exe
Token: SeIncBasePriorityPrivilege	600	36702A02201CEA4B0F0096758491FB058EF8D9A84D98B.exe
Token: 33	600	36702A02201CEA4B0F0096758491FB058EF8D9A84D98B.exe
Token: SeIncBasePriorityPrivilege	600	36702A02201CEA4B0F0096758491FB058EF8D9A84D98B.exe
Token: 33	600	36702A02201CEA4B0F0096758491FB058EF8D9A84D98B.exe
Token: SeIncBasePriorityPrivilege	600	36702A02201CEA4B0F0096758491FB058EF8D9A84D98B.exe
Token: 33	600	36702A02201CEA4B0F0096758491FB058EF8D9A84D98B.exe
Token: SeIncBasePriorityPrivilege	600	36702A02201CEA4B0F0096758491FB058EF8D9A84D98B.exe
Token: 33	600	36702A02201CEA4B0F0096758491FB058EF8D9A84D98B.exe
Token: SeIncBasePriorityPrivilege	600	36702A02201CEA4B0F0096758491FB058EF8D9A84D98B.exe
Token: 33	600	36702A02201CEA4B0F0096758491FB058EF8D9A84D98B.exe
Token: SeIncBasePriorityPrivilege	600	36702A02201CEA4B0F0096758491FB058EF8D9A84D98B.exe
Token: 33	600	36702A02201CEA4B0F0096758491FB058EF8D9A84D98B.exe
Token: SeIncBasePriorityPrivilege	600	36702A02201CEA4B0F0096758491FB058EF8D9A84D98B.exe
Token: 33	600	36702A02201CEA4B0F0096758491FB058EF8D9A84D98B.exe
Token: SeIncBasePriorityPrivilege	600	36702A02201CEA4B0F0096758491FB058EF8D9A84D98B.exe
Token: 33	600	36702A02201CEA4B0F0096758491FB058EF8D9A84D98B.exe
Token: SeIncBasePriorityPrivilege	600	36702A02201CEA4B0F0096758491FB058EF8D9A84D98B.exe
Token: 33	600	36702A02201CEA4B0F0096758491FB058EF8D9A84D98B.exe
Token: SeIncBasePriorityPrivilege	600	36702A02201CEA4B0F0096758491FB058EF8D9A84D98B.exe
Token: 33	600	36702A02201CEA4B0F0096758491FB058EF8D9A84D98B.exe
Token: SeIncBasePriorityPrivilege	600	36702A02201CEA4B0F0096758491FB058EF8D9A84D98B.exe
Token: 33	600	36702A02201CEA4B0F0096758491FB058EF8D9A84D98B.exe
Token: SeIncBasePriorityPrivilege	600	36702A02201CEA4B0F0096758491FB058EF8D9A84D98B.exe

C:\Users\Admin\AppData\Local\Temp\36702A02201CEA4B0F0096758491FB058EF8D9A84D98B.exe
"C:\Users\Admin\AppData\Local\Temp\36702A02201CEA4B0F0096758491FB058EF8D9A84D98B.exe"
1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:600

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

Web Service

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/600-55-0x0000000000AE0000-0x0000000000AE2000-memory.dmp

Filesize
8KB

Download
memory/600-54-0x000007FEF2830000-0x000007FEF38C6000-memory.dmp

Filesize
16.6MB

Download
memory/600-56-0x0000000000AE6000-0x0000000000B05000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing