njrat | 6ee76407efa8157b7f2b80a3a7ccc41581851aca58ab10cb8caf0243ce6fa436

General

Target

6ee76407efa8157b7f2b80a3a7ccc41581851aca58ab10cb8caf0243ce6fa436.exe
Size

264KB
MD5

695c5d19dc3c3c5cc39182e09d9274e6
SHA1

bc0aa3fce44b7d252919d820860709a0052cb76c
SHA256

6ee76407efa8157b7f2b80a3a7ccc41581851aca58ab10cb8caf0243ce6fa436
SHA512

a20bf0b073c43f55f9a8797e093422b2aea58949fa23e625e20ce9786421c120253cd4f988aa3b2f877d9cc7f6c472e8daabe58489d7b7ea2bec5c339e855e4b

Score

10^/10

njrat zalupa180417 evasion trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

zalupa180417

C2

808080.ddns.net:5555

Mutex

4cb72bb7475074f5af41f3e5e189ee3f

Attributes

reg_key
4cb72bb7475074f5af41f3e5e189ee3f
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Drops startup file 2 IoCs

Processes:

6ee76407efa8157b7f2b80a3a7ccc41581851aca58ab10cb8caf0243ce6fa436.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FlashUpdate.exe	6ee76407efa8157b7f2b80a3a7ccc41581851aca58ab10cb8caf0243ce6fa436.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FlashUpdate.exe	6ee76407efa8157b7f2b80a3a7ccc41581851aca58ab10cb8caf0243ce6fa436.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

6ee76407efa8157b7f2b80a3a7ccc41581851aca58ab10cb8caf0243ce6fa436.exe

description	pid	process	target process
PID 1680 set thread context of 792	1680	6ee76407efa8157b7f2b80a3a7ccc41581851aca58ab10cb8caf0243ce6fa436.exe	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

6ee76407efa8157b7f2b80a3a7ccc41581851aca58ab10cb8caf0243ce6fa436.exe

pid	process
1680	6ee76407efa8157b7f2b80a3a7ccc41581851aca58ab10cb8caf0243ce6fa436.exe
1680	6ee76407efa8157b7f2b80a3a7ccc41581851aca58ab10cb8caf0243ce6fa436.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

Processes:

6ee76407efa8157b7f2b80a3a7ccc41581851aca58ab10cb8caf0243ce6fa436.exeRegAsm.exe

description	pid	process
Token: SeDebugPrivilege	1680	6ee76407efa8157b7f2b80a3a7ccc41581851aca58ab10cb8caf0243ce6fa436.exe
Token: SeDebugPrivilege	792	RegAsm.exe
Token: 33	792	RegAsm.exe
Token: SeIncBasePriorityPrivilege	792	RegAsm.exe
Token: 33	792	RegAsm.exe
Token: SeIncBasePriorityPrivilege	792	RegAsm.exe
Token: 33	792	RegAsm.exe
Token: SeIncBasePriorityPrivilege	792	RegAsm.exe
Token: 33	792	RegAsm.exe
Token: SeIncBasePriorityPrivilege	792	RegAsm.exe
Token: 33	792	RegAsm.exe
Token: SeIncBasePriorityPrivilege	792	RegAsm.exe
Token: 33	792	RegAsm.exe
Token: SeIncBasePriorityPrivilege	792	RegAsm.exe
Token: 33	792	RegAsm.exe
Token: SeIncBasePriorityPrivilege	792	RegAsm.exe
Token: 33	792	RegAsm.exe
Token: SeIncBasePriorityPrivilege	792	RegAsm.exe
Token: 33	792	RegAsm.exe
Token: SeIncBasePriorityPrivilege	792	RegAsm.exe
Token: 33	792	RegAsm.exe
Token: SeIncBasePriorityPrivilege	792	RegAsm.exe
Token: 33	792	RegAsm.exe
Token: SeIncBasePriorityPrivilege	792	RegAsm.exe
Token: 33	792	RegAsm.exe
Token: SeIncBasePriorityPrivilege	792	RegAsm.exe
Token: 33	792	RegAsm.exe
Token: SeIncBasePriorityPrivilege	792	RegAsm.exe
Token: 33	792	RegAsm.exe
Token: SeIncBasePriorityPrivilege	792	RegAsm.exe
Token: 33	792	RegAsm.exe
Token: SeIncBasePriorityPrivilege	792	RegAsm.exe
Token: 33	792	RegAsm.exe
Token: SeIncBasePriorityPrivilege	792	RegAsm.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

6ee76407efa8157b7f2b80a3a7ccc41581851aca58ab10cb8caf0243ce6fa436.exeRegAsm.exe

description	pid	process	target process
PID 1680 wrote to memory of 792	1680	6ee76407efa8157b7f2b80a3a7ccc41581851aca58ab10cb8caf0243ce6fa436.exe	RegAsm.exe
PID 1680 wrote to memory of 792	1680	6ee76407efa8157b7f2b80a3a7ccc41581851aca58ab10cb8caf0243ce6fa436.exe	RegAsm.exe
PID 1680 wrote to memory of 792	1680	6ee76407efa8157b7f2b80a3a7ccc41581851aca58ab10cb8caf0243ce6fa436.exe	RegAsm.exe
PID 1680 wrote to memory of 792	1680	6ee76407efa8157b7f2b80a3a7ccc41581851aca58ab10cb8caf0243ce6fa436.exe	RegAsm.exe
PID 1680 wrote to memory of 792	1680	6ee76407efa8157b7f2b80a3a7ccc41581851aca58ab10cb8caf0243ce6fa436.exe	RegAsm.exe
PID 1680 wrote to memory of 792	1680	6ee76407efa8157b7f2b80a3a7ccc41581851aca58ab10cb8caf0243ce6fa436.exe	RegAsm.exe
PID 1680 wrote to memory of 792	1680	6ee76407efa8157b7f2b80a3a7ccc41581851aca58ab10cb8caf0243ce6fa436.exe	RegAsm.exe
PID 1680 wrote to memory of 792	1680	6ee76407efa8157b7f2b80a3a7ccc41581851aca58ab10cb8caf0243ce6fa436.exe	RegAsm.exe
PID 1680 wrote to memory of 792	1680	6ee76407efa8157b7f2b80a3a7ccc41581851aca58ab10cb8caf0243ce6fa436.exe	RegAsm.exe
PID 1680 wrote to memory of 792	1680	6ee76407efa8157b7f2b80a3a7ccc41581851aca58ab10cb8caf0243ce6fa436.exe	RegAsm.exe
PID 1680 wrote to memory of 792	1680	6ee76407efa8157b7f2b80a3a7ccc41581851aca58ab10cb8caf0243ce6fa436.exe	RegAsm.exe
PID 1680 wrote to memory of 792	1680	6ee76407efa8157b7f2b80a3a7ccc41581851aca58ab10cb8caf0243ce6fa436.exe	RegAsm.exe
PID 792 wrote to memory of 1180	792	RegAsm.exe	netsh.exe
PID 792 wrote to memory of 1180	792	RegAsm.exe	netsh.exe
PID 792 wrote to memory of 1180	792	RegAsm.exe	netsh.exe
PID 792 wrote to memory of 1180	792	RegAsm.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\6ee76407efa8157b7f2b80a3a7ccc41581851aca58ab10cb8caf0243ce6fa436.exe
"C:\Users\Admin\AppData\Local\Temp\6ee76407efa8157b7f2b80a3a7ccc41581851aca58ab10cb8caf0243ce6fa436.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1680

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:792

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "RegAsm.exe" ENABLE
3⤵
PID:1180

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/792-57-0x0000000000090000-0x000000000009C000-memory.dmp

Filesize
48KB

Download
memory/792-58-0x0000000000090000-0x000000000009C000-memory.dmp

Filesize
48KB

Download
memory/792-59-0x0000000000090000-0x000000000009C000-memory.dmp

Filesize
48KB

Download
memory/792-60-0x0000000000090000-0x000000000009C000-memory.dmp

Filesize
48KB

Download
memory/792-62-0x0000000000090000-0x000000000009C000-memory.dmp

Filesize
48KB

Download
memory/792-68-0x0000000000090000-0x000000000009C000-memory.dmp

Filesize
48KB

Download
memory/792-65-0x0000000000090000-0x000000000009C000-memory.dmp

Filesize
48KB

Download
memory/792-70-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/1680-54-0x0000000075891000-0x0000000075893000-memory.dmp

Filesize
8KB

Download
memory/1680-55-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1680-56-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads