Analysis

  • max time kernel
    162s
  • max time network
    170s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    28-01-2022 21:13

General

  • Target
    498fd1c4cb16f39974555d6e596fcea6c7da73f9f0f30f57fdc8177fc3feaa4e.exe
  • Size
    170KB
  • MD5
    e0a5d9e9cf600b37eb836aee07906566
  • SHA1
    583aebb976132afd18dd32ed46e14f58eb0ae1b9
  • SHA256
    498fd1c4cb16f39974555d6e596fcea6c7da73f9f0f30f57fdc8177fc3feaa4e
  • SHA512
    3544a290acab84a485770ed336b10ca8697b64356d80923533ea5f5c7c27912ff30ef181f67bce761cb366719e3073d98715cd00db72058e38ae4e592269c7af

Malware Config

Extracted

  • Family
    njrat
  • Version
    0.6.4
  • Botnet
    Upload C.D.T
  • C2
    office365update.duckdns.org:2000
  • Mutex
    5cd8f17f4086744065eb0992a09e05a2

Attributes

  • reg_key
    5cd8f17f4086744065eb0992a09e05a2
  • splitter
    |'|'|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Modifies Windows Firewall 1 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\498fd1c4cb16f39974555d6e596fcea6c7da73f9f0f30f57fdc8177fc3feaa4e.exe
    "C:\Users\Admin\AppData\Local\Temp\498fd1c4cb16f39974555d6e596fcea6c7da73f9f0f30f57fdc8177fc3feaa4e.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2940
    • C:\Users\Admin\AppData\Local\Temp\498fd1c4cb16f39974555d6e596fcea6c7da73f9f0f30f57fdc8177fc3feaa4e.exe
      C:\Users\Admin\AppData\Local\Temp\498fd1c4cb16f39974555d6e596fcea6c7da73f9f0f30f57fdc8177fc3feaa4e.exe
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3672
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\498fd1c4cb16f39974555d6e596fcea6c7da73f9f0f30f57fdc8177fc3feaa4e.exe" "498fd1c4cb16f39974555d6e596fcea6c7da73f9f0f30f57fdc8177fc3feaa4e.exe" ENABLE
        3⤵
          PID:1648


Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\498fd1c4cb16f39974555d6e596fcea6c7da73f9f0f30f57fdc8177fc3feaa4e.exe.log
    MD5
    c1dc5719caf5879564bcb85d01a602c4
    SHA1
    2123996c14ddffa7914ad14f2823b958898971e7
    SHA256
    9332f0cc4c7485e3985300fd7d78c9e07b32ae0cc165364cd53774ef8235ecec
    SHA512
    b893e0e8cd217ef2457cf5080b7d5f21d21dd71a900a720fc293c1c975aaa3edc4aec1b9da494f204b868bb6920097cedf300b70fd5b43dec14efcebbf06798e
  • memory/2940-118-0x0000000002DC0000-0x0000000002DC1000-memory.dmp
    Filesize
    4KB
  • memory/3672-119-0x0000000000400000-0x000000000040E000-memory.dmp
    Filesize
    56KB
  • memory/3672-121-0x0000000002800000-0x0000000002801000-memory.dmp
    Filesize
    4KB
  • memory/3672-122-0x0000000002803000-0x0000000002805000-memory.dmp
    Filesize
    8KB