njrat | aa4a6b78c9d23c605652f32644832f9a763d734f934aafc94993c6c6fb05bfaf

General

Target

aa4a6b78c9d23c605652f32644832f9a763d734f934aafc94993c6c6fb05bfaf.exe
Size

160KB
MD5

780d1cd0f9a43ccbae19271e83ccfc54
SHA1

68ebef0b3a89c3ebbb3fddc33a610ab6ad4b14d9
SHA256

aa4a6b78c9d23c605652f32644832f9a763d734f934aafc94993c6c6fb05bfaf
SHA512

6234d509b259000a465a2ba75664bdedcd9906e9aaee87d72447ada39a3004ee882aa2e3efeecdec112bc5b880027f053a3f691e48f7e5d832adeb84e4dd0ed2

Score

10^/10

njrat evasion trojan

Malware Config

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Suspicious use of AdjustPrivilegeToken 31 IoCs

Processes:

aa4a6b78c9d23c605652f32644832f9a763d734f934aafc94993c6c6fb05bfaf.exe

description	pid	process
Token: SeDebugPrivilege	1404	aa4a6b78c9d23c605652f32644832f9a763d734f934aafc94993c6c6fb05bfaf.exe
Token: 33	1404	aa4a6b78c9d23c605652f32644832f9a763d734f934aafc94993c6c6fb05bfaf.exe
Token: SeIncBasePriorityPrivilege	1404	aa4a6b78c9d23c605652f32644832f9a763d734f934aafc94993c6c6fb05bfaf.exe
Token: 33	1404	aa4a6b78c9d23c605652f32644832f9a763d734f934aafc94993c6c6fb05bfaf.exe
Token: SeIncBasePriorityPrivilege	1404	aa4a6b78c9d23c605652f32644832f9a763d734f934aafc94993c6c6fb05bfaf.exe
Token: 33	1404	aa4a6b78c9d23c605652f32644832f9a763d734f934aafc94993c6c6fb05bfaf.exe
Token: SeIncBasePriorityPrivilege	1404	aa4a6b78c9d23c605652f32644832f9a763d734f934aafc94993c6c6fb05bfaf.exe
Token: 33	1404	aa4a6b78c9d23c605652f32644832f9a763d734f934aafc94993c6c6fb05bfaf.exe
Token: SeIncBasePriorityPrivilege	1404	aa4a6b78c9d23c605652f32644832f9a763d734f934aafc94993c6c6fb05bfaf.exe
Token: 33	1404	aa4a6b78c9d23c605652f32644832f9a763d734f934aafc94993c6c6fb05bfaf.exe
Token: SeIncBasePriorityPrivilege	1404	aa4a6b78c9d23c605652f32644832f9a763d734f934aafc94993c6c6fb05bfaf.exe
Token: 33	1404	aa4a6b78c9d23c605652f32644832f9a763d734f934aafc94993c6c6fb05bfaf.exe
Token: SeIncBasePriorityPrivilege	1404	aa4a6b78c9d23c605652f32644832f9a763d734f934aafc94993c6c6fb05bfaf.exe
Token: 33	1404	aa4a6b78c9d23c605652f32644832f9a763d734f934aafc94993c6c6fb05bfaf.exe
Token: SeIncBasePriorityPrivilege	1404	aa4a6b78c9d23c605652f32644832f9a763d734f934aafc94993c6c6fb05bfaf.exe
Token: 33	1404	aa4a6b78c9d23c605652f32644832f9a763d734f934aafc94993c6c6fb05bfaf.exe
Token: SeIncBasePriorityPrivilege	1404	aa4a6b78c9d23c605652f32644832f9a763d734f934aafc94993c6c6fb05bfaf.exe
Token: 33	1404	aa4a6b78c9d23c605652f32644832f9a763d734f934aafc94993c6c6fb05bfaf.exe
Token: SeIncBasePriorityPrivilege	1404	aa4a6b78c9d23c605652f32644832f9a763d734f934aafc94993c6c6fb05bfaf.exe
Token: 33	1404	aa4a6b78c9d23c605652f32644832f9a763d734f934aafc94993c6c6fb05bfaf.exe
Token: SeIncBasePriorityPrivilege	1404	aa4a6b78c9d23c605652f32644832f9a763d734f934aafc94993c6c6fb05bfaf.exe
Token: 33	1404	aa4a6b78c9d23c605652f32644832f9a763d734f934aafc94993c6c6fb05bfaf.exe
Token: SeIncBasePriorityPrivilege	1404	aa4a6b78c9d23c605652f32644832f9a763d734f934aafc94993c6c6fb05bfaf.exe
Token: 33	1404	aa4a6b78c9d23c605652f32644832f9a763d734f934aafc94993c6c6fb05bfaf.exe
Token: SeIncBasePriorityPrivilege	1404	aa4a6b78c9d23c605652f32644832f9a763d734f934aafc94993c6c6fb05bfaf.exe
Token: 33	1404	aa4a6b78c9d23c605652f32644832f9a763d734f934aafc94993c6c6fb05bfaf.exe
Token: SeIncBasePriorityPrivilege	1404	aa4a6b78c9d23c605652f32644832f9a763d734f934aafc94993c6c6fb05bfaf.exe
Token: 33	1404	aa4a6b78c9d23c605652f32644832f9a763d734f934aafc94993c6c6fb05bfaf.exe
Token: SeIncBasePriorityPrivilege	1404	aa4a6b78c9d23c605652f32644832f9a763d734f934aafc94993c6c6fb05bfaf.exe
Token: 33	1404	aa4a6b78c9d23c605652f32644832f9a763d734f934aafc94993c6c6fb05bfaf.exe
Token: SeIncBasePriorityPrivilege	1404	aa4a6b78c9d23c605652f32644832f9a763d734f934aafc94993c6c6fb05bfaf.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

aa4a6b78c9d23c605652f32644832f9a763d734f934aafc94993c6c6fb05bfaf.exe

description	pid	process	target process
PID 1404 wrote to memory of 1072	1404	aa4a6b78c9d23c605652f32644832f9a763d734f934aafc94993c6c6fb05bfaf.exe	netsh.exe
PID 1404 wrote to memory of 1072	1404	aa4a6b78c9d23c605652f32644832f9a763d734f934aafc94993c6c6fb05bfaf.exe	netsh.exe
PID 1404 wrote to memory of 1072	1404	aa4a6b78c9d23c605652f32644832f9a763d734f934aafc94993c6c6fb05bfaf.exe	netsh.exe
PID 1404 wrote to memory of 1072	1404	aa4a6b78c9d23c605652f32644832f9a763d734f934aafc94993c6c6fb05bfaf.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\aa4a6b78c9d23c605652f32644832f9a763d734f934aafc94993c6c6fb05bfaf.exe
"C:\Users\Admin\AppData\Local\Temp\aa4a6b78c9d23c605652f32644832f9a763d734f934aafc94993c6c6fb05bfaf.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1404
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\aa4a6b78c9d23c605652f32644832f9a763d734f934aafc94993c6c6fb05bfaf.exe" "aa4a6b78c9d23c605652f32644832f9a763d734f934aafc94993c6c6fb05bfaf.exe" ENABLE
  2⤵
  PID:1072

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1404-55-0x0000000075F81000-0x0000000075F83000-memory.dmp

Filesize
8KB

Download
memory/1404-56-0x00000000000E0000-0x0000000000120000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing