Overview

overview

10

Static

static

6bb3c42d9e...39.exe

windows7_x64

10

6bb3c42d9e...39.exe

windows10_x64

5

Analysis

  • max time kernel
    151s
  • max time network
    168s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    29-01-2022 15:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6bb3c42d9ed6d25bd82fa8568cee962b6e10edddc38bc5273e97e5128872ae39.exe

  • Size

    169KB

  • MD5

    d3c8ecf591381b31d3aa796471b5b0f1

  • SHA1

    efb8b908c614ef0dc791e53ad579485bc6f5e33b

  • SHA256

    6bb3c42d9ed6d25bd82fa8568cee962b6e10edddc38bc5273e97e5128872ae39

  • SHA512

    a49d1bef7ae6e40809efe3055a78ef5d2b8c8ecbafc4499c834c80c4ad7cd1aa839e9a0914902e86b1307324b4b3d8c5f097a741ec598f1a8dd333276d54748a

Score
10/10
njrathackedevasiontrojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

hackteam1.spdns.de:448

Mutex

ee43fb1332f52f77309d2a27f7deccfc

Attributes
  • reg_key

    ee43fb1332f52f77309d2a27f7deccfc

  • splitter

    |'|'|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Modifies Windows Firewall 1 TTPs
    evasion
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 32 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6bb3c42d9ed6d25bd82fa8568cee962b6e10edddc38bc5273e97e5128872ae39.exe
    "C:\Users\Admin\AppData\Local\Temp\6bb3c42d9ed6d25bd82fa8568cee962b6e10edddc38bc5273e97e5128872ae39.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1508
    • C:\Users\Admin\AppData\Local\Temp\6bb3c42d9ed6d25bd82fa8568cee962b6e10edddc38bc5273e97e5128872ae39.exe
      C:\Users\Admin\AppData\Local\Temp\6bb3c42d9ed6d25bd82fa8568cee962b6e10edddc38bc5273e97e5128872ae39.exe
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1912
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\6bb3c42d9ed6d25bd82fa8568cee962b6e10edddc38bc5273e97e5128872ae39.exe" "6bb3c42d9ed6d25bd82fa8568cee962b6e10edddc38bc5273e97e5128872ae39.exe" ENABLE
        3⤵
          PID:668

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Modify Existing Service

    1
    T1031

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/668-57-0x0000000076911000-0x0000000076913000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1508-54-0x0000000000380000-0x00000000003B2000-memory.dmp
      Filesize

      200KB

      Download
    • memory/1912-55-0x0000000000400000-0x000000000040C000-memory.dmp
      Filesize

      48KB

      Download
    • memory/1912-56-0x0000000000400000-0x000000000040C000-memory.dmp
      Filesize

      48KB

      Download
    • memory/1912-58-0x0000000000420000-0x0000000000421000-memory.dmp
      Filesize

      4KB

      Download