njrat | 5710012c6323375e01de7eceb82944bd3d36943a1f74f27ba9d48b032a3080ad

General

Target

5710012c6323375e01de7eceb82944bd3d36943a1f74f27ba9d48b032a3080ad.exe
Size

31KB
MD5

e8c14a47cc53dd86138391651a09a4c7
SHA1

5794068854ce62958b24b58ed87d1b5aedc2fd9d
SHA256

5710012c6323375e01de7eceb82944bd3d36943a1f74f27ba9d48b032a3080ad
SHA512

7c0244e3b29cd0a36ab7c1a80da6d9898e3bf72bfa6814f37d130a4f03129e2e0c1873594ba46f487a5fcf28a57a9fb43d66fe8b67d91e045fdece0bc41b186e

Score

10^/10

njrat evasion suricata trojan

Malware Config

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Suspicious use of AdjustPrivilegeToken 29 IoCs

Processes:

5710012c6323375e01de7eceb82944bd3d36943a1f74f27ba9d48b032a3080ad.exe

description	pid	process
Token: SeDebugPrivilege	1932	5710012c6323375e01de7eceb82944bd3d36943a1f74f27ba9d48b032a3080ad.exe
Token: 33	1932	5710012c6323375e01de7eceb82944bd3d36943a1f74f27ba9d48b032a3080ad.exe
Token: SeIncBasePriorityPrivilege	1932	5710012c6323375e01de7eceb82944bd3d36943a1f74f27ba9d48b032a3080ad.exe
Token: 33	1932	5710012c6323375e01de7eceb82944bd3d36943a1f74f27ba9d48b032a3080ad.exe
Token: SeIncBasePriorityPrivilege	1932	5710012c6323375e01de7eceb82944bd3d36943a1f74f27ba9d48b032a3080ad.exe
Token: 33	1932	5710012c6323375e01de7eceb82944bd3d36943a1f74f27ba9d48b032a3080ad.exe
Token: SeIncBasePriorityPrivilege	1932	5710012c6323375e01de7eceb82944bd3d36943a1f74f27ba9d48b032a3080ad.exe
Token: 33	1932	5710012c6323375e01de7eceb82944bd3d36943a1f74f27ba9d48b032a3080ad.exe
Token: SeIncBasePriorityPrivilege	1932	5710012c6323375e01de7eceb82944bd3d36943a1f74f27ba9d48b032a3080ad.exe
Token: 33	1932	5710012c6323375e01de7eceb82944bd3d36943a1f74f27ba9d48b032a3080ad.exe
Token: SeIncBasePriorityPrivilege	1932	5710012c6323375e01de7eceb82944bd3d36943a1f74f27ba9d48b032a3080ad.exe
Token: 33	1932	5710012c6323375e01de7eceb82944bd3d36943a1f74f27ba9d48b032a3080ad.exe
Token: SeIncBasePriorityPrivilege	1932	5710012c6323375e01de7eceb82944bd3d36943a1f74f27ba9d48b032a3080ad.exe
Token: 33	1932	5710012c6323375e01de7eceb82944bd3d36943a1f74f27ba9d48b032a3080ad.exe
Token: SeIncBasePriorityPrivilege	1932	5710012c6323375e01de7eceb82944bd3d36943a1f74f27ba9d48b032a3080ad.exe
Token: 33	1932	5710012c6323375e01de7eceb82944bd3d36943a1f74f27ba9d48b032a3080ad.exe
Token: SeIncBasePriorityPrivilege	1932	5710012c6323375e01de7eceb82944bd3d36943a1f74f27ba9d48b032a3080ad.exe
Token: 33	1932	5710012c6323375e01de7eceb82944bd3d36943a1f74f27ba9d48b032a3080ad.exe
Token: SeIncBasePriorityPrivilege	1932	5710012c6323375e01de7eceb82944bd3d36943a1f74f27ba9d48b032a3080ad.exe
Token: 33	1932	5710012c6323375e01de7eceb82944bd3d36943a1f74f27ba9d48b032a3080ad.exe
Token: SeIncBasePriorityPrivilege	1932	5710012c6323375e01de7eceb82944bd3d36943a1f74f27ba9d48b032a3080ad.exe
Token: 33	1932	5710012c6323375e01de7eceb82944bd3d36943a1f74f27ba9d48b032a3080ad.exe
Token: SeIncBasePriorityPrivilege	1932	5710012c6323375e01de7eceb82944bd3d36943a1f74f27ba9d48b032a3080ad.exe
Token: 33	1932	5710012c6323375e01de7eceb82944bd3d36943a1f74f27ba9d48b032a3080ad.exe
Token: SeIncBasePriorityPrivilege	1932	5710012c6323375e01de7eceb82944bd3d36943a1f74f27ba9d48b032a3080ad.exe
Token: 33	1932	5710012c6323375e01de7eceb82944bd3d36943a1f74f27ba9d48b032a3080ad.exe
Token: SeIncBasePriorityPrivilege	1932	5710012c6323375e01de7eceb82944bd3d36943a1f74f27ba9d48b032a3080ad.exe
Token: 33	1932	5710012c6323375e01de7eceb82944bd3d36943a1f74f27ba9d48b032a3080ad.exe
Token: SeIncBasePriorityPrivilege	1932	5710012c6323375e01de7eceb82944bd3d36943a1f74f27ba9d48b032a3080ad.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

5710012c6323375e01de7eceb82944bd3d36943a1f74f27ba9d48b032a3080ad.exe

description	pid	process	target process
PID 1932 wrote to memory of 4044	1932	5710012c6323375e01de7eceb82944bd3d36943a1f74f27ba9d48b032a3080ad.exe	netsh.exe
PID 1932 wrote to memory of 4044	1932	5710012c6323375e01de7eceb82944bd3d36943a1f74f27ba9d48b032a3080ad.exe	netsh.exe
PID 1932 wrote to memory of 4044	1932	5710012c6323375e01de7eceb82944bd3d36943a1f74f27ba9d48b032a3080ad.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\5710012c6323375e01de7eceb82944bd3d36943a1f74f27ba9d48b032a3080ad.exe
"C:\Users\Admin\AppData\Local\Temp\5710012c6323375e01de7eceb82944bd3d36943a1f74f27ba9d48b032a3080ad.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1932

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\5710012c6323375e01de7eceb82944bd3d36943a1f74f27ba9d48b032a3080ad.exe" "5710012c6323375e01de7eceb82944bd3d36943a1f74f27ba9d48b032a3080ad.exe" ENABLE
2⤵
PID:4044

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1932-130-0x0000000075270000-0x0000000075821000-memory.dmp

Filesize
5.7MB

Download
memory/4044-131-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing