njrat | e0ac682aeb11e5f6edef9ee02bc9265baaa0f5895df6096a3534e866bd7cbea9

General

Target

e0ac682aeb11e5f6edef9ee02bc9265baaa0f5895df6096a3534e866bd7cbea9.exe
Size

25KB
MD5

f59de44b51e940063ae0e918a64e5038
SHA1

85e2dc244271db156564009ed0cab7a1746626ad
SHA256

e0ac682aeb11e5f6edef9ee02bc9265baaa0f5895df6096a3534e866bd7cbea9
SHA512

2d10b0446f74d03c4813399fab386f6d2a3420a3a4f4dcbcd2d6f770aa24302a202faa450b34b9b64a1abaa238ba4bd9e7e5731bd7ccc81c36afba78f250ab36

Score

10^/10

njrat hacked suricata trojan

Malware Config

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

HacKed

C2

0.tcp.ngrok.io:11485

Mutex

Windows Update

Attributes

reg_key
Windows Update
splitter
|Hassan|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

e0ac682aeb11e5f6edef9ee02bc9265baaa0f5895df6096a3534e866bd7cbea9.exe

pid process

1868 e0ac682aeb11e5f6edef9ee02bc9265baaa0f5895df6096a3534e866bd7cbea9.exe

pid	process
1868	e0ac682aeb11e5f6edef9ee02bc9265baaa0f5895df6096a3534e866bd7cbea9.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

Processes:

e0ac682aeb11e5f6edef9ee02bc9265baaa0f5895df6096a3534e866bd7cbea9.exe

description	pid	process
Token: SeDebugPrivilege	1868	e0ac682aeb11e5f6edef9ee02bc9265baaa0f5895df6096a3534e866bd7cbea9.exe
Token: 33	1868	e0ac682aeb11e5f6edef9ee02bc9265baaa0f5895df6096a3534e866bd7cbea9.exe
Token: SeIncBasePriorityPrivilege	1868	e0ac682aeb11e5f6edef9ee02bc9265baaa0f5895df6096a3534e866bd7cbea9.exe
Token: 33	1868	e0ac682aeb11e5f6edef9ee02bc9265baaa0f5895df6096a3534e866bd7cbea9.exe
Token: SeIncBasePriorityPrivilege	1868	e0ac682aeb11e5f6edef9ee02bc9265baaa0f5895df6096a3534e866bd7cbea9.exe
Token: 33	1868	e0ac682aeb11e5f6edef9ee02bc9265baaa0f5895df6096a3534e866bd7cbea9.exe
Token: SeIncBasePriorityPrivilege	1868	e0ac682aeb11e5f6edef9ee02bc9265baaa0f5895df6096a3534e866bd7cbea9.exe
Token: 33	1868	e0ac682aeb11e5f6edef9ee02bc9265baaa0f5895df6096a3534e866bd7cbea9.exe
Token: SeIncBasePriorityPrivilege	1868	e0ac682aeb11e5f6edef9ee02bc9265baaa0f5895df6096a3534e866bd7cbea9.exe
Token: 33	1868	e0ac682aeb11e5f6edef9ee02bc9265baaa0f5895df6096a3534e866bd7cbea9.exe
Token: SeIncBasePriorityPrivilege	1868	e0ac682aeb11e5f6edef9ee02bc9265baaa0f5895df6096a3534e866bd7cbea9.exe
Token: 33	1868	e0ac682aeb11e5f6edef9ee02bc9265baaa0f5895df6096a3534e866bd7cbea9.exe
Token: SeIncBasePriorityPrivilege	1868	e0ac682aeb11e5f6edef9ee02bc9265baaa0f5895df6096a3534e866bd7cbea9.exe
Token: 33	1868	e0ac682aeb11e5f6edef9ee02bc9265baaa0f5895df6096a3534e866bd7cbea9.exe
Token: SeIncBasePriorityPrivilege	1868	e0ac682aeb11e5f6edef9ee02bc9265baaa0f5895df6096a3534e866bd7cbea9.exe
Token: 33	1868	e0ac682aeb11e5f6edef9ee02bc9265baaa0f5895df6096a3534e866bd7cbea9.exe
Token: SeIncBasePriorityPrivilege	1868	e0ac682aeb11e5f6edef9ee02bc9265baaa0f5895df6096a3534e866bd7cbea9.exe
Token: 33	1868	e0ac682aeb11e5f6edef9ee02bc9265baaa0f5895df6096a3534e866bd7cbea9.exe
Token: SeIncBasePriorityPrivilege	1868	e0ac682aeb11e5f6edef9ee02bc9265baaa0f5895df6096a3534e866bd7cbea9.exe

C:\Users\Admin\AppData\Local\Temp\e0ac682aeb11e5f6edef9ee02bc9265baaa0f5895df6096a3534e866bd7cbea9.exe
"C:\Users\Admin\AppData\Local\Temp\e0ac682aeb11e5f6edef9ee02bc9265baaa0f5895df6096a3534e866bd7cbea9.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1868

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1868-54-0x0000000000BE0000-0x0000000000BE8000-memory.dmp

Filesize
32KB

Download
memory/1868-55-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing