njrat | dc8bfeafe82d1216850834deb12cf331e7920dff641d652d3a0652c9d32cf09e

General

Target

dc8bfeafe82d1216850834deb12cf331e7920dff641d652d3a0652c9d32cf09e.exe
Size

275KB
MD5

6ec21f506d9b403b147d9fe40ca7ebd3
SHA1

455db25e659fa157b0ce4cdcdc32c865b2f6b1e2
SHA256

dc8bfeafe82d1216850834deb12cf331e7920dff641d652d3a0652c9d32cf09e
SHA512

72d34c4b2517a6d709bb2c710bf54f9974b692c86fcf178749b2357dcc3b257bad86e3f1cec8ea1fed8871adac56ac48d8cecba3bfcef49a094fd40e29e10992

Score

10^/10

njrat lime trojan

Malware Config

Extracted

Family

njrat

Version

0.7.3

Botnet

Lime

C2

kornporp.duckdns.org:6699

Mutex

Client.exe

Attributes

reg_key
Client.exe
splitter
luffy

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Suspicious use of SetThreadContext 1 IoCs

Processes:

dc8bfeafe82d1216850834deb12cf331e7920dff641d652d3a0652c9d32cf09e.exe

description	pid	process	target process
PID 1840 set thread context of 1440	1840	dc8bfeafe82d1216850834deb12cf331e7920dff641d652d3a0652c9d32cf09e.exe	InstallUtil.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

Powershell.exe

pid process

1176 Powershell.exe

pid	process
1176	Powershell.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

dc8bfeafe82d1216850834deb12cf331e7920dff641d652d3a0652c9d32cf09e.exePowershell.exeInstallUtil.exe

description	pid	process
Token: SeDebugPrivilege	1840	dc8bfeafe82d1216850834deb12cf331e7920dff641d652d3a0652c9d32cf09e.exe
Token: SeDebugPrivilege	1176	Powershell.exe
Token: SeDebugPrivilege	1440	InstallUtil.exe
Token: 33	1440	InstallUtil.exe
Token: SeIncBasePriorityPrivilege	1440	InstallUtil.exe
Token: 33	1440	InstallUtil.exe
Token: SeIncBasePriorityPrivilege	1440	InstallUtil.exe
Token: 33	1440	InstallUtil.exe
Token: SeIncBasePriorityPrivilege	1440	InstallUtil.exe
Token: 33	1440	InstallUtil.exe
Token: SeIncBasePriorityPrivilege	1440	InstallUtil.exe
Token: 33	1440	InstallUtil.exe
Token: SeIncBasePriorityPrivilege	1440	InstallUtil.exe
Token: 33	1440	InstallUtil.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

dc8bfeafe82d1216850834deb12cf331e7920dff641d652d3a0652c9d32cf09e.exe

description	pid	process	target process
PID 1840 wrote to memory of 1440	1840	dc8bfeafe82d1216850834deb12cf331e7920dff641d652d3a0652c9d32cf09e.exe	InstallUtil.exe
PID 1840 wrote to memory of 1440	1840	dc8bfeafe82d1216850834deb12cf331e7920dff641d652d3a0652c9d32cf09e.exe	InstallUtil.exe
PID 1840 wrote to memory of 1440	1840	dc8bfeafe82d1216850834deb12cf331e7920dff641d652d3a0652c9d32cf09e.exe	InstallUtil.exe
PID 1840 wrote to memory of 1440	1840	dc8bfeafe82d1216850834deb12cf331e7920dff641d652d3a0652c9d32cf09e.exe	InstallUtil.exe
PID 1840 wrote to memory of 1440	1840	dc8bfeafe82d1216850834deb12cf331e7920dff641d652d3a0652c9d32cf09e.exe	InstallUtil.exe
PID 1840 wrote to memory of 1440	1840	dc8bfeafe82d1216850834deb12cf331e7920dff641d652d3a0652c9d32cf09e.exe	InstallUtil.exe
PID 1840 wrote to memory of 1440	1840	dc8bfeafe82d1216850834deb12cf331e7920dff641d652d3a0652c9d32cf09e.exe	InstallUtil.exe
PID 1840 wrote to memory of 1440	1840	dc8bfeafe82d1216850834deb12cf331e7920dff641d652d3a0652c9d32cf09e.exe	InstallUtil.exe
PID 1840 wrote to memory of 1440	1840	dc8bfeafe82d1216850834deb12cf331e7920dff641d652d3a0652c9d32cf09e.exe	InstallUtil.exe
PID 1840 wrote to memory of 1440	1840	dc8bfeafe82d1216850834deb12cf331e7920dff641d652d3a0652c9d32cf09e.exe	InstallUtil.exe
PID 1840 wrote to memory of 1440	1840	dc8bfeafe82d1216850834deb12cf331e7920dff641d652d3a0652c9d32cf09e.exe	InstallUtil.exe
PID 1840 wrote to memory of 1440	1840	dc8bfeafe82d1216850834deb12cf331e7920dff641d652d3a0652c9d32cf09e.exe	InstallUtil.exe
PID 1840 wrote to memory of 1176	1840	dc8bfeafe82d1216850834deb12cf331e7920dff641d652d3a0652c9d32cf09e.exe	Powershell.exe
PID 1840 wrote to memory of 1176	1840	dc8bfeafe82d1216850834deb12cf331e7920dff641d652d3a0652c9d32cf09e.exe	Powershell.exe
PID 1840 wrote to memory of 1176	1840	dc8bfeafe82d1216850834deb12cf331e7920dff641d652d3a0652c9d32cf09e.exe	Powershell.exe
PID 1840 wrote to memory of 1176	1840	dc8bfeafe82d1216850834deb12cf331e7920dff641d652d3a0652c9d32cf09e.exe	Powershell.exe

C:\Users\Admin\AppData\Local\Temp\dc8bfeafe82d1216850834deb12cf331e7920dff641d652d3a0652c9d32cf09e.exe
"C:\Users\Admin\AppData\Local\Temp\dc8bfeafe82d1216850834deb12cf331e7920dff641d652d3a0652c9d32cf09e.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1840

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1440

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
"Powershell" Add-MpPreference -ExclusionPath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Mapeosql\Mapeosql.exe"'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1176

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1176-67-0x0000000000000000-mapping.dmp

Download
memory/1176-70-0x0000000070E70000-0x000000007141B000-memory.dmp

Filesize
5.7MB

Download
memory/1440-61-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1440-57-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1440-58-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1440-60-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1440-62-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1440-63-0x0000000000414E4E-mapping.dmp

Download
memory/1440-68-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1440-65-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1840-54-0x0000000000E20000-0x0000000000E6A000-memory.dmp

Filesize
296KB

Download
memory/1840-56-0x00000000003B0000-0x00000000003F8000-memory.dmp

Filesize
288KB

Download
memory/1840-55-0x00000000751C1000-0x00000000751C3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads