njrat | b5a11b8a198e261609192e65ad1ef746cd2a87b1b94d99d6fb562c2437471303

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
15-08-2022 02:08

Target

bEiR.exe
Size

23KB
MD5

b4355ec0815354965333f61ef03df0b4
SHA1

a7ec0778d34b932de187d90c92e3af10b31088a2
SHA256

b5a11b8a198e261609192e65ad1ef746cd2a87b1b94d99d6fb562c2437471303
SHA512

6e43e7a33fb0e16999d48938fbc229cfc7367570f391a876be0df07df16f1038e118c59b7b68a767fb8bf9086dd1d620dca58e0b23e221842909f671ac047c99

Score

10^/10

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

4588 netsh.exe

pid	process
4588	netsh.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

bEiR.exe

description	pid	process
Token: SeDebugPrivilege	3516	bEiR.exe
Token: 33	3516	bEiR.exe
Token: SeIncBasePriorityPrivilege	3516	bEiR.exe
Token: 33	3516	bEiR.exe
Token: SeIncBasePriorityPrivilege	3516	bEiR.exe
Token: 33	3516	bEiR.exe
Token: SeIncBasePriorityPrivilege	3516	bEiR.exe
Token: 33	3516	bEiR.exe
Token: SeIncBasePriorityPrivilege	3516	bEiR.exe
Token: 33	3516	bEiR.exe
Token: SeIncBasePriorityPrivilege	3516	bEiR.exe
Token: 33	3516	bEiR.exe
Token: SeIncBasePriorityPrivilege	3516	bEiR.exe
Token: 33	3516	bEiR.exe
Token: SeIncBasePriorityPrivilege	3516	bEiR.exe
Token: 33	3516	bEiR.exe
Token: SeIncBasePriorityPrivilege	3516	bEiR.exe
Token: 33	3516	bEiR.exe
Token: SeIncBasePriorityPrivilege	3516	bEiR.exe
Token: 33	3516	bEiR.exe
Token: SeIncBasePriorityPrivilege	3516	bEiR.exe
Token: 33	3516	bEiR.exe
Token: SeIncBasePriorityPrivilege	3516	bEiR.exe
Token: 33	3516	bEiR.exe
Token: SeIncBasePriorityPrivilege	3516	bEiR.exe
Token: 33	3516	bEiR.exe
Token: SeIncBasePriorityPrivilege	3516	bEiR.exe
Token: 33	3516	bEiR.exe
Token: SeIncBasePriorityPrivilege	3516	bEiR.exe
Token: 33	3516	bEiR.exe
Token: SeIncBasePriorityPrivilege	3516	bEiR.exe
Token: 33	3516	bEiR.exe
Token: SeIncBasePriorityPrivilege	3516	bEiR.exe
Token: 33	3516	bEiR.exe
Token: SeIncBasePriorityPrivilege	3516	bEiR.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

bEiR.exe

description	pid	process	target process
PID 3516 wrote to memory of 4588	3516	bEiR.exe	netsh.exe
PID 3516 wrote to memory of 4588	3516	bEiR.exe	netsh.exe
PID 3516 wrote to memory of 4588	3516	bEiR.exe	netsh.exe

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\bEiR.exe" "bEiR.exe" ENABLE
2⤵
- Modifies Windows Firewall
PID:4588

Initial Access

Execution

Persistence

Modify Existing Service

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

memory/3516-132-0x0000000074F70000-0x0000000075521000-memory.dmp

Filesize
5.7MB

Download
memory/3516-134-0x0000000074F70000-0x0000000075521000-memory.dmp

Filesize
5.7MB

Download
memory/4588-133-0x0000000000000000-mapping.dmp

Download