njrat | e9f4c7190ff6c34f036720e246c62e26688f13ed3553f50a17d180a576dbf341

Analysis

max time kernel
149s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
16-08-2022 17:08

Target

bElw.exe
Size

23KB
MD5

7a4e65e91ae78468194bad4f8f2bc0f3
SHA1

35d151673768d4b8c6c54dafe93db450a546b56d
SHA256

e9f4c7190ff6c34f036720e246c62e26688f13ed3553f50a17d180a576dbf341
SHA512

b9e8d9899c6ba752473ffad41f21dbe60c4f7feec7c028725088a27570474b9486410e221cc58562ce6db9abe64fd95871e2237b8a82b1ecc6fd739d57042bda

Score

10^/10

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

4920 netsh.exe

pid	process
4920	netsh.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

bElw.exe

description	pid	process
Token: SeDebugPrivilege	2668	bElw.exe
Token: 33	2668	bElw.exe
Token: SeIncBasePriorityPrivilege	2668	bElw.exe
Token: 33	2668	bElw.exe
Token: SeIncBasePriorityPrivilege	2668	bElw.exe
Token: 33	2668	bElw.exe
Token: SeIncBasePriorityPrivilege	2668	bElw.exe
Token: 33	2668	bElw.exe
Token: SeIncBasePriorityPrivilege	2668	bElw.exe
Token: 33	2668	bElw.exe
Token: SeIncBasePriorityPrivilege	2668	bElw.exe
Token: 33	2668	bElw.exe
Token: SeIncBasePriorityPrivilege	2668	bElw.exe
Token: 33	2668	bElw.exe
Token: SeIncBasePriorityPrivilege	2668	bElw.exe
Token: 33	2668	bElw.exe
Token: SeIncBasePriorityPrivilege	2668	bElw.exe
Token: 33	2668	bElw.exe
Token: SeIncBasePriorityPrivilege	2668	bElw.exe
Token: 33	2668	bElw.exe
Token: SeIncBasePriorityPrivilege	2668	bElw.exe
Token: 33	2668	bElw.exe
Token: SeIncBasePriorityPrivilege	2668	bElw.exe
Token: 33	2668	bElw.exe
Token: SeIncBasePriorityPrivilege	2668	bElw.exe
Token: 33	2668	bElw.exe
Token: SeIncBasePriorityPrivilege	2668	bElw.exe
Token: 33	2668	bElw.exe
Token: SeIncBasePriorityPrivilege	2668	bElw.exe
Token: 33	2668	bElw.exe
Token: SeIncBasePriorityPrivilege	2668	bElw.exe
Token: 33	2668	bElw.exe
Token: SeIncBasePriorityPrivilege	2668	bElw.exe
Token: 33	2668	bElw.exe
Token: SeIncBasePriorityPrivilege	2668	bElw.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

bElw.exe

description	pid	process	target process
PID 2668 wrote to memory of 4920	2668	bElw.exe	netsh.exe
PID 2668 wrote to memory of 4920	2668	bElw.exe	netsh.exe
PID 2668 wrote to memory of 4920	2668	bElw.exe	netsh.exe

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\bElw.exe" "bElw.exe" ENABLE
2⤵
- Modifies Windows Firewall
PID:4920

Initial Access

Execution

Persistence

Modify Existing Service

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

memory/2668-132-0x00000000745F0000-0x0000000074BA1000-memory.dmp

Filesize
5.7MB

Download
memory/2668-134-0x00000000745F0000-0x0000000074BA1000-memory.dmp

Filesize
5.7MB

Download
memory/4920-133-0x0000000000000000-mapping.dmp

Download