njrat | 5ac858d76e8ff1f69dc3cc87f6fe63c705e73b91141468c2959aebaebeeeb5ed

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06-09-2022 04:08

Target

bEG2.exe
Size

23KB
MD5

c84b5aa41ceb238a9b328e4521c2903d
SHA1

6f75576e35f98544a7b938015a74498700aaacef
SHA256

5ac858d76e8ff1f69dc3cc87f6fe63c705e73b91141468c2959aebaebeeeb5ed
SHA512

0be8b058c02fe9429d5a742c859d4bf6b8f0a3fa78916d4be505d20e1a9eeb2e0f58a6aa3f7ea7d5b103465e3bd061ae21a7b30f27a48bdccc5b7a4bce2107e2
SSDEEP

384:ZweXCQIreJig/8Z7SS1fEBpng6tgL2IBPZVmRvR6JZlbw8hqIusZzZTH:eLq411eRpcnuk

Score

10^/10

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

3304 netsh.exe

pid	process
3304	netsh.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

bEG2.exe

description	pid	process
Token: SeDebugPrivilege	4444	bEG2.exe
Token: 33	4444	bEG2.exe
Token: SeIncBasePriorityPrivilege	4444	bEG2.exe
Token: 33	4444	bEG2.exe
Token: SeIncBasePriorityPrivilege	4444	bEG2.exe
Token: 33	4444	bEG2.exe
Token: SeIncBasePriorityPrivilege	4444	bEG2.exe
Token: 33	4444	bEG2.exe
Token: SeIncBasePriorityPrivilege	4444	bEG2.exe
Token: 33	4444	bEG2.exe
Token: SeIncBasePriorityPrivilege	4444	bEG2.exe
Token: 33	4444	bEG2.exe
Token: SeIncBasePriorityPrivilege	4444	bEG2.exe
Token: 33	4444	bEG2.exe
Token: SeIncBasePriorityPrivilege	4444	bEG2.exe
Token: 33	4444	bEG2.exe
Token: SeIncBasePriorityPrivilege	4444	bEG2.exe
Token: 33	4444	bEG2.exe
Token: SeIncBasePriorityPrivilege	4444	bEG2.exe
Token: 33	4444	bEG2.exe
Token: SeIncBasePriorityPrivilege	4444	bEG2.exe
Token: 33	4444	bEG2.exe
Token: SeIncBasePriorityPrivilege	4444	bEG2.exe
Token: 33	4444	bEG2.exe
Token: SeIncBasePriorityPrivilege	4444	bEG2.exe
Token: 33	4444	bEG2.exe
Token: SeIncBasePriorityPrivilege	4444	bEG2.exe
Token: 33	4444	bEG2.exe
Token: SeIncBasePriorityPrivilege	4444	bEG2.exe
Token: 33	4444	bEG2.exe
Token: SeIncBasePriorityPrivilege	4444	bEG2.exe
Token: 33	4444	bEG2.exe
Token: SeIncBasePriorityPrivilege	4444	bEG2.exe
Token: 33	4444	bEG2.exe
Token: SeIncBasePriorityPrivilege	4444	bEG2.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

bEG2.exe

description	pid	process	target process
PID 4444 wrote to memory of 3304	4444	bEG2.exe	netsh.exe
PID 4444 wrote to memory of 3304	4444	bEG2.exe	netsh.exe
PID 4444 wrote to memory of 3304	4444	bEG2.exe	netsh.exe

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\bEG2.exe" "bEG2.exe" ENABLE
2⤵
- Modifies Windows Firewall
PID:3304

Initial Access

Execution

Persistence

Modify Existing Service

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

memory/3304-133-0x0000000000000000-mapping.dmp

Download
memory/4444-132-0x0000000075310000-0x00000000758C1000-memory.dmp

Filesize
5.7MB

Download
memory/4444-134-0x0000000075310000-0x00000000758C1000-memory.dmp

Filesize
5.7MB

Download