Malware Analysis Report

2025-06-16 06:50

Sample ID: 220921-rrv2ragea9
Target: file.ps1
SHA256: 334d41d1daf71550a19c4c241ab83af52c942da8b53e5ef55be61984050215e5
Tags: njrat, nyan cat, trojan
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: 334d41d1daf71550a19c4c241ab83af52c942da8b53e5ef55be61984050215e5

Threat Level: Known bad

The file file.ps1 was found to be: Known bad.

Malicious Activity Summary

Tags: njrat, nyan cat, trojan

njRAT/Bladabindi

Blocklisted process makes network request

Drops startup file

Suspicious use of SetThreadContext

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2022-09-21 14:26

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-09-21 14:26
Reported: 2022-09-21 14:30
Platform: win7-20220812-en
Max time kernel: 41s
Max time network: 44s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\file.ps1

Signatures

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\file.ps1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | contadoreshbc.com | udp
US | 52.72.49.79:443 | contadoreshbc.com | tcp
US | 52.72.49.79:443 | contadoreshbc.com | tcp

Files


Analysis: behavioral2

Detonation Overview

Submitted: 2022-09-21 14:26
Reported: 2022-09-21 14:30
Platform: win10v2004-20220812-en
Max time kernel: 152s
Max time network: 176s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\file.ps1

Signatures

njRAT/Bladabindi

Tags: trojan, njrat

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\notepad.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1112 set thread context of 3068 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
Token: 33 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1112 wrote to memory of 3404 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe
PID 1112 wrote to memory of 3404 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe
PID 1112 wrote to memory of 3068 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1112 wrote to memory of 3068 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1112 wrote to memory of 3068 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1112 wrote to memory of 3068 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1112 wrote to memory of 3068 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1112 wrote to memory of 3068 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1112 wrote to memory of 3068 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1112 wrote to memory of 3068 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3068 wrote to memory of 3512 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Windows\SysWOW64\cmd.exe
PID 3068 wrote to memory of 3512 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Windows\SysWOW64\cmd.exe
PID 3068 wrote to memory of 3512 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Windows\SysWOW64\cmd.exe

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\file.ps1

C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination C:\Windows\Temp\Done.vbs

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C Y /N /D Y /T 1 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | contadoreshbc.com | udp
US | 52.72.49.79:443 | contadoreshbc.com | tcp
US | 8.8.8.8:53 | firebasestorage.googleapis.com | udp
NL | 142.250.179.202:443 | firebasestorage.googleapis.com | tcp
US | 93.184.220.29:80 | N/A | tcp
US | 93.184.220.29:80 | N/A | tcp
US | 93.184.220.29:80 | N/A | tcp
US | 8.8.8.8:53 | schoolcrypter.com | udp
US | 52.72.49.79:443 | schoolcrypter.com | tcp
US | 8.8.8.8:53 | cdn.discordapp.com | udp
US | 162.159.130.233:443 | cdn.discordapp.com | tcp
US | 8.8.8.8:53 | envios000.duckdns.org | udp
SE | 46.246.84.3:7777 | envios000.duckdns.org | tcp
US | 8.253.225.254:80 | N/A | tcp
US | 8.253.225.254:80 | N/A | tcp
US | 209.197.3.8:80 | N/A | tcp
US | 20.42.72.131:443 | N/A | tcp

Files


C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5: 5a0a1671f3117ae81bc90e79eac37471
SHA1: e102d030a87a2d6243344b26344636e94ce13572
SHA256: 228ede5639b6eeaab79ba585854e63b701147e30d8871c998208171e34d6747a
SHA512: f84a29cdc79a2788c2e2d95cc7f357661f60592a34095401b4ff585a05d08b2f6a22c38e72ecada6a88d3b1665c850719817bac9aa1e5dcdef61130779ecdbff

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5: 6cf293cb4d80be23433eecf74ddb5503
SHA1: 24fe4752df102c2ef492954d6b046cb5512ad408
SHA256: b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA512: 0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00
