njrat | 0988bc6b04ac4c0f8475733199f1c1c18fcada9b972a906c3d80d62d6e7d343c

Analysis

max time kernel
18s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03-10-2022 01:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0988bc6b04ac4c0f8475733199f1c1c18fcada9b972a906c3d80d62d6e7d343c.exe
Size

222KB
MD5

3bf7caf61289891504b82a61e646f580
SHA1

b8205a7db4641c07bf3d5bb2addf3e03df52f707
SHA256

0988bc6b04ac4c0f8475733199f1c1c18fcada9b972a906c3d80d62d6e7d343c
SHA512

57f8904b3005517de9db78d2680499aa40960083de812805bf5b807fd694fe2b9a2a99f589c56a60f9eb9dcbb423b434dd042aec4fd514768b4fbe827136e851
SSDEEP

3072:bUN4EJaRilgqZqLYmDOZN/23Qp5oviiXpIv2U2y8J:2qilPOsN/2c5otX2v2U2

Score

10^/10

njrat hacked trojan

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

HacKed

alimohamed90.no-ip.biz:7991

Mutex

03cfa1487a94d2b11760b77d3e3b04b3

Attributes

reg_key
03cfa1487a94d2b11760b77d3e3b04b3
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Suspicious use of SetThreadContext 1 IoCs

Processes:

0988bc6b04ac4c0f8475733199f1c1c18fcada9b972a906c3d80d62d6e7d343c.exe

description	pid	process	target process
PID 240 set thread context of 936	240	0988bc6b04ac4c0f8475733199f1c1c18fcada9b972a906c3d80d62d6e7d343c.exe	0988bc6b04ac4c0f8475733199f1c1c18fcada9b972a906c3d80d62d6e7d343c.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

0988bc6b04ac4c0f8475733199f1c1c18fcada9b972a906c3d80d62d6e7d343c.exe

description	pid	process
Token: SeDebugPrivilege	240	0988bc6b04ac4c0f8475733199f1c1c18fcada9b972a906c3d80d62d6e7d343c.exe
Token: 33	240	0988bc6b04ac4c0f8475733199f1c1c18fcada9b972a906c3d80d62d6e7d343c.exe
Token: SeIncBasePriorityPrivilege	240	0988bc6b04ac4c0f8475733199f1c1c18fcada9b972a906c3d80d62d6e7d343c.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

0988bc6b04ac4c0f8475733199f1c1c18fcada9b972a906c3d80d62d6e7d343c.exe

description	pid	process	target process
PID 240 wrote to memory of 936	240	0988bc6b04ac4c0f8475733199f1c1c18fcada9b972a906c3d80d62d6e7d343c.exe	0988bc6b04ac4c0f8475733199f1c1c18fcada9b972a906c3d80d62d6e7d343c.exe
PID 240 wrote to memory of 936	240	0988bc6b04ac4c0f8475733199f1c1c18fcada9b972a906c3d80d62d6e7d343c.exe	0988bc6b04ac4c0f8475733199f1c1c18fcada9b972a906c3d80d62d6e7d343c.exe
PID 240 wrote to memory of 936	240	0988bc6b04ac4c0f8475733199f1c1c18fcada9b972a906c3d80d62d6e7d343c.exe	0988bc6b04ac4c0f8475733199f1c1c18fcada9b972a906c3d80d62d6e7d343c.exe
PID 240 wrote to memory of 936	240	0988bc6b04ac4c0f8475733199f1c1c18fcada9b972a906c3d80d62d6e7d343c.exe	0988bc6b04ac4c0f8475733199f1c1c18fcada9b972a906c3d80d62d6e7d343c.exe
PID 240 wrote to memory of 936	240	0988bc6b04ac4c0f8475733199f1c1c18fcada9b972a906c3d80d62d6e7d343c.exe	0988bc6b04ac4c0f8475733199f1c1c18fcada9b972a906c3d80d62d6e7d343c.exe
PID 240 wrote to memory of 936	240	0988bc6b04ac4c0f8475733199f1c1c18fcada9b972a906c3d80d62d6e7d343c.exe	0988bc6b04ac4c0f8475733199f1c1c18fcada9b972a906c3d80d62d6e7d343c.exe
PID 240 wrote to memory of 936	240	0988bc6b04ac4c0f8475733199f1c1c18fcada9b972a906c3d80d62d6e7d343c.exe	0988bc6b04ac4c0f8475733199f1c1c18fcada9b972a906c3d80d62d6e7d343c.exe
PID 240 wrote to memory of 936	240	0988bc6b04ac4c0f8475733199f1c1c18fcada9b972a906c3d80d62d6e7d343c.exe	0988bc6b04ac4c0f8475733199f1c1c18fcada9b972a906c3d80d62d6e7d343c.exe
PID 240 wrote to memory of 936	240	0988bc6b04ac4c0f8475733199f1c1c18fcada9b972a906c3d80d62d6e7d343c.exe	0988bc6b04ac4c0f8475733199f1c1c18fcada9b972a906c3d80d62d6e7d343c.exe

C:\Users\Admin\AppData\Local\Temp\0988bc6b04ac4c0f8475733199f1c1c18fcada9b972a906c3d80d62d6e7d343c.exe
"C:\Users\Admin\AppData\Local\Temp\0988bc6b04ac4c0f8475733199f1c1c18fcada9b972a906c3d80d62d6e7d343c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:240

C:\Users\Admin\AppData\Local\Temp\0988bc6b04ac4c0f8475733199f1c1c18fcada9b972a906c3d80d62d6e7d343c.exe
C:\Users\Admin\AppData\Local\Temp\0988bc6b04ac4c0f8475733199f1c1c18fcada9b972a906c3d80d62d6e7d343c.exe
2⤵
PID:936

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/240-54-0x0000000074AB1000-0x0000000074AB3000-memory.dmp

Filesize
8KB

Download
memory/240-55-0x0000000073E20000-0x00000000743CB000-memory.dmp

Filesize
5.7MB

Download
memory/240-58-0x0000000073E20000-0x00000000743CB000-memory.dmp

Filesize
5.7MB

Download
memory/936-56-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/936-57-0x0000000000408B0E-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads