njrat | b42314c9cd1826c4ed8daa6aa8449023295ea3617765c7a01c142602817f459a

General

Target

b42314c9cd1826c4ed8daa6aa8449023295ea3617765c7a01c142602817f459a.exe
Size

78KB
MD5

6bfc893d8c55135991684d2a1f22a870
SHA1

8547449eda6fe1e3ffb436ff1376b6300a3ffbfb
SHA256

b42314c9cd1826c4ed8daa6aa8449023295ea3617765c7a01c142602817f459a
SHA512

c8bcd2b259432c6d4eab48d7266538ea975ec6f4245b99906b5e5d33a2cbd810b67866b675cdc1da91b4e3dee24edaee824cecccb9981e1061ffe6720d1a81c1
SSDEEP

1536:qpye12WOmLwbCNwys6DGY9cabWdsbAwF6TQuLMmeQSdRmZv1V:qpye12KwUfDoabWYBF6JLMm/Sdw1V

Score

10^/10

njrat evasion trojan

Malware Config

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 2 IoCs

pid	Process
1316	TempAVG.exe
896	AVG.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
1780	netsh.exe

Loads dropped DLL 2 IoCs

pid	Process
1520	b42314c9cd1826c4ed8daa6aa8449023295ea3617765c7a01c142602817f459a.exe
1316	TempAVG.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
896	AVG.exe
896	AVG.exe
896	AVG.exe
896	AVG.exe
896	AVG.exe
896	AVG.exe
896	AVG.exe
896	AVG.exe
896	AVG.exe
896	AVG.exe
896	AVG.exe
896	AVG.exe
896	AVG.exe
896	AVG.exe
896	AVG.exe
896	AVG.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	896	AVG.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1520 wrote to memory of 1316	1520	b42314c9cd1826c4ed8daa6aa8449023295ea3617765c7a01c142602817f459a.exe	27
PID 1520 wrote to memory of 1316	1520	b42314c9cd1826c4ed8daa6aa8449023295ea3617765c7a01c142602817f459a.exe	27
PID 1520 wrote to memory of 1316	1520	b42314c9cd1826c4ed8daa6aa8449023295ea3617765c7a01c142602817f459a.exe	27
PID 1520 wrote to memory of 1316	1520	b42314c9cd1826c4ed8daa6aa8449023295ea3617765c7a01c142602817f459a.exe	27
PID 1316 wrote to memory of 896	1316	TempAVG.exe	28
PID 1316 wrote to memory of 896	1316	TempAVG.exe	28
PID 1316 wrote to memory of 896	1316	TempAVG.exe	28
PID 1316 wrote to memory of 896	1316	TempAVG.exe	28
PID 896 wrote to memory of 1780	896	AVG.exe	29
PID 896 wrote to memory of 1780	896	AVG.exe	29
PID 896 wrote to memory of 1780	896	AVG.exe	29
PID 896 wrote to memory of 1780	896	AVG.exe	29

C:\Users\Admin\AppData\Local\Temp\b42314c9cd1826c4ed8daa6aa8449023295ea3617765c7a01c142602817f459a.exe
"C:\Users\Admin\AppData\Local\Temp\b42314c9cd1826c4ed8daa6aa8449023295ea3617765c7a01c142602817f459a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1520
- C:\Users\Admin\AppData\Local\TempAVG.exe
  "C:\Users\Admin\AppData\Local\TempAVG.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1316
- - C:\Users\Admin\AppData\Local\Temp\AVG.exe
    "C:\Users\Admin\AppData\Local\Temp\AVG.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:896
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\AVG.exe" "AVG.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      PID:1780

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TempAVG.exe

Filesize
28KB

MD5
022c8c1248e87704f021aab0e9a4954b

SHA1
f033802a8d4c3144214ebcfa0224834149f9389f

SHA256
501e1d5b1c2b8e7b2ef51ea5b0485862e23858f781b0d271ff9a8ad3453a0956

SHA512
b1e434553dd0ddd1a1196a74b45f2bcbfd0a3d956200d368e202f0d8ab0f6a255089518b6456a457291fbf52385060b24ecdd56fac6e5be33e88298e505f9808

Download Submit
C:\Users\Admin\AppData\Local\TempAVG.exe

Filesize
28KB

MD5
022c8c1248e87704f021aab0e9a4954b

SHA1
f033802a8d4c3144214ebcfa0224834149f9389f

SHA256
501e1d5b1c2b8e7b2ef51ea5b0485862e23858f781b0d271ff9a8ad3453a0956

SHA512
b1e434553dd0ddd1a1196a74b45f2bcbfd0a3d956200d368e202f0d8ab0f6a255089518b6456a457291fbf52385060b24ecdd56fac6e5be33e88298e505f9808

Download Submit
C:\Users\Admin\AppData\Local\Temp\AVG.exe

Filesize
28KB

MD5
022c8c1248e87704f021aab0e9a4954b

SHA1
f033802a8d4c3144214ebcfa0224834149f9389f

SHA256
501e1d5b1c2b8e7b2ef51ea5b0485862e23858f781b0d271ff9a8ad3453a0956

SHA512
b1e434553dd0ddd1a1196a74b45f2bcbfd0a3d956200d368e202f0d8ab0f6a255089518b6456a457291fbf52385060b24ecdd56fac6e5be33e88298e505f9808

Download Submit
C:\Users\Admin\AppData\Local\Temp\AVG.exe

Filesize
28KB

MD5
022c8c1248e87704f021aab0e9a4954b

SHA1
f033802a8d4c3144214ebcfa0224834149f9389f

SHA256
501e1d5b1c2b8e7b2ef51ea5b0485862e23858f781b0d271ff9a8ad3453a0956

SHA512
b1e434553dd0ddd1a1196a74b45f2bcbfd0a3d956200d368e202f0d8ab0f6a255089518b6456a457291fbf52385060b24ecdd56fac6e5be33e88298e505f9808

Download Submit
\Users\Admin\AppData\Local\TempAVG.exe

Filesize
28KB

MD5
022c8c1248e87704f021aab0e9a4954b

SHA1
f033802a8d4c3144214ebcfa0224834149f9389f

SHA256
501e1d5b1c2b8e7b2ef51ea5b0485862e23858f781b0d271ff9a8ad3453a0956

SHA512
b1e434553dd0ddd1a1196a74b45f2bcbfd0a3d956200d368e202f0d8ab0f6a255089518b6456a457291fbf52385060b24ecdd56fac6e5be33e88298e505f9808

Download Submit
\Users\Admin\AppData\Local\Temp\AVG.exe

Filesize
28KB

MD5
022c8c1248e87704f021aab0e9a4954b

SHA1
f033802a8d4c3144214ebcfa0224834149f9389f

SHA256
501e1d5b1c2b8e7b2ef51ea5b0485862e23858f781b0d271ff9a8ad3453a0956

SHA512
b1e434553dd0ddd1a1196a74b45f2bcbfd0a3d956200d368e202f0d8ab0f6a255089518b6456a457291fbf52385060b24ecdd56fac6e5be33e88298e505f9808

Download Submit
memory/896-70-0x0000000074A90000-0x000000007503B000-memory.dmp

Filesize
5.7MB

Download
memory/896-71-0x0000000074A90000-0x000000007503B000-memory.dmp

Filesize
5.7MB

Download
memory/1316-68-0x0000000074A90000-0x000000007503B000-memory.dmp

Filesize
5.7MB

Download
memory/1520-54-0x0000000001390000-0x00000000013AA000-memory.dmp

Filesize
104KB

Download
memory/1520-56-0x0000000075CF1000-0x0000000075CF3000-memory.dmp

Filesize
8KB

Download
memory/1520-55-0x00000000003D0000-0x00000000003DE000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing