njrat | 3099206cb7db28552e5614d387e390516eb193259b400c2f6c9197e3d509b592

Resubmissions

04/01/2023, 16:49

230104-vbm8racc4z 10

04/01/2023, 12:54

230104-p49pkaff72 10

Analysis

max time kernel
9s
max time network
23s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
04/01/2023, 16:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

bI5I.exe
Size

25KB
MD5

6e09d0b1cab55f424bfe35bc8506b731
SHA1

96686edf4bcc7b9d6a4f2fc4d4090f636291b13a
SHA256

3099206cb7db28552e5614d387e390516eb193259b400c2f6c9197e3d509b592
SHA512

f8e3a93cb5651641b61528b59d05a6e4645eb8db236dd220856cd96aef89c3334fed336b38e42f6dc38e2f67f344cb985fa516a9436394901eeac2f41fc51d53
SSDEEP

384:eLhzkaJcPknNlxlehKNOYUikkdIVYlvM3iY2OzRLTm3yilqq6xpBtVvZ:IK0cu3reOELGlvqisFBVvZ

Score

10^/10

njrat hacked trojan

Malware Config

Extracted

Family

njrat

Version

0.7d By Pjoao1578

Botnet

HacKed

https://pastebin.com/raw/H9hfZYSE:7000

Mutex

6a2634340fbf8a0a2c038c6263d49fd1

Attributes

reg_key
6a2634340fbf8a0a2c038c6263d49fd1
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1496	bI5I.exe
Token: 33	1496	bI5I.exe
Token: SeIncBasePriorityPrivilege	1496	bI5I.exe

C:\Users\Admin\AppData\Local\Temp\bI5I.exe
"C:\Users\Admin\AppData\Local\Temp\bI5I.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1496

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Lateral Movement

Collection

Command and Control