njrat | f41ef98c543024f81a9f443613eae6eb09de3c7a310b8794ecc9baec31999ca2

Analysis

max time kernel
151s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
20-03-2023 19:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f7685475c0912b4e9a794fa8eeff885.exe
Size

23KB
MD5

0f7685475c0912b4e9a794fa8eeff885
SHA1

92ea844bbbd0331df646c3cde3d73b37863df312
SHA256

f41ef98c543024f81a9f443613eae6eb09de3c7a310b8794ecc9baec31999ca2
SHA512

2c90bf5f13cdbfd33857f1f0d214b8ee537b3fca09fdbdae727eb45db1f97a5c59f738252cceb2d31fa517b7cd25053af8c8e35fe1cdcae3161d52d50961f929
SSDEEP

384:X8aLWS0dABLYVq6RxP8MDFF09vK563gRMmJKUv0mRvR6JZlbw8hqIusZzZ3l:sXcwt3tRpcnuW

Score

10^/10

njrat evasion trojan

Malware Config

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
2832	netsh.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{9024872F-D319-4BD1-908F-81D21724EBD8}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{19E75953-F434-4D03-B5B1-D1D1C84D1519}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NXQXXLFST89.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NXQXXLFST89.dat	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat	svchost.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: SeDebugPrivilege	4316	0f7685475c0912b4e9a794fa8eeff885.exe
Token: 33	4316	0f7685475c0912b4e9a794fa8eeff885.exe
Token: SeIncBasePriorityPrivilege	4316	0f7685475c0912b4e9a794fa8eeff885.exe
Token: 33	4316	0f7685475c0912b4e9a794fa8eeff885.exe
Token: SeIncBasePriorityPrivilege	4316	0f7685475c0912b4e9a794fa8eeff885.exe
Token: 33	4316	0f7685475c0912b4e9a794fa8eeff885.exe
Token: SeIncBasePriorityPrivilege	4316	0f7685475c0912b4e9a794fa8eeff885.exe
Token: 33	4316	0f7685475c0912b4e9a794fa8eeff885.exe
Token: SeIncBasePriorityPrivilege	4316	0f7685475c0912b4e9a794fa8eeff885.exe
Token: 33	4316	0f7685475c0912b4e9a794fa8eeff885.exe
Token: SeIncBasePriorityPrivilege	4316	0f7685475c0912b4e9a794fa8eeff885.exe
Token: 33	4316	0f7685475c0912b4e9a794fa8eeff885.exe
Token: SeIncBasePriorityPrivilege	4316	0f7685475c0912b4e9a794fa8eeff885.exe
Token: 33	4316	0f7685475c0912b4e9a794fa8eeff885.exe
Token: SeIncBasePriorityPrivilege	4316	0f7685475c0912b4e9a794fa8eeff885.exe
Token: 33	4316	0f7685475c0912b4e9a794fa8eeff885.exe
Token: SeIncBasePriorityPrivilege	4316	0f7685475c0912b4e9a794fa8eeff885.exe
Token: 33	4316	0f7685475c0912b4e9a794fa8eeff885.exe
Token: SeIncBasePriorityPrivilege	4316	0f7685475c0912b4e9a794fa8eeff885.exe
Token: 33	4316	0f7685475c0912b4e9a794fa8eeff885.exe
Token: SeIncBasePriorityPrivilege	4316	0f7685475c0912b4e9a794fa8eeff885.exe
Token: 33	4316	0f7685475c0912b4e9a794fa8eeff885.exe
Token: SeIncBasePriorityPrivilege	4316	0f7685475c0912b4e9a794fa8eeff885.exe
Token: 33	4316	0f7685475c0912b4e9a794fa8eeff885.exe
Token: SeIncBasePriorityPrivilege	4316	0f7685475c0912b4e9a794fa8eeff885.exe
Token: 33	4316	0f7685475c0912b4e9a794fa8eeff885.exe
Token: SeIncBasePriorityPrivilege	4316	0f7685475c0912b4e9a794fa8eeff885.exe
Token: 33	4316	0f7685475c0912b4e9a794fa8eeff885.exe
Token: SeIncBasePriorityPrivilege	4316	0f7685475c0912b4e9a794fa8eeff885.exe
Token: 33	4316	0f7685475c0912b4e9a794fa8eeff885.exe
Token: SeIncBasePriorityPrivilege	4316	0f7685475c0912b4e9a794fa8eeff885.exe
Token: 33	4316	0f7685475c0912b4e9a794fa8eeff885.exe
Token: SeIncBasePriorityPrivilege	4316	0f7685475c0912b4e9a794fa8eeff885.exe
Token: 33	4316	0f7685475c0912b4e9a794fa8eeff885.exe
Token: SeIncBasePriorityPrivilege	4316	0f7685475c0912b4e9a794fa8eeff885.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4316 wrote to memory of 2832	4316	0f7685475c0912b4e9a794fa8eeff885.exe	89
PID 4316 wrote to memory of 2832	4316	0f7685475c0912b4e9a794fa8eeff885.exe	89
PID 4316 wrote to memory of 2832	4316	0f7685475c0912b4e9a794fa8eeff885.exe	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\0f7685475c0912b4e9a794fa8eeff885.exe
"C:\Users\Admin\AppData\Local\Temp\0f7685475c0912b4e9a794fa8eeff885.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4316
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\0f7685475c0912b4e9a794fa8eeff885.exe" "0f7685475c0912b4e9a794fa8eeff885.exe" ENABLE
  2⤵
  - Modifies Windows Firewall
  PID:2832

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
PID:464

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\wsu2B97.tmp

Filesize
14KB

MD5
c01eaa0bdcd7c30a42bbb35a9acbf574

SHA1
0aee3e1b873e41d040f1991819d0027b6cc68f54

SHA256
32297224427103aa1834dba276bf5d49cd5dd6bda0291422e47ad0d0706c6d40

SHA512
d26ff775ad39425933cd3df92209faa53ec5b701e65bfbcccc64ce8dd3e79f619a9bad7cc975a98a95f2006ae89e50551877fc315a3050e48d5ab89e0802e2b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsuD5E3.tmp

Filesize
36KB

MD5
761388ca8095173f6963b1d23ad8a68b

SHA1
41e2693d0efc36cb0b97ea215d554932c46464ab

SHA256
369a2323cb569b44970884d5af3d70e38c9cfb59a54d929fabb51ba46593aa06

SHA512
2db4576927b4325dc51ce1755d55b00f7153a10424ca79fb7f32f8c92a5dec899c3961b44a15a129f1e5234b53a89c8946192703b88b10e70e86670e5831ebdf

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
eb0453c63da750f3742d3bf53c681f6b

SHA1
9b2820e4513316fce585c5a50fda273fbe289889

SHA256
599a0b6eb00012cf9c641082d6415e1124a0e8107abeac7f56560719338e6664

SHA512
5ecee081dccd8c5ad489d169d3e6d5a898cdb9b389be2208d41f4c1546063c88c3c58c94f1aa3ede3602d59cb4f62fbad3029368b517f9ab203431f71b8fbd9c

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
be9f02c0144ded48aa88f2d2bbb1057d

SHA1
cd36e6965cc6dbfc464e08734fa490015c1d7251

SHA256
90f373ebaceea005904d6f9b447f8e5541f492cc7118dbd3eb908faee998d4f3

SHA512
81eff55d59f22004e0de9eb0c273c73dc670810b58d5d26c62c2248ca4234c51c9e83f1ad861b6ec25cbd27d0fce5119c9cdd080f14a4e0aa7211f111bc8931a

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
a9533dd31f7d4610b5f6db91a99f3376

SHA1
7f5341b05209e55558bd73b27b3ef32bedb4952b

SHA256
b7770fdc42209c207369e7a5865e733c3bdb76a11646cd6e2c26eb1d5c202855

SHA512
44cca8903ad91375072f2535a294bc4551272c3b7d7ee33b339826e841eae894934455516700c90c8b1f7c32e2acc86a091905851d06018173d97af03655457c

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
f106d687fafe8c176a1709dc306806c9

SHA1
68e5d1463c9d131d1926f539f58e6aeaf14cafff

SHA256
f91460968e14361a4c7a5c7243e97fb898f7c423a5dddb520813ccf51e41f1c7

SHA512
d7af9ec8aa627178e284e8d5eb3be93ffad7aeb572b4ef54b3d29c675a3da8a9873e498cfd083dd5a4c57ccafd1fa15c98bc670be4f283f3ce5be3e7ea841318

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
66ab9797f99c672b9aa0a07de1c49d28

SHA1
c7811d6a60e46c791b94497bcae094653ff31272

SHA256
63f415fa19d5ac8a5e11adf941a74af7eb196945b81139a05b67a5631231cb75

SHA512
efcb18eeb5af64d7079e67e9fb1946d948e92ea7ddfd044ba21102a145bb358897b37e4853439f078be927c529d73be53f5956f334d5484da4e974d40292c6a0

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
fb90b04614c2495f01bb64c8c6ab796d

SHA1
1761745f4dfbf781bee8fa65efac6fc818440d70

SHA256
dd91183cd95508aa9f3cb418aa4a313ed4ee64ecfa698e160d37d1de405a5b9f

SHA512
8d49fd7efa7521f400b27504f8d1baaded3b7a69936d9fd6e4972841d67a8fbe2a0a217eecbd6c754ca3274065cb0b99c60caddd044466f1af8d693f36f5d6bf

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
b6ea6be65212af8320417f7abcf9c260

SHA1
3a89333bb7d82a1a0abe2ae9f2ca1a87d405cffc

SHA256
4d631c40401611eb9e9cddb2ff60a73095342cdb7f7b856f6078c9cce06c217b

SHA512
04a33b38338274e4423de1542b468a699ed57a91da394fcb28c65121d5427e8b82da392d123b9914cc7b6c5d2e51a44e7f4ace5ddec19c5afc6106779cf34c16

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
93087c33ea591130ba7370fb41f79e28

SHA1
f1968a8e0b85066623956e6b56cc21b94479032d

SHA256
fc1285922cb8941c8f972cce262905166b9a55ab82c7e5c5b6b58b13626a8b9b

SHA512
986c90fe36f0aed0f318789c2c418dc94eab93ed9255d90bcc6d9c91bd7efce1cad389b5984c93a81ba2f888c04a1aba781cbd177296255558698a6799df2be8

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
991395a08f509e5beb4e7f5e9e83aabc

SHA1
87419a24f38673e982cc2100887920a2c0639de7

SHA256
978c33ee0645c33648c94f99876767c3e1093f203596f8ebe109d5866c625ab6

SHA512
051be7ee3989cf8a8638885f2238b2350a3ecc9c5f185f892f932b40847af74ddaca7df49c5c46062ad492b053d2360f59d522d469e40cb6b88c927e810465e3

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
0862bfda39fd0dbcb47a8a27eb7d1d05

SHA1
4cbe4b9897a3ea894585db5da13b9f0733d76a40

SHA256
44f504ce2d954aa3ca3a626c57b874b9f545136405b3def80e6d38caa33f0b24

SHA512
aa12f75f5c4b48e4b697233e9cef87c1fe100d353fda433cd8d5ab571118c999ccbdcc75b75dc4b9b19292f495013a531cd49d23c47239644066c4f75d49aa10

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
46d6faf89a4a88c860373d460960eb63

SHA1
939a2059f820721588bfd189f88d8a5f9d839928

SHA256
f2929fea7fd599d22c8719aa187917ee7cf53b29e6aebbc6ab45b2d675b5971d

SHA512
a5b522bbef5ce7b9802a1ddd20399b95671d3f5a005772e8fd897f1ad4d08765f88e529fa5c8a01b50fd0f650adc53b55c252d56dd0c35972dd3c86e7f67d583

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
a03952511e04b6cbbdb015ebca13bd1e

SHA1
3cd26036b752876015a45ef46a018a2ee2856a51

SHA256
7fbec779c76736a9902c5a13ffcd0bce5405514c1663acbd013e9c06fa824c1a

SHA512
fcb025821b83c9e7adb58f75058ffe1e8d23b14d58729b68c7cc55326935c7f2aba73aaa194a37d5ed682586b7e2d5e8bb8822cd952c8507d5dbe77fe926eb7d

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
cefd32a62473f03209e121f5bb5e475b

SHA1
26ea1a4c2733224fb4e16566891d9906fb58c516

SHA256
a6992f311dcb2d4c8ef0104542d4476594db7458e4548b0acc1f96406a9f36d5

SHA512
ab2beb45d2bda357e0a8bc3c23eea923c1c1f20356575893e816c63525671e3e9e6894fc3b3e8b2dc13283898e4b05a3ec87be7b9bf7defa564ee53c63932d66

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
dabd7771a8729a8f715c4e544c9b7575

SHA1
c8d41196a309fc16728ae22ece31dd11a8700ed9

SHA256
21df28a603cb000589c6afa7794190647c24ebaabdfe01f19c3eb2fa46f2b120

SHA512
ffc38bcdfa826b90d49a505e81306936ed8916693f51388cafaf8694d682915ca8b697b47e10c85bfa4854ec6a9362713e89e60b4c74d9c1025bed37ed66e28d

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
c0d3fb82fdc32fb7d550bacf38f6d98f

SHA1
9cc53a58cbf52929d596215cc8550b1d1cbb0f2d

SHA256
cc75555bc0e5aaa140fa35a8f254132da24ca2f30ea723f1acf44aaa2d76fafc

SHA512
20481ad5b5de53b289e5044861c429f363141334f0b4bd09a59979c22c9caa8091edaeb2fd54f76a8e55e215f9a5fce489e5a6719fdaf40c71464d54ec07d562

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NXQXXLFST89.dat

Filesize
66KB

MD5
3f3ae07dc37b9be55a44cd5b6c3d1dc7

SHA1
ebb84be03e0fa91d6393a663cf109f383a67b336

SHA256
75169f7343abf28925a2f672f797c2160e7472c931f775403a24afeafa2640e1

SHA512
3ca2f4a611cc2fef1aa7fff6787a38cd7b05298c20ef18aae23064cf89c88ed9a62ed817debd5f9963e69f628786959171f92e3f0c640d27667dc4933879448e

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NXQXXLFST89.dat

Filesize
66KB

MD5
63c6fb9b9a39db12fc7cdb560b7f5747

SHA1
7d2e1b44488d0a987b9d64e897fc0edf2ba37833

SHA256
f6d8d532294e4e84acf0de048cf9b5b326c403fceb1502e4e77cce995a452bcb

SHA512
1759554f8ed0e303fbbc69ac927ce010f1a6f0991c6607f7f09b0fa2a5cf32d1979f9994b8dfa83c4827cc52b024710031b1c41811ec90f5d973367b87124d33

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NXQXXLFST89.dat

Filesize
66KB

MD5
a82d6268f54afae86eda964eec353c7e

SHA1
31721df8994a12b74dd35b2791c16b66e943d5c4

SHA256
94a43d625b2541e6f58e171deee0ea27286ebb82009ea3afd973ee506018ebe3

SHA512
55b1612e7c9d85278c5a701f9f9ecc287cb20cffd8b5be351275fe8a3192658473f128b4958e2591ad80a9eddf57a68a3a99f357d58df62b91c912693b038b97

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NXQXXLFST89.dat

Filesize
66KB

MD5
c0ab474eb76112b0ddd8a1fe6d0e103c

SHA1
45fdd458042086e7c05b5cb9769c1accb7af61ed

SHA256
9850aa554896a137125407dc08ed3e276813c90fba089e5eafe751bbfc60940a

SHA512
02d5410b6689e6447fa4c39af18451f29ca08a6bdefd16d76097ec9e223a9dadc9e42e51fa5f1f8665b0e1279d6d17d0204b354e657dac14d3997d63c02b28b0

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NXQXXLFST89.dat

Filesize
66KB

MD5
8a5ad9d369f71a0f02aecb2cdf99963f

SHA1
d1784fcc38f94eeb61ea5737da9744c56abe4f39

SHA256
d641fff513e4b89c7016e98a4a9947cfcd887a470f9b051fddc7b8fd4fc7b09b

SHA512
3d2a5ba53669e1cb0ac9f7d4671e89f49cb295e3f2098c6b9b6852ebfa633be62c3da1434dc202280a0630d57251909f493f366fe93da5d0aa9a277e19578a13

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NXQXXLFST89.dat

Filesize
66KB

MD5
645603135894aa28eb94d5fcc36fcba2

SHA1
e351b7f9c3cd53f9659eabaf060c5623db0ee5f5

SHA256
23c37941d28243339036fb7e026d050de2c299a26a4481752e5a781a16e6c6d5

SHA512
cee7d65d4055de27e61f8efeda1fcebbb5fc5e255c96439a07732ab08c0dc7cc42ae649d166febf26a7872ea0e4f8a1d0056e7b8bff9b871d5d5b79811b5aabc

Download Submit
memory/4316-133-0x0000000000C40000-0x0000000000C50000-memory.dmp

Filesize
64KB

Download
memory/4316-136-0x0000000000C40000-0x0000000000C50000-memory.dmp

Filesize
64KB

Download