njrat | 3c8ae458a96eb7500d2c065c8232645ba3961e981bfaa1e4cbaf6f5d5558ee64

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
19/07/2023, 19:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1d1e55d56501a4c020359838798b5e9c.exe
Size

208KB
MD5

1d1e55d56501a4c020359838798b5e9c
SHA1

049e20770fd71194141c2c0debdfafd317c56ca4
SHA256

3c8ae458a96eb7500d2c065c8232645ba3961e981bfaa1e4cbaf6f5d5558ee64
SHA512

054798f7f84677e07ecd1f19f4b387afbc24ad01bb3079b61eed182148a06e87595799816ee1931c15181097cbc769bbaa7d43c6dc04c669800272240d924d6e
SSDEEP

384:3DVUq67iFRNItImlQN2l0hj4draNwzDHIOu3nrd7DjdYt8Gn5u5nh7uTht1XKvj4:3pUZ7iFfuITgHwNet8Q5Z6vmp+v2o

Score

10^/10

njrat lammer evasion trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

Lammer

0.tcp.sa.ngrok.io:17720

Mutex

fbb489ebddedd970b62a6974bcec1446

Attributes

reg_key
fbb489ebddedd970b62a6974bcec1446
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
4700	netsh.exe

Executes dropped EXE 1 IoCs

pid	Process
3428	0.vbs

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: SeDebugPrivilege	3428	0.vbs
Token: 33	3428	0.vbs
Token: SeIncBasePriorityPrivilege	3428	0.vbs
Token: 33	3428	0.vbs
Token: SeIncBasePriorityPrivilege	3428	0.vbs
Token: 33	3428	0.vbs
Token: SeIncBasePriorityPrivilege	3428	0.vbs
Token: 33	3428	0.vbs
Token: SeIncBasePriorityPrivilege	3428	0.vbs
Token: 33	3428	0.vbs
Token: SeIncBasePriorityPrivilege	3428	0.vbs
Token: 33	3428	0.vbs
Token: SeIncBasePriorityPrivilege	3428	0.vbs
Token: 33	3428	0.vbs
Token: SeIncBasePriorityPrivilege	3428	0.vbs
Token: 33	3428	0.vbs
Token: SeIncBasePriorityPrivilege	3428	0.vbs
Token: 33	3428	0.vbs
Token: SeIncBasePriorityPrivilege	3428	0.vbs
Token: 33	3428	0.vbs
Token: SeIncBasePriorityPrivilege	3428	0.vbs
Token: 33	3428	0.vbs
Token: SeIncBasePriorityPrivilege	3428	0.vbs
Token: 33	3428	0.vbs
Token: SeIncBasePriorityPrivilege	3428	0.vbs
Token: 33	3428	0.vbs
Token: SeIncBasePriorityPrivilege	3428	0.vbs
Token: 33	3428	0.vbs
Token: SeIncBasePriorityPrivilege	3428	0.vbs
Token: 33	3428	0.vbs
Token: SeIncBasePriorityPrivilege	3428	0.vbs
Token: 33	3428	0.vbs
Token: SeIncBasePriorityPrivilege	3428	0.vbs
Token: 33	3428	0.vbs
Token: SeIncBasePriorityPrivilege	3428	0.vbs

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1616	1d1e55d56501a4c020359838798b5e9c.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1616 wrote to memory of 3428	1616	1d1e55d56501a4c020359838798b5e9c.exe	86
PID 1616 wrote to memory of 3428	1616	1d1e55d56501a4c020359838798b5e9c.exe	86
PID 1616 wrote to memory of 3428	1616	1d1e55d56501a4c020359838798b5e9c.exe	86
PID 3428 wrote to memory of 4700	3428	0.vbs	92
PID 3428 wrote to memory of 4700	3428	0.vbs	92
PID 3428 wrote to memory of 4700	3428	0.vbs	92

C:\Users\Admin\AppData\Local\Temp\1d1e55d56501a4c020359838798b5e9c.exe
"C:\Users\Admin\AppData\Local\Temp\1d1e55d56501a4c020359838798b5e9c.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1616
- C:\Users\Admin\AppData\Local\Temp\0.vbs
  C:\Users\Admin\AppData\Local\Temp\0.vbs
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3428
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\0.vbs" "0.vbs" ENABLE
    3⤵
    - Modifies Windows Firewall
    PID:4700

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0.vbs

Filesize
23KB

MD5
ffb457dd29073b78721c24ab9195459f

SHA1
b836c1589c65653d28c44b709ecac7ef2376a9d1

SHA256
f7dfdaa0af2137fc3f8694273f8de442edc37926edfd7cecd296c5a98657a939

SHA512
3dd96249f668dead9970e8c2d484596217c1de085d9695238bcc5e2ee2e651206032e5ef1edcafd5d75e3c4b6be268046e21bf95e6fecd2c50fd9e7fefec5457

Download Submit
C:\Users\Admin\AppData\Local\Temp\0.vbs

Filesize
23KB

MD5
ffb457dd29073b78721c24ab9195459f

SHA1
b836c1589c65653d28c44b709ecac7ef2376a9d1

SHA256
f7dfdaa0af2137fc3f8694273f8de442edc37926edfd7cecd296c5a98657a939

SHA512
3dd96249f668dead9970e8c2d484596217c1de085d9695238bcc5e2ee2e651206032e5ef1edcafd5d75e3c4b6be268046e21bf95e6fecd2c50fd9e7fefec5457

Download Submit
memory/3428-139-0x0000000074AD0000-0x0000000075081000-memory.dmp

Filesize
5.7MB

Download
memory/3428-140-0x0000000074AD0000-0x0000000075081000-memory.dmp

Filesize
5.7MB

Download
memory/3428-141-0x0000000001140000-0x0000000001150000-memory.dmp

Filesize
64KB

Download
memory/3428-142-0x0000000074AD0000-0x0000000075081000-memory.dmp

Filesize
5.7MB

Download
memory/3428-143-0x0000000074AD0000-0x0000000075081000-memory.dmp

Filesize
5.7MB

Download
memory/3428-144-0x0000000001140000-0x0000000001150000-memory.dmp

Filesize
64KB

Download