njrat | e162f5bb33843a8872968483555c053718bb9654c0641ccd393f4ddd08391e17

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
31-07-2023 01:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

243e61e9274fdd1d62c9c2cefc5d0c57.exe
Size

23KB
MD5

243e61e9274fdd1d62c9c2cefc5d0c57
SHA1

8a915a682debbf969ed7917b5d26dd31e21786e8
SHA256

e162f5bb33843a8872968483555c053718bb9654c0641ccd393f4ddd08391e17
SHA512

813d2568d465822d90352651e91e91d1dcdfd2e5c47e4b851d9500ac819602f80602c8b4bfc149b741b684b833c908cf41dd91827e13f2cbb852c0b175c4605e
SSDEEP

384:MsqS+ER6vRKXGYKRWVSujUtX9w6Vglo61Z5DVmRvR6JZlbw8hqIusZzZU8:Tf65K2Yf1jMRpcnuO

Score

10^/10

njrat evasion trojan

Malware Config

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exe

pid process

4616 netsh.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

pid	process
4616	netsh.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

243e61e9274fdd1d62c9c2cefc5d0c57.exe

description	pid	process
Token: SeDebugPrivilege	1880	243e61e9274fdd1d62c9c2cefc5d0c57.exe
Token: 33	1880	243e61e9274fdd1d62c9c2cefc5d0c57.exe
Token: SeIncBasePriorityPrivilege	1880	243e61e9274fdd1d62c9c2cefc5d0c57.exe
Token: 33	1880	243e61e9274fdd1d62c9c2cefc5d0c57.exe
Token: SeIncBasePriorityPrivilege	1880	243e61e9274fdd1d62c9c2cefc5d0c57.exe
Token: 33	1880	243e61e9274fdd1d62c9c2cefc5d0c57.exe
Token: SeIncBasePriorityPrivilege	1880	243e61e9274fdd1d62c9c2cefc5d0c57.exe
Token: 33	1880	243e61e9274fdd1d62c9c2cefc5d0c57.exe
Token: SeIncBasePriorityPrivilege	1880	243e61e9274fdd1d62c9c2cefc5d0c57.exe
Token: 33	1880	243e61e9274fdd1d62c9c2cefc5d0c57.exe
Token: SeIncBasePriorityPrivilege	1880	243e61e9274fdd1d62c9c2cefc5d0c57.exe
Token: 33	1880	243e61e9274fdd1d62c9c2cefc5d0c57.exe
Token: SeIncBasePriorityPrivilege	1880	243e61e9274fdd1d62c9c2cefc5d0c57.exe
Token: 33	1880	243e61e9274fdd1d62c9c2cefc5d0c57.exe
Token: SeIncBasePriorityPrivilege	1880	243e61e9274fdd1d62c9c2cefc5d0c57.exe
Token: 33	1880	243e61e9274fdd1d62c9c2cefc5d0c57.exe
Token: SeIncBasePriorityPrivilege	1880	243e61e9274fdd1d62c9c2cefc5d0c57.exe
Token: 33	1880	243e61e9274fdd1d62c9c2cefc5d0c57.exe
Token: SeIncBasePriorityPrivilege	1880	243e61e9274fdd1d62c9c2cefc5d0c57.exe
Token: 33	1880	243e61e9274fdd1d62c9c2cefc5d0c57.exe
Token: SeIncBasePriorityPrivilege	1880	243e61e9274fdd1d62c9c2cefc5d0c57.exe
Token: 33	1880	243e61e9274fdd1d62c9c2cefc5d0c57.exe
Token: SeIncBasePriorityPrivilege	1880	243e61e9274fdd1d62c9c2cefc5d0c57.exe
Token: 33	1880	243e61e9274fdd1d62c9c2cefc5d0c57.exe
Token: SeIncBasePriorityPrivilege	1880	243e61e9274fdd1d62c9c2cefc5d0c57.exe
Token: 33	1880	243e61e9274fdd1d62c9c2cefc5d0c57.exe
Token: SeIncBasePriorityPrivilege	1880	243e61e9274fdd1d62c9c2cefc5d0c57.exe
Token: 33	1880	243e61e9274fdd1d62c9c2cefc5d0c57.exe
Token: SeIncBasePriorityPrivilege	1880	243e61e9274fdd1d62c9c2cefc5d0c57.exe
Token: 33	1880	243e61e9274fdd1d62c9c2cefc5d0c57.exe
Token: SeIncBasePriorityPrivilege	1880	243e61e9274fdd1d62c9c2cefc5d0c57.exe
Token: 33	1880	243e61e9274fdd1d62c9c2cefc5d0c57.exe
Token: SeIncBasePriorityPrivilege	1880	243e61e9274fdd1d62c9c2cefc5d0c57.exe
Token: 33	1880	243e61e9274fdd1d62c9c2cefc5d0c57.exe
Token: SeIncBasePriorityPrivilege	1880	243e61e9274fdd1d62c9c2cefc5d0c57.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

243e61e9274fdd1d62c9c2cefc5d0c57.exe

description	pid	process	target process
PID 1880 wrote to memory of 4616	1880	243e61e9274fdd1d62c9c2cefc5d0c57.exe	netsh.exe
PID 1880 wrote to memory of 4616	1880	243e61e9274fdd1d62c9c2cefc5d0c57.exe	netsh.exe
PID 1880 wrote to memory of 4616	1880	243e61e9274fdd1d62c9c2cefc5d0c57.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\243e61e9274fdd1d62c9c2cefc5d0c57.exe
"C:\Users\Admin\AppData\Local\Temp\243e61e9274fdd1d62c9c2cefc5d0c57.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1880

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\243e61e9274fdd1d62c9c2cefc5d0c57.exe" "243e61e9274fdd1d62c9c2cefc5d0c57.exe" ENABLE
2⤵
- Modifies Windows Firewall
PID:4616

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1880-133-0x0000000074700000-0x0000000074CB1000-memory.dmp

Filesize
5.7MB

Download
memory/1880-134-0x0000000074700000-0x0000000074CB1000-memory.dmp

Filesize
5.7MB

Download
memory/1880-135-0x0000000000CE0000-0x0000000000CF0000-memory.dmp

Filesize
64KB

Download
memory/1880-136-0x0000000074700000-0x0000000074CB1000-memory.dmp

Filesize
5.7MB

Download
memory/1880-137-0x0000000074700000-0x0000000074CB1000-memory.dmp

Filesize
5.7MB

Download
memory/1880-138-0x0000000000CE0000-0x0000000000CF0000-memory.dmp

Filesize
64KB

Download