njrat | 9f773249a099a9122a9cbad4cdbd6d4a413d8047a444b8a65de33c458b996087

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
21/09/2023, 03:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1e32f478568d5aeba53b76bb54a18bb0.exe
Size

124KB
MD5

1e32f478568d5aeba53b76bb54a18bb0
SHA1

3a56b495df1ea37586d79c6465456145b89c403a
SHA256

9f773249a099a9122a9cbad4cdbd6d4a413d8047a444b8a65de33c458b996087
SHA512

c50e6e216c14f63ae7afdac841d116d251b021fbfc7d9677b43adea625369828c6f7802d87def27972a3c0eb5e8b715781302d3dd4dd9c2efbf1665d64c63301
SSDEEP

3072:eV3eDzgZqwy8m/8XBhvNS1ChkA+38MBXNt2/NOVvIY344xcuy9K18:eVqzdwyCHllhj+3vBS/W44xcuyc1

Score

10^/10

njrat hacked evasion trojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

HacKed

0.tcp.in.ngrok.io:19400

Mutex

900e32528e286bf3fa16f687e637183a

Attributes

reg_key
900e32528e286bf3fa16f687e637183a
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
4448	netsh.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 4316 set thread context of 4040	4316	1e32f478568d5aeba53b76bb54a18bb0.exe	87
PID 4040 set thread context of 1048	4040	RegAsm.exe	92
PID 1048 set thread context of 1768	1048	RegAsm.exe	95
PID 1768 set thread context of 3788	1768	RegAsm.exe	96
PID 3788 set thread context of 3260	3788	RegAsm.exe	97

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1048	RegAsm.exe
1048	RegAsm.exe
1048	RegAsm.exe
1048	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1048	RegAsm.exe
Token: SeDebugPrivilege	3260	RegAsm.exe
Token: 33	3260	RegAsm.exe
Token: SeIncBasePriorityPrivilege	3260	RegAsm.exe
Token: 33	3260	RegAsm.exe
Token: SeIncBasePriorityPrivilege	3260	RegAsm.exe

Suspicious use of WriteProcessMemory 49 IoCs

description	pid	Process	procid_target
PID 4316 wrote to memory of 4040	4316	1e32f478568d5aeba53b76bb54a18bb0.exe	87
PID 4316 wrote to memory of 4040	4316	1e32f478568d5aeba53b76bb54a18bb0.exe	87
PID 4316 wrote to memory of 4040	4316	1e32f478568d5aeba53b76bb54a18bb0.exe	87
PID 4316 wrote to memory of 4040	4316	1e32f478568d5aeba53b76bb54a18bb0.exe	87
PID 4316 wrote to memory of 4040	4316	1e32f478568d5aeba53b76bb54a18bb0.exe	87
PID 4316 wrote to memory of 4040	4316	1e32f478568d5aeba53b76bb54a18bb0.exe	87
PID 4316 wrote to memory of 4040	4316	1e32f478568d5aeba53b76bb54a18bb0.exe	87
PID 4316 wrote to memory of 4040	4316	1e32f478568d5aeba53b76bb54a18bb0.exe	87
PID 4040 wrote to memory of 1048	4040	RegAsm.exe	92
PID 4040 wrote to memory of 1048	4040	RegAsm.exe	92
PID 4040 wrote to memory of 1048	4040	RegAsm.exe	92
PID 4040 wrote to memory of 1048	4040	RegAsm.exe	92
PID 4040 wrote to memory of 1048	4040	RegAsm.exe	92
PID 4040 wrote to memory of 1048	4040	RegAsm.exe	92
PID 4040 wrote to memory of 1048	4040	RegAsm.exe	92
PID 4040 wrote to memory of 1048	4040	RegAsm.exe	92
PID 1048 wrote to memory of 1548	1048	RegAsm.exe	93
PID 1048 wrote to memory of 1548	1048	RegAsm.exe	93
PID 1048 wrote to memory of 1548	1048	RegAsm.exe	93
PID 1048 wrote to memory of 4284	1048	RegAsm.exe	94
PID 1048 wrote to memory of 4284	1048	RegAsm.exe	94
PID 1048 wrote to memory of 4284	1048	RegAsm.exe	94
PID 1048 wrote to memory of 1768	1048	RegAsm.exe	95
PID 1048 wrote to memory of 1768	1048	RegAsm.exe	95
PID 1048 wrote to memory of 1768	1048	RegAsm.exe	95
PID 1048 wrote to memory of 1768	1048	RegAsm.exe	95
PID 1048 wrote to memory of 1768	1048	RegAsm.exe	95
PID 1048 wrote to memory of 1768	1048	RegAsm.exe	95
PID 1048 wrote to memory of 1768	1048	RegAsm.exe	95
PID 1048 wrote to memory of 1768	1048	RegAsm.exe	95
PID 1768 wrote to memory of 3788	1768	RegAsm.exe	96
PID 1768 wrote to memory of 3788	1768	RegAsm.exe	96
PID 1768 wrote to memory of 3788	1768	RegAsm.exe	96
PID 1768 wrote to memory of 3788	1768	RegAsm.exe	96
PID 1768 wrote to memory of 3788	1768	RegAsm.exe	96
PID 1768 wrote to memory of 3788	1768	RegAsm.exe	96
PID 1768 wrote to memory of 3788	1768	RegAsm.exe	96
PID 1768 wrote to memory of 3788	1768	RegAsm.exe	96
PID 3788 wrote to memory of 3260	3788	RegAsm.exe	97
PID 3788 wrote to memory of 3260	3788	RegAsm.exe	97
PID 3788 wrote to memory of 3260	3788	RegAsm.exe	97
PID 3788 wrote to memory of 3260	3788	RegAsm.exe	97
PID 3788 wrote to memory of 3260	3788	RegAsm.exe	97
PID 3788 wrote to memory of 3260	3788	RegAsm.exe	97
PID 3788 wrote to memory of 3260	3788	RegAsm.exe	97
PID 3788 wrote to memory of 3260	3788	RegAsm.exe	97
PID 3260 wrote to memory of 4448	3260	RegAsm.exe	98
PID 3260 wrote to memory of 4448	3260	RegAsm.exe	98
PID 3260 wrote to memory of 4448	3260	RegAsm.exe	98

C:\Users\Admin\AppData\Local\Temp\1e32f478568d5aeba53b76bb54a18bb0.exe
"C:\Users\Admin\AppData\Local\Temp\1e32f478568d5aeba53b76bb54a18bb0.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4316
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4040
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1048
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:1548
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:4284
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:1768
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3788
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3260
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" "RegAsm.exe" ENABLE
        7⤵
        Modifies Windows Firewall
        
        PID:4448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log

Filesize
1KB

MD5
b5291f3dcf2c13784e09a057f2e43d13

SHA1
fbb72f4b04269e0d35b1d9c29d02d63dbc7ad07e

SHA256
ad995b51344d71019f96fc3a424de00256065daad8595ff599f6849c87ae75ce

SHA512
11c89caac425bccaa24e2bb24c6f2b4e6d6863278bf8a5304a42bb44475b08ca586e09143e7d5b14db7f1cd9adacd5358769e0d999dc348073431031067bd4d4

Download Submit
memory/1048-23-0x00000000749E0000-0x0000000075190000-memory.dmp

Filesize
7.7MB

Download
memory/1048-24-0x0000000005460000-0x0000000005470000-memory.dmp

Filesize
64KB

Download
memory/1048-19-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1048-25-0x00000000749E0000-0x0000000075190000-memory.dmp

Filesize
7.7MB

Download
memory/1048-26-0x0000000005460000-0x0000000005470000-memory.dmp

Filesize
64KB

Download
memory/1048-27-0x00000000055A0000-0x00000000055BA000-memory.dmp

Filesize
104KB

Download
memory/1048-30-0x00000000749E0000-0x0000000075190000-memory.dmp

Filesize
7.7MB

Download
memory/1768-32-0x00000000749E0000-0x0000000075190000-memory.dmp

Filesize
7.7MB

Download
memory/1768-33-0x0000000005120000-0x0000000005136000-memory.dmp

Filesize
88KB

Download
memory/1768-35-0x00000000749E0000-0x0000000075190000-memory.dmp

Filesize
7.7MB

Download
memory/1768-31-0x0000000004F70000-0x0000000004F80000-memory.dmp

Filesize
64KB

Download
memory/1768-29-0x00000000749E0000-0x0000000075190000-memory.dmp

Filesize
7.7MB

Download
memory/1768-28-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3260-41-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3260-42-0x0000000004CE0000-0x0000000004D7C000-memory.dmp

Filesize
624KB

Download
memory/3260-43-0x00000000749E0000-0x0000000075190000-memory.dmp

Filesize
7.7MB

Download
memory/3260-45-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

Filesize
64KB

Download
memory/3260-46-0x0000000005260000-0x00000000052C6000-memory.dmp

Filesize
408KB

Download
memory/3260-47-0x00000000749E0000-0x0000000075190000-memory.dmp

Filesize
7.7MB

Download
memory/3260-48-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

Filesize
64KB

Download
memory/3788-36-0x00000000749E0000-0x0000000075190000-memory.dmp

Filesize
7.7MB

Download
memory/3788-40-0x0000000004F80000-0x0000000004F92000-memory.dmp

Filesize
72KB

Download
memory/3788-38-0x00000000749E0000-0x0000000075190000-memory.dmp

Filesize
7.7MB

Download
memory/3788-34-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3788-37-0x0000000005150000-0x0000000005160000-memory.dmp

Filesize
64KB

Download
memory/3788-39-0x0000000005150000-0x0000000005160000-memory.dmp

Filesize
64KB

Download
memory/3788-44-0x00000000749E0000-0x0000000075190000-memory.dmp

Filesize
7.7MB

Download
memory/4040-16-0x00000000749E0000-0x0000000075190000-memory.dmp

Filesize
7.7MB

Download
memory/4040-11-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4040-14-0x00000000749E0000-0x0000000075190000-memory.dmp

Filesize
7.7MB

Download
memory/4040-15-0x0000000005000000-0x0000000005010000-memory.dmp

Filesize
64KB

Download
memory/4040-17-0x0000000005000000-0x0000000005010000-memory.dmp

Filesize
64KB

Download
memory/4040-18-0x0000000004EF0000-0x0000000004F10000-memory.dmp

Filesize
128KB

Download
memory/4040-22-0x00000000749E0000-0x0000000075190000-memory.dmp

Filesize
7.7MB

Download
memory/4316-8-0x0000000002E40000-0x0000000002E50000-memory.dmp

Filesize
64KB

Download
memory/4316-0-0x00000000749E0000-0x0000000075190000-memory.dmp

Filesize
7.7MB

Download
memory/4316-9-0x0000000005620000-0x0000000005644000-memory.dmp

Filesize
144KB

Download
memory/4316-10-0x0000000005670000-0x000000000568E000-memory.dmp

Filesize
120KB

Download
memory/4316-7-0x00000000749E0000-0x0000000075190000-memory.dmp

Filesize
7.7MB

Download
memory/4316-6-0x00000000055A0000-0x0000000005616000-memory.dmp

Filesize
472KB

Download
memory/4316-13-0x00000000749E0000-0x0000000075190000-memory.dmp

Filesize
7.7MB

Download
memory/4316-5-0x0000000005510000-0x000000000551A000-memory.dmp

Filesize
40KB

Download
memory/4316-4-0x0000000002E40000-0x0000000002E50000-memory.dmp

Filesize
64KB

Download
memory/4316-3-0x0000000005460000-0x00000000054F2000-memory.dmp

Filesize
584KB

Download
memory/4316-2-0x0000000005A10000-0x0000000005FB4000-memory.dmp

Filesize
5.6MB

Download
memory/4316-1-0x0000000000940000-0x0000000000966000-memory.dmp

Filesize
152KB

Download