njrat | 4f7f672a899e6bdbb5b3352fc359cc426fe7053fcfa53036a48572bac7df36ef

Analysis

max time kernel
149s
max time network
146s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
17-10-2023 21:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

33DD87541BC8AC254706571995F70E18.exe
Size

23KB
MD5

33dd87541bc8ac254706571995f70e18
SHA1

bae5b770ca714de85ec789c5b5de2d0cb7e7483d
SHA256

4f7f672a899e6bdbb5b3352fc359cc426fe7053fcfa53036a48572bac7df36ef
SHA512

ca30a65b0ac564d26b9af1a155a5eba03acfc9aded02f452fd84115d62287b2003cef7c47a707f6ed94e0540962df53a4fe36907b63c188db90e0ee061cc8dea
SSDEEP

384:J8aZYC9twBNdcvFaly2H0dVJo6HghcASEJqc/ZmRvR6JZlbw8hqIusZzZ93Q:RY+sNKqNHFSdRpcnud

Score

10^/10

njrat evasion trojan

Malware Config

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exe

pid process

2412 netsh.exe

pid	process
2412	netsh.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

33DD87541BC8AC254706571995F70E18.exe

description	pid	process
Token: SeDebugPrivilege	2180	33DD87541BC8AC254706571995F70E18.exe
Token: 33	2180	33DD87541BC8AC254706571995F70E18.exe
Token: SeIncBasePriorityPrivilege	2180	33DD87541BC8AC254706571995F70E18.exe
Token: 33	2180	33DD87541BC8AC254706571995F70E18.exe
Token: SeIncBasePriorityPrivilege	2180	33DD87541BC8AC254706571995F70E18.exe
Token: 33	2180	33DD87541BC8AC254706571995F70E18.exe
Token: SeIncBasePriorityPrivilege	2180	33DD87541BC8AC254706571995F70E18.exe
Token: 33	2180	33DD87541BC8AC254706571995F70E18.exe
Token: SeIncBasePriorityPrivilege	2180	33DD87541BC8AC254706571995F70E18.exe
Token: 33	2180	33DD87541BC8AC254706571995F70E18.exe
Token: SeIncBasePriorityPrivilege	2180	33DD87541BC8AC254706571995F70E18.exe
Token: 33	2180	33DD87541BC8AC254706571995F70E18.exe
Token: SeIncBasePriorityPrivilege	2180	33DD87541BC8AC254706571995F70E18.exe
Token: 33	2180	33DD87541BC8AC254706571995F70E18.exe
Token: SeIncBasePriorityPrivilege	2180	33DD87541BC8AC254706571995F70E18.exe
Token: 33	2180	33DD87541BC8AC254706571995F70E18.exe
Token: SeIncBasePriorityPrivilege	2180	33DD87541BC8AC254706571995F70E18.exe
Token: 33	2180	33DD87541BC8AC254706571995F70E18.exe
Token: SeIncBasePriorityPrivilege	2180	33DD87541BC8AC254706571995F70E18.exe
Token: 33	2180	33DD87541BC8AC254706571995F70E18.exe
Token: SeIncBasePriorityPrivilege	2180	33DD87541BC8AC254706571995F70E18.exe
Token: 33	2180	33DD87541BC8AC254706571995F70E18.exe
Token: SeIncBasePriorityPrivilege	2180	33DD87541BC8AC254706571995F70E18.exe
Token: 33	2180	33DD87541BC8AC254706571995F70E18.exe
Token: SeIncBasePriorityPrivilege	2180	33DD87541BC8AC254706571995F70E18.exe
Token: 33	2180	33DD87541BC8AC254706571995F70E18.exe
Token: SeIncBasePriorityPrivilege	2180	33DD87541BC8AC254706571995F70E18.exe
Token: 33	2180	33DD87541BC8AC254706571995F70E18.exe
Token: SeIncBasePriorityPrivilege	2180	33DD87541BC8AC254706571995F70E18.exe
Token: 33	2180	33DD87541BC8AC254706571995F70E18.exe
Token: SeIncBasePriorityPrivilege	2180	33DD87541BC8AC254706571995F70E18.exe
Token: 33	2180	33DD87541BC8AC254706571995F70E18.exe
Token: SeIncBasePriorityPrivilege	2180	33DD87541BC8AC254706571995F70E18.exe
Token: 33	2180	33DD87541BC8AC254706571995F70E18.exe
Token: SeIncBasePriorityPrivilege	2180	33DD87541BC8AC254706571995F70E18.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

33DD87541BC8AC254706571995F70E18.exe

description	pid	process	target process
PID 2180 wrote to memory of 2412	2180	33DD87541BC8AC254706571995F70E18.exe	netsh.exe
PID 2180 wrote to memory of 2412	2180	33DD87541BC8AC254706571995F70E18.exe	netsh.exe
PID 2180 wrote to memory of 2412	2180	33DD87541BC8AC254706571995F70E18.exe	netsh.exe
PID 2180 wrote to memory of 2412	2180	33DD87541BC8AC254706571995F70E18.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\33DD87541BC8AC254706571995F70E18.exe
"C:\Users\Admin\AppData\Local\Temp\33DD87541BC8AC254706571995F70E18.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2180

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\33DD87541BC8AC254706571995F70E18.exe" "33DD87541BC8AC254706571995F70E18.exe" ENABLE
2⤵
- Modifies Windows Firewall
PID:2412

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2180-0-0x00000000744D0000-0x0000000074A7B000-memory.dmp

Filesize
5.7MB

Download
memory/2180-1-0x00000000744D0000-0x0000000074A7B000-memory.dmp

Filesize
5.7MB

Download
memory/2180-2-0x0000000001F00000-0x0000000001F40000-memory.dmp

Filesize
256KB

Download
memory/2180-3-0x00000000744D0000-0x0000000074A7B000-memory.dmp

Filesize
5.7MB

Download
memory/2180-4-0x00000000744D0000-0x0000000074A7B000-memory.dmp

Filesize
5.7MB

Download
memory/2180-5-0x0000000001F00000-0x0000000001F40000-memory.dmp

Filesize
256KB

Download