njrat | b6634d60c4f33e8ff40efbbbddd098cc420fe12822c633752260e3b0e6d11307

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
17-12-2023 18:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

03CFE21475FF1E4B334AD89DED81AE54.exe
Size

23KB
MD5

03cfe21475ff1e4b334ad89ded81ae54
SHA1

885cd1d6782f12eba1a8b02ba5e380b43d724ac8
SHA256

b6634d60c4f33e8ff40efbbbddd098cc420fe12822c633752260e3b0e6d11307
SHA512

28361958762f5951c405f664e6891eca9fe735b791702db93599fbf34b50885d95dd8938784423ec4ccb50648a4f8350106b51d8082d43e65fa5371bf3bd9f56
SSDEEP

384:IcqbCK0l4h7o9SVyDGvENuh46/gJkOmMSW38mRvR6JZlbw8hqIusZzZLp:330py6vhxaRpcnuG

Score

10^/10

njrat evasion trojan

Malware Config

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exe

pid process

3972 netsh.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

pid	process
3972	netsh.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

03CFE21475FF1E4B334AD89DED81AE54.exe

description	pid	process
Token: SeDebugPrivilege	4792	03CFE21475FF1E4B334AD89DED81AE54.exe
Token: 33	4792	03CFE21475FF1E4B334AD89DED81AE54.exe
Token: SeIncBasePriorityPrivilege	4792	03CFE21475FF1E4B334AD89DED81AE54.exe
Token: 33	4792	03CFE21475FF1E4B334AD89DED81AE54.exe
Token: SeIncBasePriorityPrivilege	4792	03CFE21475FF1E4B334AD89DED81AE54.exe
Token: 33	4792	03CFE21475FF1E4B334AD89DED81AE54.exe
Token: SeIncBasePriorityPrivilege	4792	03CFE21475FF1E4B334AD89DED81AE54.exe
Token: 33	4792	03CFE21475FF1E4B334AD89DED81AE54.exe
Token: SeIncBasePriorityPrivilege	4792	03CFE21475FF1E4B334AD89DED81AE54.exe
Token: 33	4792	03CFE21475FF1E4B334AD89DED81AE54.exe
Token: SeIncBasePriorityPrivilege	4792	03CFE21475FF1E4B334AD89DED81AE54.exe
Token: 33	4792	03CFE21475FF1E4B334AD89DED81AE54.exe
Token: SeIncBasePriorityPrivilege	4792	03CFE21475FF1E4B334AD89DED81AE54.exe
Token: 33	4792	03CFE21475FF1E4B334AD89DED81AE54.exe
Token: SeIncBasePriorityPrivilege	4792	03CFE21475FF1E4B334AD89DED81AE54.exe
Token: 33	4792	03CFE21475FF1E4B334AD89DED81AE54.exe
Token: SeIncBasePriorityPrivilege	4792	03CFE21475FF1E4B334AD89DED81AE54.exe
Token: 33	4792	03CFE21475FF1E4B334AD89DED81AE54.exe
Token: SeIncBasePriorityPrivilege	4792	03CFE21475FF1E4B334AD89DED81AE54.exe
Token: 33	4792	03CFE21475FF1E4B334AD89DED81AE54.exe
Token: SeIncBasePriorityPrivilege	4792	03CFE21475FF1E4B334AD89DED81AE54.exe
Token: 33	4792	03CFE21475FF1E4B334AD89DED81AE54.exe
Token: SeIncBasePriorityPrivilege	4792	03CFE21475FF1E4B334AD89DED81AE54.exe
Token: 33	4792	03CFE21475FF1E4B334AD89DED81AE54.exe
Token: SeIncBasePriorityPrivilege	4792	03CFE21475FF1E4B334AD89DED81AE54.exe
Token: 33	4792	03CFE21475FF1E4B334AD89DED81AE54.exe
Token: SeIncBasePriorityPrivilege	4792	03CFE21475FF1E4B334AD89DED81AE54.exe
Token: 33	4792	03CFE21475FF1E4B334AD89DED81AE54.exe
Token: SeIncBasePriorityPrivilege	4792	03CFE21475FF1E4B334AD89DED81AE54.exe
Token: 33	4792	03CFE21475FF1E4B334AD89DED81AE54.exe
Token: SeIncBasePriorityPrivilege	4792	03CFE21475FF1E4B334AD89DED81AE54.exe
Token: 33	4792	03CFE21475FF1E4B334AD89DED81AE54.exe
Token: SeIncBasePriorityPrivilege	4792	03CFE21475FF1E4B334AD89DED81AE54.exe
Token: 33	4792	03CFE21475FF1E4B334AD89DED81AE54.exe
Token: SeIncBasePriorityPrivilege	4792	03CFE21475FF1E4B334AD89DED81AE54.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

03CFE21475FF1E4B334AD89DED81AE54.exe

description	pid	process	target process
PID 4792 wrote to memory of 3972	4792	03CFE21475FF1E4B334AD89DED81AE54.exe	netsh.exe
PID 4792 wrote to memory of 3972	4792	03CFE21475FF1E4B334AD89DED81AE54.exe	netsh.exe
PID 4792 wrote to memory of 3972	4792	03CFE21475FF1E4B334AD89DED81AE54.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\03CFE21475FF1E4B334AD89DED81AE54.exe
"C:\Users\Admin\AppData\Local\Temp\03CFE21475FF1E4B334AD89DED81AE54.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4792

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\03CFE21475FF1E4B334AD89DED81AE54.exe" "03CFE21475FF1E4B334AD89DED81AE54.exe" ENABLE
2⤵
- Modifies Windows Firewall
PID:3972

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4792-0-0x0000000074FB0000-0x0000000075561000-memory.dmp

Filesize
5.7MB

Download
memory/4792-1-0x0000000001270000-0x0000000001280000-memory.dmp

Filesize
64KB

Download
memory/4792-2-0x0000000074FB0000-0x0000000075561000-memory.dmp

Filesize
5.7MB

Download
memory/4792-3-0x0000000074FB0000-0x0000000075561000-memory.dmp

Filesize
5.7MB

Download
memory/4792-4-0x0000000001270000-0x0000000001280000-memory.dmp

Filesize
64KB

Download