njrat | cdc771adbd55add756c3fd400ae846c8b8d378c68feac22e0bcc96dc480a6dc4

Analysis

max time kernel
146s
max time network
149s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
06-01-2024 10:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4574bd93391feb09a4f2fb7feaa0f29d.exe
Size

33KB
MD5

4574bd93391feb09a4f2fb7feaa0f29d
SHA1

8bf4ce7c275d6efb9470f617189d2945f9039935
SHA256

cdc771adbd55add756c3fd400ae846c8b8d378c68feac22e0bcc96dc480a6dc4
SHA512

f346a22c4b6b9dc3199300b591b40cfc54555b849e90fa38d3001c4a7f4d6ca3b139348b60409903ec3bd7fd9742a3e2ddba510485e4d68d7f5be43a029fadfa
SSDEEP

768:VvTgsrbTI3IOTT95Hrg1XVbXBAQ/nvF8Nul2y:tJbaM7BHnmulZ

Score

10^/10

njrat hacked evasion trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

rxlwee.ddns.net:5552

Mutex

Windows Update

Attributes

reg_key
Windows Update
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exe

pid process

2596 netsh.exe

pid	process
2596	netsh.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

4574bd93391feb09a4f2fb7feaa0f29d.exe

description	pid	process
Token: SeDebugPrivilege	2496	4574bd93391feb09a4f2fb7feaa0f29d.exe
Token: 33	2496	4574bd93391feb09a4f2fb7feaa0f29d.exe
Token: SeIncBasePriorityPrivilege	2496	4574bd93391feb09a4f2fb7feaa0f29d.exe
Token: 33	2496	4574bd93391feb09a4f2fb7feaa0f29d.exe
Token: SeIncBasePriorityPrivilege	2496	4574bd93391feb09a4f2fb7feaa0f29d.exe
Token: 33	2496	4574bd93391feb09a4f2fb7feaa0f29d.exe
Token: SeIncBasePriorityPrivilege	2496	4574bd93391feb09a4f2fb7feaa0f29d.exe
Token: 33	2496	4574bd93391feb09a4f2fb7feaa0f29d.exe
Token: SeIncBasePriorityPrivilege	2496	4574bd93391feb09a4f2fb7feaa0f29d.exe
Token: 33	2496	4574bd93391feb09a4f2fb7feaa0f29d.exe
Token: SeIncBasePriorityPrivilege	2496	4574bd93391feb09a4f2fb7feaa0f29d.exe
Token: 33	2496	4574bd93391feb09a4f2fb7feaa0f29d.exe
Token: SeIncBasePriorityPrivilege	2496	4574bd93391feb09a4f2fb7feaa0f29d.exe
Token: 33	2496	4574bd93391feb09a4f2fb7feaa0f29d.exe
Token: SeIncBasePriorityPrivilege	2496	4574bd93391feb09a4f2fb7feaa0f29d.exe
Token: 33	2496	4574bd93391feb09a4f2fb7feaa0f29d.exe
Token: SeIncBasePriorityPrivilege	2496	4574bd93391feb09a4f2fb7feaa0f29d.exe
Token: 33	2496	4574bd93391feb09a4f2fb7feaa0f29d.exe
Token: SeIncBasePriorityPrivilege	2496	4574bd93391feb09a4f2fb7feaa0f29d.exe
Token: 33	2496	4574bd93391feb09a4f2fb7feaa0f29d.exe
Token: SeIncBasePriorityPrivilege	2496	4574bd93391feb09a4f2fb7feaa0f29d.exe
Token: 33	2496	4574bd93391feb09a4f2fb7feaa0f29d.exe
Token: SeIncBasePriorityPrivilege	2496	4574bd93391feb09a4f2fb7feaa0f29d.exe
Token: 33	2496	4574bd93391feb09a4f2fb7feaa0f29d.exe
Token: SeIncBasePriorityPrivilege	2496	4574bd93391feb09a4f2fb7feaa0f29d.exe
Token: 33	2496	4574bd93391feb09a4f2fb7feaa0f29d.exe
Token: SeIncBasePriorityPrivilege	2496	4574bd93391feb09a4f2fb7feaa0f29d.exe
Token: 33	2496	4574bd93391feb09a4f2fb7feaa0f29d.exe
Token: SeIncBasePriorityPrivilege	2496	4574bd93391feb09a4f2fb7feaa0f29d.exe
Token: 33	2496	4574bd93391feb09a4f2fb7feaa0f29d.exe
Token: SeIncBasePriorityPrivilege	2496	4574bd93391feb09a4f2fb7feaa0f29d.exe
Token: 33	2496	4574bd93391feb09a4f2fb7feaa0f29d.exe
Token: SeIncBasePriorityPrivilege	2496	4574bd93391feb09a4f2fb7feaa0f29d.exe
Token: 33	2496	4574bd93391feb09a4f2fb7feaa0f29d.exe
Token: SeIncBasePriorityPrivilege	2496	4574bd93391feb09a4f2fb7feaa0f29d.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

4574bd93391feb09a4f2fb7feaa0f29d.exe

description	pid	process	target process
PID 2496 wrote to memory of 2596	2496	4574bd93391feb09a4f2fb7feaa0f29d.exe	netsh.exe
PID 2496 wrote to memory of 2596	2496	4574bd93391feb09a4f2fb7feaa0f29d.exe	netsh.exe
PID 2496 wrote to memory of 2596	2496	4574bd93391feb09a4f2fb7feaa0f29d.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\4574bd93391feb09a4f2fb7feaa0f29d.exe
"C:\Users\Admin\AppData\Local\Temp\4574bd93391feb09a4f2fb7feaa0f29d.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2496

C:\Windows\system32\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\4574bd93391feb09a4f2fb7feaa0f29d.exe" "4574bd93391feb09a4f2fb7feaa0f29d.exe" ENABLE
2⤵
- Modifies Windows Firewall
PID:2596

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2496-0-0x0000000000270000-0x0000000000286000-memory.dmp

Filesize
88KB

Download
memory/2496-1-0x000007FEF5480000-0x000007FEF5E1D000-memory.dmp

Filesize
9.6MB

Download
memory/2496-2-0x00000000020F0000-0x0000000002170000-memory.dmp

Filesize
512KB

Download
memory/2496-3-0x000007FEF5480000-0x000007FEF5E1D000-memory.dmp

Filesize
9.6MB

Download
memory/2496-4-0x00000000020F0000-0x0000000002170000-memory.dmp

Filesize
512KB

Download
memory/2496-5-0x000007FEF5480000-0x000007FEF5E1D000-memory.dmp

Filesize
9.6MB

Download