Analysis Overview
SHA256
b879ee29bdb0b353e8d2e1697296af70e256fcec9e560a973b8d6360be60460c
Threat Level: Known bad
The file celestial crack.exe was found to be: Known bad.
Malicious Activity Summary
Njrat family
njRAT/Bladabindi
Modifies Windows Firewall
Executes dropped EXE
Drops startup file
Loads dropped DLL
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Drops autorun.inf file
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-20 18:17
Signatures
Njrat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-20 18:17
Reported
2024-01-20 18:18
Platform
win7-20231129-en
Max time kernel
27s
Max time network
26s
Command Line
Signatures
njRAT/Bladabindi
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d1cc93bd33e3564c2d5d5688d8b6c4a2.exe | C:\Users\Admin\AppData\Local\Temp\77$.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d1cc93bd33e3564c2d5d5688d8b6c4a2.exe | C:\Users\Admin\AppData\Local\Temp\77$.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\77$.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\celestial crack.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\d1cc93bd33e3564c2d5d5688d8b6c4a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\77$.exe\" .." | C:\Users\Admin\AppData\Local\Temp\77$.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\d1cc93bd33e3564c2d5d5688d8b6c4a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\77$.exe\" .." | C:\Users\Admin\AppData\Local\Temp\77$.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Drops autorun.inf file
| Description | Indicator | Process | Target |
| File opened for modification | F:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\77$.exe | N/A |
| File created | C:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\77$.exe | N/A |
| File opened for modification | C:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\77$.exe | N/A |
| File created | D:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\77$.exe | N/A |
| File created | F:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\77$.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\77$.exe | N/A |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\77$.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\77$.exe | N/A |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\77$.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\77$.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\celestial crack.exe
"C:\Users\Admin\AppData\Local\Temp\celestial crack.exe"
C:\Users\Admin\AppData\Local\Temp\77$.exe
"C:\Users\Admin\AppData\Local\Temp\77$.exe"
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\77$.exe" "77$.exe" ENABLE
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 5.tcp.eu.ngrok.io | udp |
| DE | 3.127.181.115:17912 | 5.tcp.eu.ngrok.io | tcp |
| DE | 3.127.181.115:17912 | 5.tcp.eu.ngrok.io | tcp |
| DE | 3.127.181.115:17912 | 5.tcp.eu.ngrok.io | tcp |
| DE | 3.127.181.115:17912 | 5.tcp.eu.ngrok.io | tcp |
| DE | 3.127.181.115:17912 | N/A | tcp |
Files
memory/2032-0-0x0000000074970000-0x0000000074F1B000-memory.dmp
memory/2032-1-0x0000000074970000-0x0000000074F1B000-memory.dmp
memory/2032-2-0x00000000003B0000-0x00000000003F0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\77$.exe
| MD5 | 3569db129cff7f9fa82809163432c4ca |
| SHA1 | 731902dc450523664d92dba7822f9e14d7e25293 |
| SHA256 | b879ee29bdb0b353e8d2e1697296af70e256fcec9e560a973b8d6360be60460c |
| SHA512 | f880d5c5ffd6a8fb90fad9f0100220bce4f285ff3963c73511bf9d87effecdc96562309390aa7c1a0fb912f620c2484e25b2e0e736e1d666a13cd8f184b1dea3 |
memory/2032-11-0x0000000074970000-0x0000000074F1B000-memory.dmp
memory/2144-12-0x0000000001F60000-0x0000000001FA0000-memory.dmp
memory/2144-10-0x0000000074970000-0x0000000074F1B000-memory.dmp
memory/2144-13-0x0000000074970000-0x0000000074F1B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-20 18:17
Reported
2024-01-20 18:18
Platform
win10v2004-20231215-en
Max time kernel
23s
Max time network
30s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\celestial crack.exe
"C:\Users\Admin\AppData\Local\Temp\celestial crack.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
Files
memory/4468-0-0x0000000074AE0000-0x0000000075091000-memory.dmp
memory/4468-1-0x0000000001710000-0x0000000001720000-memory.dmp
memory/4468-2-0x0000000074AE0000-0x0000000075091000-memory.dmp