Malware Analysis Report

2025-03-15 06:25

Sample ID 240128-2pel4adddp
Target 7e339008a64dc8651d9dcd6d87aa0273
SHA256 7cf47a69cd57c64cf081828248127f1a600833e1b68434065fd81ecab882c0a6
Tags
hacked njrat persistence trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

7cf47a69cd57c64cf081828248127f1a600833e1b68434065fd81ecab882c0a6

Threat Level: Known bad

The file 7e339008a64dc8651d9dcd6d87aa0273 was found to be: Known bad.

Malicious Activity Summary

hacked njrat persistence trojan

Njrat family

njRAT/Bladabindi

Drops startup file

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Views/modifies file attributes

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-28 22:45

Signatures

Njrat family

njrat

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-28 22:45

Reported

2024-01-28 22:47

Platform

win7-20231215-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7e339008a64dc8651d9dcd6d87aa0273.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk | C:\Users\Admin\AppData\Local\Temp\7e339008a64dc8651d9dcd6d87aa0273.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7e339008a64dc8651d9dcd6d87aa0273.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Payload.exe" | C:\Users\Admin\AppData\Local\Temp\7e339008a64dc8651d9dcd6d87aa0273.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A
In the order logged, the parent first registers its Temp copy directly (Windows2 = Payload.exe); Payload.exe then overwrites Windows2 and adds a second value, Windows, both pointing at Templates\Windows.URL, under the user's Run key and under the machine Run key as a 32-bit process sees it (Wow6432Node). Windows.URL is not among the files recorded as written in this run; the Files section lists Templates\Windows.lnk at that location instead.

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A
The pair Token: 33 / Token: SeIncBasePriorityPrivilege is logged 16 times in succession. Privilege LUID 33 is SeIncreaseWorkingSetPrivilege; the sandbox reports it by number because it did not resolve the name.

Views/modifies file attributes

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7e339008a64dc8651d9dcd6d87aa0273.exe

"C:\Users\Admin\AppData\Local\Temp\7e339008a64dc8651d9dcd6d87aa0273.exe"

C:\Users\Admin\AppData\Local\Temp\Payload.exe

"C:\Users\Admin\AppData\Local\Temp\Payload.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +h +r +s "C:\Users\Admin\AppData\Local\Temp\Payload.exe"
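The indicators above in this run, and their twins in the behavioral2 run, are the three host signals a detection engineer would turn into rules: Run values written under HKCU and under HKLM\...\Wow6432Node, a drop into the per-user Startup folder, and attrib.exe hiding the Temp copy. The Python below is an added example written for this page, not sandbox or report output: it runs those checks over a handful of constructed telemetry records modelled on the behavioral1 rows (registry-set, file-create and process-create events, plus two benign control records) and tags each hit with the ATT&CK technique it maps to. The event field names, the non-PE extension list and the benign rows are assumptions made for the example.

```python
"""Host-telemetry checks for the njRAT persistence chain seen in this report.

Added example: SAMPLE_EVENTS is constructed from the report's behavioral1 rows plus
two benign control records; the field names are an assumption, not a real log schema.
"""
import ntpath
import re

# ATT&CK technique IDs the findings are tagged with.
T_AUTOSTART = "T1547.001"  # Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
T_HIDDEN = "T1564.001"     # Hide Artifacts: Hidden Files and Directories

RUN_KEY_RE = re.compile(r"\\software\\(wow6432node\\)?microsoft\\windows\\currentversion\\run\\", re.I)
STARTUP_RE = re.compile(r"\\start menu\\programs\\startup\\", re.I)
TEMP_RE = re.compile(r"\\appdata\\local\\temp\\", re.I)
ATTRIB_RE = re.compile(r"(^|\\)attrib(\.exe)?$", re.I)
# Run values pointing at these extensions are launched via a shell handler, not as a PE (assumption).
NON_PE_EXT = {".url", ".lnk", ".vbs", ".js", ".bat", ".cmd", ".ps1"}


def extract_image(data: str) -> str:
    """Pull the launched path out of Run value data, dropping quotes and arguments.
    This report renders registry data with doubled backslashes; real telemetry does not,
    and the collapse below would mangle UNC paths, so remove it outside this page."""
    s = data.strip().replace("\\\\", "\\")
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(" ", 1)[0]


def check_run_value(key: str, data: str):
    """Reason string if a Run value points where this sample's did, else None."""
    if not RUN_KEY_RE.search(key):
        return None
    value_name = key.rsplit("\\", 1)[-1]
    image = extract_image(data)
    ext = ntpath.splitext(image)[1].lower()
    if ext in NON_PE_EXT:
        return f"Run value {value_name!r} launches a non-PE file: {image}"
    if TEMP_RE.search(image):
        return f"Run value {value_name!r} launches an executable from the user Temp folder: {image}"
    return None


def check_startup_drop(path: str):
    """Reason string if a file is written into the per-user Startup folder, else None."""
    return f"file written to the Startup folder: {path}" if STARTUP_RE.search(path) else None


def check_attrib_hide(cmdline: str):
    """Reason string if attrib.exe sets hidden+system on a file under the user Temp folder."""
    tokens = cmdline.split()
    if not tokens or not ATTRIB_RE.search(tokens[0].strip('"')):
        return None
    flags = {t.lower() for t in tokens[1:] if t.startswith(("+", "-"))}
    if not {"+h", "+s"} <= flags:
        return None
    quoted = re.search(r'"([^"]+)"', cmdline)
    target = quoted.group(1) if quoted else tokens[-1]
    return f"attrib +h +s applied to Temp file: {target}" if TEMP_RE.search(target) else None


def triage(events):
    """Run the checks over a list of event dicts and return the findings."""
    findings = []
    for ev in events:
        if ev["type"] == "registry_set":
            reason, technique = check_run_value(ev["key"], ev["data"]), T_AUTOSTART
        elif ev["type"] == "file_create":
            reason, technique = check_startup_drop(ev["path"]), T_AUTOSTART
        elif ev["type"] == "process_create":
            reason, technique = check_attrib_hide(ev["cmdline"]), T_HIDDEN
        else:
            continue
        if reason:
            findings.append({"technique": technique, "process": ev["process"], "reason": reason})
    return findings


# Constructed records modelled on the behavioral1 tables above (not a real log export).
SAMPLE_EVENTS = [
    {"type": "registry_set", "process": r"C:\Users\Admin\AppData\Local\Temp\7e339008a64dc8651d9dcd6d87aa0273.exe",
     "key": r"\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2",
     "data": r'"C:\\Users\\Admin\\AppData\\Local\\Temp\\Payload.exe"'},
    {"type": "registry_set", "process": r"C:\Users\Admin\AppData\Local\Temp\Payload.exe",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows",
     "data": r'"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"'},
    {"type": "file_create", "process": r"C:\Users\Admin\AppData\Local\Temp\Payload.exe",
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe"},
    {"type": "process_create", "process": r"C:\Windows\SysWOW64\attrib.exe",
     "cmdline": r'attrib +h +r +s "C:\Users\Admin\AppData\Local\Temp\Payload.exe"'},
    # Benign controls (constructed): a per-user app autostarting from AppData\Local, and a read-only flag.
    {"type": "registry_set", "process": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "key": r"\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r'"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background'},
    {"type": "process_create", "process": r"C:\Windows\System32\attrib.exe",
     "cmdline": r'attrib +r "C:\Users\Admin\Documents\notes.txt"'},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f['technique']}] {f['process']}: {f['reason']}")
```

The Run-key check deliberately flags only the user Temp folder and non-PE targets (.url, .lnk, script files) rather than anything under AppData, because legitimate per-user software also autostarts from AppData\Local; the constructed OneDrive row shows the rule staying quiet on that case. Run against the four sample-derived records it returns three T1547.001 findings and one T1564.001 finding.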

Network

Country | Destination | Domain | Proto
DE | 79.224.89.201:5552 | (no domain) | tcp
The same connection is logged 6 times. No DNS query of any kind is recorded in this run, so the controller address is carried in the sample rather than resolved; 5552 is a port frequently associated with njRAT controllers.

Files

memory/2420-2-0x0000000000450000-0x0000000000490000-memory.dmp

memory/2420-1-0x0000000074D20000-0x00000000752CB000-memory.dmp

memory/2420-0-0x0000000074D20000-0x00000000752CB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Payload.exe

MD5 7e339008a64dc8651d9dcd6d87aa0273
SHA1 7396c618a2de48c88d1873792a4e4216050a76e4
SHA256 7cf47a69cd57c64cf081828248127f1a600833e1b68434065fd81ecab882c0a6
SHA512 fe1bc91cc353d43a385c1cfdf8466d1a88200ca1a3a90a62632bcbc7e05be70e6fe0fa9cbc3b52d94072781d3f67526b20113979f0f65f15758ddea92d8e4abb
Same MD5 and SHA256 as the submitted sample: Payload.exe is a byte-for-byte copy of the original executable, written to the user's Temp folder and then hidden with attrib +h +r +s. Startup\Windows.exe and Templates\Windows.URL, referenced by the signatures above, are not among the files recorded as written in this run.

memory/2420-12-0x0000000074D20000-0x00000000752CB000-memory.dmp

memory/2744-14-0x00000000002A0000-0x00000000002E0000-memory.dmp

memory/2744-13-0x0000000074D20000-0x00000000752CB000-memory.dmp

memory/2744-15-0x0000000074D20000-0x00000000752CB000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk

MD5 97674ac930f2e31785c25a7f03fbdb29
SHA1 8ff4d7843f31919699bc82f5a783a6ea5ff0aa22
SHA256 efddcb1a9aaace1bebe163ddaf2c69e666a795bcee3a2970d3f90ac694229ec4
SHA512 8ee7ecc8509e8d462f6b1e02ae7d8b7275256e264ad521333933e972da012082764259b5b6de0be5507f064f3d5d767667c0856a03173289cdf01a6238006015

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk

MD5 a04022da2a7e3d9e16a8f1ba01397289
SHA1 b4874e0929b74a86cd7f4105dde6631af08a191a
SHA256 919c4140a4d75958779d865406adfd964dabd16f1d0012ff32aecad4bcb1c66e
SHA512 cc3dc36485b4a7f9b41d6004df4db8ec80a2cf3c360d12ba03d99aff13825b0267154b0a59ca73b5695b53c8422023c53059165094fd54de156529fcd13dcdaa

memory/2744-21-0x0000000074D20000-0x00000000752CB000-memory.dmp

memory/2744-22-0x00000000002A0000-0x00000000002E0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-28 22:45

Reported

2024-01-28 22:47

Platform

win10v2004-20231215-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7e339008a64dc8651d9dcd6d87aa0273.exe"

Signatures

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7e339008a64dc8651d9dcd6d87aa0273.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk | C:\Users\Admin\AppData\Local\Temp\7e339008a64dc8651d9dcd6d87aa0273.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Payload.exe" | C:\Users\Admin\AppData\Local\Temp\7e339008a64dc8651d9dcd6d87aa0273.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A
The same values as on Windows 7 are written: Windows2 by the parent pointing at its Temp copy, then Windows2 and Windows by Payload.exe pointing at Templates\Windows.URL, in both the user Run key and the Wow6432Node view of the machine Run key. As in the Windows 7 run, Windows.URL is not among the files recorded as written; the Files section lists Templates\Windows.lnk instead.

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A
The pair Token: 33 / Token: SeIncBasePriorityPrivilege is logged 16 times in succession, exactly as on Windows 7. Privilege LUID 33 is SeIncreaseWorkingSetPrivilege.

Views/modifies file attributes

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7e339008a64dc8651d9dcd6d87aa0273.exe

"C:\Users\Admin\AppData\Local\Temp\7e339008a64dc8651d9dcd6d87aa0273.exe"

C:\Users\Admin\AppData\Local\Temp\Payload.exe

"C:\Users\Admin\AppData\Local\Temp\Payload.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +h +r +s "C:\Users\Admin\AppData\Local\Temp\Payload.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
DE | 79.224.89.201:5552 | (no domain) | tcp
US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp
DE | 79.224.89.201:5552 | (no domain) | tcp
US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp
DE | 79.224.89.201:5552 | (no domain) | tcp
US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp
DE | 79.224.89.201:5552 | (no domain) | tcp
US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp
DE | 79.224.89.201:5552 | (no domain) | tcp
DE | 79.224.89.201:5552 | (no domain) | tcp
As on Windows 7, the sample's own traffic is six TCP connections to 79.224.89.201:5552 by IP with no forward DNS query. The UDP rows are PTR (reverse) lookups against 8.8.8.8 for addresses that are never contacted in either run and that do not appear at all in the Windows 7 run; they are consistent with background traffic of the Windows 10 image rather than with the sample, although this table alone does not show which process issued them.
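Both Network tables in this report show one pattern: no forward DNS query, six TCP connections to 79.224.89.201:5552 per run, and (on the Windows 10 image only) PTR lookups against 8.8.8.8 for addresses the sample never connects to. The Python below is an added example for this page, not sandbox output, that encodes that reasoning so it can be applied to other reports of the same shape: it parses the rows copied from the behavioral2 table, separates PTR lookups of contacted addresses from those of never-contacted ones, and reports repeated TCP to a public IP on an uncommon port as a C2 candidate. The port list and the three-connection threshold are assumptions of the example, and because the table records queries but not answers, "hardcoded_ip" asserts only that no forward lookup was observed in the capture.

```python
"""Triage of a sandbox Network table: hard-coded C2 versus DNS background noise.

Added example for this page, not sandbox output. REPORT_ROWS is copied from the
behavioral2 Network table; COMMON_PORTS and the connection threshold are assumptions.
"""
import ipaddress
from collections import Counter

# Rows from the behavioral2 Network table (Country Destination Domain Proto);
# the Domain column is empty for the direct-IP TCP connections.
REPORT_ROWS = """\
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
DE 79.224.89.201:5552 tcp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
DE 79.224.89.201:5552 tcp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
DE 79.224.89.201:5552 tcp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
DE 79.224.89.201:5552 tcp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
DE 79.224.89.201:5552 tcp
DE 79.224.89.201:5552 tcp
"""

# Ports on which repeated connections are unremarkable on their own (assumption).
COMMON_PORTS = {25, 53, 80, 110, 143, 443, 465, 587, 993, 995, 8080, 8443}


def parse_rows(text):
    """Parse the flattened table into dicts; a 3-token row has an empty Domain column."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) not in (3, 4):
            continue
        ip, port = parts[1].rsplit(":", 1)
        rows.append({"country": parts[0], "ip": ip, "port": int(port),
                     "domain": parts[2] if len(parts) == 4 else "", "proto": parts[-1].lower()})
    return rows


def ptr_to_ip(name):
    """'133.211.185.52.in-addr.arpa' -> '52.185.211.133'; None for a forward (non-PTR) name."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    return ".".join(reversed(octets)) if len(octets) == 4 else None


def classify_dns(rows):
    """Split DNS queries into forward lookups, PTR lookups of contacted IPs, and PTR lookups
    of IPs the sample never connected to (the last bucket is the background-noise candidate)."""
    contacted = {r["ip"] for r in rows if r["proto"] == "tcp"}
    out = {"forward": [], "ptr_related": [], "ptr_unrelated": []}
    for r in rows:
        if r["port"] != 53 or not r["domain"]:
            continue
        ip = ptr_to_ip(r["domain"])
        if ip is None:
            out["forward"].append(r["domain"])
        elif ip in contacted:
            out["ptr_related"].append(ip)
        else:
            out["ptr_unrelated"].append(ip)
    return out


def c2_candidates(rows, min_hits=3):
    """Repeated TCP to one public ip:port on an uncommon port. The table logs queries but not
    answers, so 'hardcoded_ip' only asserts that no forward lookup at all was observed."""
    no_forward_dns = not classify_dns(rows)["forward"]
    counts = Counter((r["ip"], r["port"]) for r in rows if r["proto"] == "tcp")
    found = []
    for (ip, port), n in counts.items():
        if n < min_hits or port in COMMON_PORTS or not ipaddress.ip_address(ip).is_global:
            continue
        found.append({"ip": ip, "port": port, "connections": n, "hardcoded_ip": no_forward_dns})
    return sorted(found, key=lambda c: -c["connections"])


if __name__ == "__main__":
    rows = parse_rows(REPORT_ROWS)
    for c in c2_candidates(rows):
        print(f"C2 candidate {c['ip']}:{c['port']} x{c['connections']} hardcoded_ip={c['hardcoded_ip']}")
    print(f"PTR lookups unrelated to any contacted IP: {len(classify_dns(rows)['ptr_unrelated'])}")
```

On the rows above this yields a single candidate, 79.224.89.201:5552 with six connections and no forward DNS, and places all eleven PTR names in the unrelated bucket because none of them reverses to an address the sample contacted. The is_global check drops RFC 1918, loopback and similar ranges so that sandbox-internal traffic is never reported as C2.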

Files

memory/1544-0-0x0000000075180000-0x0000000075731000-memory.dmp

memory/1544-1-0x0000000001A30000-0x0000000001A40000-memory.dmp

memory/1544-2-0x0000000075180000-0x0000000075731000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Payload.exe

MD5 7e339008a64dc8651d9dcd6d87aa0273
SHA1 7396c618a2de48c88d1873792a4e4216050a76e4
SHA256 7cf47a69cd57c64cf081828248127f1a600833e1b68434065fd81ecab882c0a6
SHA512 fe1bc91cc353d43a385c1cfdf8466d1a88200ca1a3a90a62632bcbc7e05be70e6fe0fa9cbc3b52d94072781d3f67526b20113979f0f65f15758ddea92d8e4abb
As on Windows 7, Payload.exe is a byte-for-byte copy of the submitted sample (same MD5 and SHA256); Startup\Windows.exe and Templates\Windows.URL are again absent from the files recorded as written.

memory/4560-16-0x0000000000B30000-0x0000000000B40000-memory.dmp

memory/4560-15-0x0000000075180000-0x0000000075731000-memory.dmp

memory/1544-14-0x0000000075180000-0x0000000075731000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk

MD5 22cb0526d259a32938e991b4d90f8c40
SHA1 743a47e1b9f4941c4c7450bf650e2c2c62b10fd9
SHA256 454087eae3ab0ef4cbe2389aa85dfee562a0cb92e7fd3ed4f35a5c8089b9e295
SHA512 c7dd4c17565bce130750b1a44a88edaeba193a95edac1f3dc25f9e5e24643a15867b91cce549f08d41ecb6d969a6fa843b593d1f88b481b79beb64eb155be511

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk

MD5 ea09e68527bab5fd3c199172a8e34245
SHA1 28fdeb23907f350133827d84b2af791e6eb1776c
SHA256 070dd70f232d0f6af8db13d0653be8102617dd0233d8fb4d3b5bc15d78e8f751
SHA512 ab13c8807319a660bbe8efa91b413a5f7ec8b36cc7e1d18a374622f09671a2f612acc0bafa51b6df7bbd067451adaafdef0d489d2f67162606a720b04ec063cd

memory/4560-18-0x0000000075180000-0x0000000075731000-memory.dmp

memory/4560-23-0x0000000075180000-0x0000000075731000-memory.dmp