njrat | f44f9ca899f0ac7efc49d491703f249b86f4863914baddd8cedeb3646d0086ae

General

Target

7B1809B4AA561D6A694744164831856A.exe
Size

23KB
MD5

7b1809b4aa561d6a694744164831856a
SHA1

efa9b84a0e9f0c8ae1dd1fb0c7b28366ca3c04bf
SHA256

f44f9ca899f0ac7efc49d491703f249b86f4863914baddd8cedeb3646d0086ae
SHA512

ad3dbf695d19b9224f23af11793a2520a7717b8b545b4561046bd033161e13a11286374b0f17234aacf9247864c106db5323e2327f10b885a98ec62b44f55afe
SSDEEP

384:HY324bcgPiJLQrfARGSRUJsbY6ZgvSMBD3tVmRvR6JZlbw8hqIusZzZaA:QL2s+tRdRpcnuk

Score

10^/10

njrat evasion persistence trojan

Malware Config

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

2276 netsh.exe

pid	process
2276	netsh.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

7B1809B4AA561D6A694744164831856A.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\3378fb27680d4a9a06e6f191501123e0 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\7B1809B4AA561D6A694744164831856A.exe\" .."	7B1809B4AA561D6A694744164831856A.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\3378fb27680d4a9a06e6f191501123e0 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\7B1809B4AA561D6A694744164831856A.exe\" .."	7B1809B4AA561D6A694744164831856A.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

7B1809B4AA561D6A694744164831856A.exe

description	pid	process
Token: SeDebugPrivilege	2340	7B1809B4AA561D6A694744164831856A.exe
Token: 33	2340	7B1809B4AA561D6A694744164831856A.exe
Token: SeIncBasePriorityPrivilege	2340	7B1809B4AA561D6A694744164831856A.exe
Token: 33	2340	7B1809B4AA561D6A694744164831856A.exe
Token: SeIncBasePriorityPrivilege	2340	7B1809B4AA561D6A694744164831856A.exe
Token: 33	2340	7B1809B4AA561D6A694744164831856A.exe
Token: SeIncBasePriorityPrivilege	2340	7B1809B4AA561D6A694744164831856A.exe
Token: 33	2340	7B1809B4AA561D6A694744164831856A.exe
Token: SeIncBasePriorityPrivilege	2340	7B1809B4AA561D6A694744164831856A.exe
Token: 33	2340	7B1809B4AA561D6A694744164831856A.exe
Token: SeIncBasePriorityPrivilege	2340	7B1809B4AA561D6A694744164831856A.exe
Token: 33	2340	7B1809B4AA561D6A694744164831856A.exe
Token: SeIncBasePriorityPrivilege	2340	7B1809B4AA561D6A694744164831856A.exe
Token: 33	2340	7B1809B4AA561D6A694744164831856A.exe
Token: SeIncBasePriorityPrivilege	2340	7B1809B4AA561D6A694744164831856A.exe
Token: 33	2340	7B1809B4AA561D6A694744164831856A.exe
Token: SeIncBasePriorityPrivilege	2340	7B1809B4AA561D6A694744164831856A.exe
Token: 33	2340	7B1809B4AA561D6A694744164831856A.exe
Token: SeIncBasePriorityPrivilege	2340	7B1809B4AA561D6A694744164831856A.exe
Token: 33	2340	7B1809B4AA561D6A694744164831856A.exe
Token: SeIncBasePriorityPrivilege	2340	7B1809B4AA561D6A694744164831856A.exe
Token: 33	2340	7B1809B4AA561D6A694744164831856A.exe
Token: SeIncBasePriorityPrivilege	2340	7B1809B4AA561D6A694744164831856A.exe
Token: 33	2340	7B1809B4AA561D6A694744164831856A.exe
Token: SeIncBasePriorityPrivilege	2340	7B1809B4AA561D6A694744164831856A.exe
Token: 33	2340	7B1809B4AA561D6A694744164831856A.exe
Token: SeIncBasePriorityPrivilege	2340	7B1809B4AA561D6A694744164831856A.exe
Token: 33	2340	7B1809B4AA561D6A694744164831856A.exe
Token: SeIncBasePriorityPrivilege	2340	7B1809B4AA561D6A694744164831856A.exe
Token: 33	2340	7B1809B4AA561D6A694744164831856A.exe
Token: SeIncBasePriorityPrivilege	2340	7B1809B4AA561D6A694744164831856A.exe
Token: 33	2340	7B1809B4AA561D6A694744164831856A.exe
Token: SeIncBasePriorityPrivilege	2340	7B1809B4AA561D6A694744164831856A.exe
Token: 33	2340	7B1809B4AA561D6A694744164831856A.exe
Token: SeIncBasePriorityPrivilege	2340	7B1809B4AA561D6A694744164831856A.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

7B1809B4AA561D6A694744164831856A.exe

description	pid	process	target process
PID 2340 wrote to memory of 2276	2340	7B1809B4AA561D6A694744164831856A.exe	netsh.exe
PID 2340 wrote to memory of 2276	2340	7B1809B4AA561D6A694744164831856A.exe	netsh.exe
PID 2340 wrote to memory of 2276	2340	7B1809B4AA561D6A694744164831856A.exe	netsh.exe
PID 2340 wrote to memory of 2276	2340	7B1809B4AA561D6A694744164831856A.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\7B1809B4AA561D6A694744164831856A.exe
"C:\Users\Admin\AppData\Local\Temp\7B1809B4AA561D6A694744164831856A.exe"
1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2340

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\7B1809B4AA561D6A694744164831856A.exe" "7B1809B4AA561D6A694744164831856A.exe" ENABLE
2⤵
- Modifies Windows Firewall
PID:2276

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2340-0-0x0000000074CD0000-0x000000007527B000-memory.dmp

Filesize
5.7MB

Download
memory/2340-2-0x0000000000710000-0x0000000000750000-memory.dmp

Filesize
256KB

Download
memory/2340-1-0x0000000074CD0000-0x000000007527B000-memory.dmp

Filesize
5.7MB

Download
memory/2340-3-0x0000000074CD0000-0x000000007527B000-memory.dmp

Filesize
5.7MB

Download
memory/2340-4-0x0000000074CD0000-0x000000007527B000-memory.dmp

Filesize
5.7MB

Download
memory/2340-5-0x0000000000710000-0x0000000000750000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads