Analysis Overview
SHA256
4693578ea4ae9212aa51d50c21adac0f6dcd9a7014d974d2e0425328b84e9149
Threat Level: Known bad
The file alekeseke was found to be: Known bad.
Malicious Activity Summary
Njrat family
njRAT/Bladabindi
Executes dropped EXE
Drops startup file
Legitimate hosting services abused for malware hosting/C2
Adds Run key to start application
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
Suspicious use of AdjustPrivilegeToken
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-25 05:06
Signatures
Njrat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-25 05:06
Reported
2024-02-25 05:18
Platform
win7-20240221-en
Max time kernel
465s
Max time network
462s
Command Line
Signatures
njRAT/Bladabindi
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe | C:\Users\Admin\Desktop\NOT A VIRUS.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.url | C:\Users\Admin\Desktop\NOT A VIRUS.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe | C:\Users\Admin\Desktop\NOT A VIRUS.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\NOT A VIRUS.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client.exe = "\"C:\\Users\\Admin\\Desktop\\NOT A VIRUS.exe\" .." | C:\Users\Admin\Desktop\NOT A VIRUS.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Client.exe = "\"C:\\Users\\Admin\\Desktop\\NOT A VIRUS.exe\" .." | C:\Users\Admin\Desktop\NOT A VIRUS.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | 0.tcp.eu.ngrok.io | N/A | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\TASKKILL.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1708 wrote to memory of 2092 | N/A | C:\Users\Admin\Desktop\NOT A VIRUS.exe | C:\Windows\SysWOW64\TASKKILL.exe |
| PID 1708 wrote to memory of 2124 | N/A | C:\Users\Admin\Desktop\NOT A VIRUS.exe | C:\Windows\SysWOW64\TASKKILL.exe |
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\alekeseke.zip
C:\Windows\system32\verclsid.exe
"C:\Windows\system32\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x401
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap14468:76:7zEvent32747
C:\Users\Admin\Desktop\NOT A VIRUS.exe
"C:\Users\Admin\Desktop\NOT A VIRUS.exe"
C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /IM wscript.exe
C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /IM cmd.exe
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 0.tcp.eu.ngrok.io | udp |
| DE | 3.125.223.134:12607 | 0.tcp.eu.ngrok.io | tcp |
| DE | 3.125.209.94:12607 | 0.tcp.eu.ngrok.io | tcp |
| DE | 3.124.142.205:12607 | 0.tcp.eu.ngrok.io | tcp |
Files
C:\Users\Admin\Desktop\NOT A VIRUS.exe
| MD5 | e431cae2c2e7c1d50e2264102d898310 |
| SHA1 | 7eae6955815fda22dd9ed02302d5f0ca4596854f |
| SHA256 | ff86000c39c061650d004894837d8f618d0724ce3b2a2ef24072c784b2ceb67f |
| SHA512 | 74be155fefe642006b7df93aeef53ba34cb950d6172d40782de768ef7437061491b63e7950ef1038d8dbec70e60fa900ce212fd804fb9cb555f337176d99cb1c |