Malware Analysis Report

2025-01-22 14:01

Sample ID 240227-2zv2tsdg51
Target aa60573d3d1a56190858edb2df0344b9d1082f0eae840004941a1d6b30a1b804
SHA256 aa60573d3d1a56190858edb2df0344b9d1082f0eae840004941a1d6b30a1b804
Tags
njrat hacked evasion trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

aa60573d3d1a56190858edb2df0344b9d1082f0eae840004941a1d6b30a1b804

Threat Level: Known bad

The file aa60573d3d1a56190858edb2df0344b9d1082f0eae840004941a1d6b30a1b804 was found to be: Known bad.

Malicious Activity Summary

njrat hacked evasion trojan

njRAT/Bladabindi

Modifies Windows Firewall

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-27 23:01

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-27 23:01

Reported

2024-02-27 23:04

Platform

win7-20240221-en

Max time kernel

151s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\aa60573d3d1a56190858edb2df0344b9d1082f0eae840004941a1d6b30a1b804.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A 2.tcp.eu.ngrok.io N/A N/A
N/A 2.tcp.eu.ngrok.io N/A N/A
N/A 2.tcp.eu.ngrok.io N/A N/A
N/A 2.tcp.eu.ngrok.io N/A N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aa60573d3d1a56190858edb2df0344b9d1082f0eae840004941a1d6b30a1b804.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\aa60573d3d1a56190858edb2df0344b9d1082f0eae840004941a1d6b30a1b804.exe

"C:\Users\Admin\AppData\Local\Temp\aa60573d3d1a56190858edb2df0344b9d1082f0eae840004941a1d6b30a1b804.exe"

C:\Users\Admin\AppData\Local\Temp\Server.exe

"C:\Users\Admin\AppData\Local\Temp\Server.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe" "Server.exe" ENABLE

Network

Country Destination Domain Proto
US 8.8.8.8:53 2.tcp.eu.ngrok.io udp
DE 18.156.13.209:15020 2.tcp.eu.ngrok.io tcp
DE 18.156.13.209:15020 2.tcp.eu.ngrok.io tcp
DE 18.156.13.209:15020 2.tcp.eu.ngrok.io tcp
DE 18.156.13.209:15020 2.tcp.eu.ngrok.io tcp
DE 18.156.13.209:15020 2.tcp.eu.ngrok.io tcp
DE 18.156.13.209:15020 2.tcp.eu.ngrok.io tcp
DE 18.156.13.209:15020 2.tcp.eu.ngrok.io tcp
DE 18.156.13.209:15020 2.tcp.eu.ngrok.io tcp
DE 18.156.13.209:15020 2.tcp.eu.ngrok.io tcp
DE 18.156.13.209:15020 2.tcp.eu.ngrok.io tcp
DE 18.156.13.209:15020 2.tcp.eu.ngrok.io tcp
DE 18.156.13.209:15020 2.tcp.eu.ngrok.io tcp
DE 18.156.13.209:15020 2.tcp.eu.ngrok.io tcp
DE 18.156.13.209:15020 2.tcp.eu.ngrok.io tcp
DE 18.156.13.209:15020 2.tcp.eu.ngrok.io tcp
DE 18.156.13.209:15020 2.tcp.eu.ngrok.io tcp
DE 18.156.13.209:15020 2.tcp.eu.ngrok.io tcp
DE 18.156.13.209:15020 2.tcp.eu.ngrok.io tcp
DE 18.156.13.209:15020 2.tcp.eu.ngrok.io tcp
DE 18.156.13.209:15020 2.tcp.eu.ngrok.io tcp
DE 18.156.13.209:15020 2.tcp.eu.ngrok.io tcp
DE 18.156.13.209:15020 2.tcp.eu.ngrok.io tcp
DE 18.156.13.209:15020 2.tcp.eu.ngrok.io tcp
DE 18.156.13.209:15020 2.tcp.eu.ngrok.io tcp
DE 18.156.13.209:15020 2.tcp.eu.ngrok.io tcp
DE 18.156.13.209:15020 2.tcp.eu.ngrok.io tcp
DE 18.156.13.209:15020 2.tcp.eu.ngrok.io tcp
DE 18.156.13.209:15020 2.tcp.eu.ngrok.io tcp
DE 18.156.13.209:15020 2.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 2.tcp.eu.ngrok.io udp
DE 18.156.13.209:15020 2.tcp.eu.ngrok.io tcp
DE 18.156.13.209:15020 2.tcp.eu.ngrok.io tcp
DE 18.156.13.209:15020 2.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 2.tcp.eu.ngrok.io udp
DE 3.126.37.18:15020 2.tcp.eu.ngrok.io tcp
DE 3.126.37.18:15020 2.tcp.eu.ngrok.io tcp
DE 3.126.37.18:15020 2.tcp.eu.ngrok.io tcp
DE 3.126.37.18:15020 2.tcp.eu.ngrok.io tcp
DE 3.126.37.18:15020 2.tcp.eu.ngrok.io tcp
DE 3.126.37.18:15020 2.tcp.eu.ngrok.io tcp
DE 3.126.37.18:15020 2.tcp.eu.ngrok.io tcp
DE 3.126.37.18:15020 2.tcp.eu.ngrok.io tcp
DE 3.126.37.18:15020 2.tcp.eu.ngrok.io tcp
DE 3.126.37.18:15020 2.tcp.eu.ngrok.io tcp
DE 3.126.37.18:15020 2.tcp.eu.ngrok.io tcp
DE 3.126.37.18:15020 2.tcp.eu.ngrok.io tcp
DE 3.126.37.18:15020 2.tcp.eu.ngrok.io tcp
DE 3.126.37.18:15020 2.tcp.eu.ngrok.io tcp
DE 3.126.37.18:15020 2.tcp.eu.ngrok.io tcp
DE 3.126.37.18:15020 2.tcp.eu.ngrok.io tcp
DE 3.126.37.18:15020 2.tcp.eu.ngrok.io tcp
DE 3.126.37.18:15020 2.tcp.eu.ngrok.io tcp
DE 3.126.37.18:15020 2.tcp.eu.ngrok.io tcp
DE 3.126.37.18:15020 2.tcp.eu.ngrok.io tcp
DE 3.126.37.18:15020 2.tcp.eu.ngrok.io tcp
DE 3.126.37.18:15020 2.tcp.eu.ngrok.io tcp
DE 3.126.37.18:15020 2.tcp.eu.ngrok.io tcp
DE 3.126.37.18:15020 2.tcp.eu.ngrok.io tcp
DE 3.126.37.18:15020 2.tcp.eu.ngrok.io tcp
DE 3.126.37.18:15020 2.tcp.eu.ngrok.io tcp
DE 3.126.37.18:15020 2.tcp.eu.ngrok.io tcp
DE 3.126.37.18:15020 2.tcp.eu.ngrok.io tcp
DE 3.126.37.18:15020 2.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 2.tcp.eu.ngrok.io udp
DE 18.197.239.5:15020 2.tcp.eu.ngrok.io tcp
DE 18.197.239.5:15020 2.tcp.eu.ngrok.io tcp
DE 18.197.239.5:15020 2.tcp.eu.ngrok.io tcp
DE 18.197.239.5:15020 2.tcp.eu.ngrok.io tcp
DE 18.197.239.5:15020 2.tcp.eu.ngrok.io tcp

Files

memory/1968-0-0x000007FEF5940000-0x000007FEF62DD000-memory.dmp

memory/1968-1-0x0000000000480000-0x0000000000500000-memory.dmp

memory/1968-2-0x000007FEF5940000-0x000007FEF62DD000-memory.dmp

memory/1968-3-0x0000000000480000-0x0000000000500000-memory.dmp

memory/1968-6-0x0000000001FF0000-0x0000000002000000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Server.exe

MD5 f39d9edcb7db7838b0f7948f118b96ac
SHA1 40c19b465bba365ef8ffe3d2fc1e0bff32b1dabb
SHA256 00be3df100019a015209e3ee4d2d8aa68d787ba0492e69a85da681d80635cc72
SHA512 48393ecb3cf8934ecfef7393c498e03ce8c035d27bfbf7a30938a5c37a35f31212c0d8c4feddff0c02cffcba881af934c6232a3dc6e41a19172cc29e40cddf86

memory/1968-12-0x000007FEF5940000-0x000007FEF62DD000-memory.dmp

memory/2512-13-0x00000000743E0000-0x000000007498B000-memory.dmp

memory/2512-15-0x0000000000210000-0x0000000000250000-memory.dmp

memory/2512-14-0x00000000743E0000-0x000000007498B000-memory.dmp

memory/2512-16-0x00000000743E0000-0x000000007498B000-memory.dmp

memory/2512-17-0x00000000743E0000-0x000000007498B000-memory.dmp

memory/2512-18-0x0000000000210000-0x0000000000250000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-27 23:01

Reported

2024-02-27 23:04

Platform

win10v2004-20240226-en

Max time kernel

147s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\aa60573d3d1a56190858edb2df0344b9d1082f0eae840004941a1d6b30a1b804.exe"

Signatures

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aa60573d3d1a56190858edb2df0344b9d1082f0eae840004941a1d6b30a1b804.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\aa60573d3d1a56190858edb2df0344b9d1082f0eae840004941a1d6b30a1b804.exe

"C:\Users\Admin\AppData\Local\Temp\aa60573d3d1a56190858edb2df0344b9d1082f0eae840004941a1d6b30a1b804.exe"

Network

Country Destination Domain Proto
US 20.231.121.79:80 tcp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 16.234.44.23.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 77.239.69.13.in-addr.arpa udp

Files

memory/4864-0-0x000000001BA40000-0x000000001BAE6000-memory.dmp

memory/4864-1-0x00007FFB346A0000-0x00007FFB35041000-memory.dmp

memory/4864-2-0x0000000001370000-0x0000000001380000-memory.dmp

memory/4864-3-0x000000001BFC0000-0x000000001C48E000-memory.dmp

memory/4864-4-0x00007FFB346A0000-0x00007FFB35041000-memory.dmp

memory/4864-5-0x000000001C550000-0x000000001C5EC000-memory.dmp

memory/4864-6-0x0000000001310000-0x0000000001318000-memory.dmp

memory/4864-7-0x000000001C6B0000-0x000000001C6FC000-memory.dmp

memory/4864-10-0x00007FFB346A0000-0x00007FFB35041000-memory.dmp