Analysis Overview
SHA256
c649ee9f5c3b66c9fddea1e4b9f9384919d424e906d0d3959734fa58542130b3
Threat Level: Known bad
The file aa0204ead1b751a640af20aa144e0fe6 was found to be: Known bad.
Malicious Activity Summary
njRAT/Bladabindi
Modifies Windows Firewall
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-27 19:45
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-27 19:45
Reported
2024-02-27 19:48
Platform
win7-20240221-en
Max time kernel
151s
Max time network
124s
Command Line
Signatures
njRAT/Bladabindi
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aa0204ead1b751a640af20aa144e0fe6.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2272 wrote to memory of 2996 | N/A | C:\Users\Admin\AppData\Local\Temp\aa0204ead1b751a640af20aa144e0fe6.exe | C:\Windows\SysWOW64\netsh.exe |
| PID 2272 wrote to memory of 2996 | N/A | C:\Users\Admin\AppData\Local\Temp\aa0204ead1b751a640af20aa144e0fe6.exe | C:\Windows\SysWOW64\netsh.exe |
| PID 2272 wrote to memory of 2996 | N/A | C:\Users\Admin\AppData\Local\Temp\aa0204ead1b751a640af20aa144e0fe6.exe | C:\Windows\SysWOW64\netsh.exe |
| PID 2272 wrote to memory of 2996 | N/A | C:\Users\Admin\AppData\Local\Temp\aa0204ead1b751a640af20aa144e0fe6.exe | C:\Windows\SysWOW64\netsh.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\aa0204ead1b751a640af20aa144e0fe6.exe
"C:\Users\Admin\AppData\Local\Temp\aa0204ead1b751a640af20aa144e0fe6.exe"
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\aa0204ead1b751a640af20aa144e0fe6.exe" "aa0204ead1b751a640af20aa144e0fe6.exe" ENABLE
Network
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:1177 | | tcp |
| N/A | 127.0.0.1:1177 | | tcp |
| N/A | 127.0.0.1:1177 | | tcp |
| N/A | 127.0.0.1:1177 | | tcp |
| N/A | 127.0.0.1:1177 | | tcp |
| N/A | 127.0.0.1:1177 | | tcp |
| N/A | 127.0.0.1:1177 | | tcp |
| N/A | 127.0.0.1:1177 | | tcp |
| N/A | 127.0.0.1:1177 | | tcp |
| N/A | 127.0.0.1:1177 | | tcp |
| N/A | 127.0.0.1:1177 | | tcp |
| N/A | 127.0.0.1:1177 | | tcp |
| N/A | 127.0.0.1:1177 | | tcp |
| N/A | 127.0.0.1:1177 | | tcp |
| N/A | 127.0.0.1:1177 | | tcp |
| N/A | 127.0.0.1:1177 | | tcp |
| N/A | 127.0.0.1:1177 | | tcp |
| N/A | 127.0.0.1:1177 | | tcp |
| N/A | 127.0.0.1:1177 | | tcp |
| N/A | 127.0.0.1:1177 | | tcp |
| N/A | 127.0.0.1:1177 | | tcp |
| N/A | 127.0.0.1:1177 | | tcp |
| N/A | 127.0.0.1:1177 | | tcp |
| N/A | 127.0.0.1:1177 | | tcp |
| N/A | 127.0.0.1:1177 | | tcp |
| N/A | 127.0.0.1:1177 | | tcp |
| N/A | 127.0.0.1:1177 | | tcp |
| N/A | 127.0.0.1:1177 | | tcp |
| N/A | 127.0.0.1:1177 | | tcp |
| N/A | 127.0.0.1:1177 | | tcp |
| N/A | 127.0.0.1:1177 | | tcp |
| N/A | 127.0.0.1:1177 | | tcp |
| N/A | 127.0.0.1:1177 | | tcp |
| N/A | 127.0.0.1:1177 | | tcp |
| N/A | 127.0.0.1:1177 | | tcp |
| N/A | 127.0.0.1:1177 | | tcp |
| N/A | 127.0.0.1:1177 | | tcp |
| N/A | 127.0.0.1:1177 | | tcp |
| N/A | 127.0.0.1:1177 | | tcp |
| N/A | 127.0.0.1:1177 | | tcp |
| N/A | 127.0.0.1:1177 | | tcp |
| N/A | 127.0.0.1:1177 | | tcp |
| N/A | 127.0.0.1:1177 | | tcp |
| N/A | 127.0.0.1:1177 | | tcp |
| N/A | 127.0.0.1:1177 | | tcp |
| N/A | 127.0.0.1:1177 | | tcp |
Files
memory/2272-0-0x0000000000B30000-0x0000000000B7A000-memory.dmp
memory/2272-1-0x0000000073CB0000-0x000000007439E000-memory.dmp
memory/2272-2-0x0000000004F20000-0x0000000004F60000-memory.dmp
memory/2272-3-0x00000000001F0000-0x0000000000200000-memory.dmp
memory/2272-4-0x0000000073CB0000-0x000000007439E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-27 19:45
Reported
2024-02-27 19:48
Platform
win10v2004-20240226-en
Max time kernel
159s
Max time network
159s
Command Line
Signatures
njRAT/Bladabindi
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aa0204ead1b751a640af20aa144e0fe6.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 460 wrote to memory of 4820 | N/A | C:\Users\Admin\AppData\Local\Temp\aa0204ead1b751a640af20aa144e0fe6.exe | C:\Windows\SysWOW64\netsh.exe |
| PID 460 wrote to memory of 4820 | N/A | C:\Users\Admin\AppData\Local\Temp\aa0204ead1b751a640af20aa144e0fe6.exe | C:\Windows\SysWOW64\netsh.exe |
| PID 460 wrote to memory of 4820 | N/A | C:\Users\Admin\AppData\Local\Temp\aa0204ead1b751a640af20aa144e0fe6.exe | C:\Windows\SysWOW64\netsh.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\aa0204ead1b751a640af20aa144e0fe6.exe
"C:\Users\Admin\AppData\Local\Temp\aa0204ead1b751a640af20aa144e0fe6.exe"
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\aa0204ead1b751a640af20aa144e0fe6.exe" "aa0204ead1b751a640af20aa144e0fe6.exe" ENABLE
Network
| Country | Destination | Domain | Proto |
| US | 138.91.171.81:80 | | tcp |
| US | 8.8.8.8:53 | 178.223.142.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 199.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 167.109.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| N/A | 127.0.0.1:1177 | | tcp |
| N/A | 127.0.0.1:1177 | | tcp |
| N/A | 127.0.0.1:1177 | | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| N/A | 127.0.0.1:1177 | | tcp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| N/A | 127.0.0.1:1177 | | tcp |
| N/A | 127.0.0.1:1177 | | tcp |
| N/A | 127.0.0.1:1177 | | tcp |
| N/A | 127.0.0.1:1177 | | tcp |
| N/A | 127.0.0.1:1177 | | tcp |
| N/A | 127.0.0.1:1177 | | tcp |
| N/A | 127.0.0.1:1177 | | tcp |
| N/A | 127.0.0.1:1177 | | tcp |
| N/A | 127.0.0.1:1177 | | tcp |
| US | 8.8.8.8:53 | 200.178.17.96.in-addr.arpa | udp |
| N/A | 127.0.0.1:1177 | | tcp |
| N/A | 127.0.0.1:1177 | | tcp |
| N/A | 127.0.0.1:1177 | | tcp |
| N/A | 127.0.0.1:1177 | | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| N/A | 127.0.0.1:1177 | | tcp |
| US | 8.8.8.8:53 | 178.178.17.96.in-addr.arpa | udp |
| N/A | 127.0.0.1:1177 | | tcp |
| N/A | 127.0.0.1:1177 | | tcp |
| N/A | 127.0.0.1:1177 | | tcp |
| N/A | 127.0.0.1:1177 | | tcp |
| N/A | 127.0.0.1:1177 | | tcp |
| N/A | 127.0.0.1:1177 | | tcp |
| N/A | 127.0.0.1:1177 | | tcp |
| N/A | 127.0.0.1:1177 | | tcp |
| N/A | 127.0.0.1:1177 | | tcp |
| N/A | 127.0.0.1:1177 | | tcp |
| N/A | 127.0.0.1:1177 | | tcp |
| N/A | 127.0.0.1:1177 | | tcp |
| N/A | 127.0.0.1:1177 | | tcp |
| US | 8.8.8.8:53 | 11.179.89.13.in-addr.arpa | udp |
| N/A | 127.0.0.1:1177 | | tcp |
| N/A | 127.0.0.1:1177 | | tcp |
| N/A | 127.0.0.1:1177 | | tcp |
| N/A | 127.0.0.1:1177 | | tcp |
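The two behaviours the report records in both detonations, the sample spawning netsh.exe to add a Windows Firewall exception for its own executable under the user's Temp directory, and the sample repeatedly connecting to 127.0.0.1:1177 (1177 is njRAT's default C2 port), are the parts of this report a detection engineer would turn into checks. The script below is an added example, not part of the sandbox report or of any Triage tooling: it reads the report's own process and network lines (copied above, with a constructed subset of the network table) and emits findings. The rule names, the `min_repeats` threshold, and the list of user-writable path patterns are assumptions. It keys on the netsh command line rather than on the report's WriteProcessMemory rows, which only show the parent writing into the netsh.exe child it spawned, and it does not try to attribute the DNS and bing.com traffic, which the report does not tie to a process.

```python
"""Heuristic triage of a Triage-style sandbox report: flag a Windows Firewall
allow-rule for a user-writable executable and repeated connections to njRAT's
default port. Added example for this page, not part of the sandbox report;
the report lines below are copied from it, the thresholds are assumptions."""
import re
from collections import Counter
from dataclasses import dataclass

# Copied from the behavioral2 Processes section of the report.
PROCESS_LINES = [
    r"C:\Users\Admin\AppData\Local\Temp\aa0204ead1b751a640af20aa144e0fe6.exe",
    r'"C:\Users\Admin\AppData\Local\Temp\aa0204ead1b751a640af20aa144e0fe6.exe"',
    r"C:\Windows\SysWOW64\netsh.exe",
    r'netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\aa0204ead1b751a640af20aa144e0fe6.exe" "aa0204ead1b751a640af20aa144e0fe6.exe" ENABLE',
]

# Constructed subset of the behavioral2 Network table (Country | Destination | Domain | Proto),
# including one row in the shifted form the extracted page uses for an empty Domain cell.
NETWORK_ROWS = [
    "| US | 138.91.171.81:80 | tcp | |",
    "| US | 8.8.8.8:53 | g.bing.com | udp |",
    "| US | 204.79.197.200:443 | g.bing.com | tcp |",
    "| N/A | 127.0.0.1:1177 | | tcp |",
    "| N/A | 127.0.0.1:1177 | | tcp |",
    "| N/A | 127.0.0.1:1177 | | tcp |",
]

NJRAT_DEFAULT_PORT = 1177  # njRAT builder default C2 port

# Legacy 'netsh firewall add allowedprogram' or 'netsh advfirewall firewall add rule ... action=allow'
FIREWALL_ALLOW_RE = re.compile(
    r"^netsh\s+(?:firewall\s+add\s+allowedprogram|advfirewall\s+firewall\s+add\s+rule\b.*\baction=allow)",
    re.IGNORECASE,
)
QUOTED_EXE_RE = re.compile(r'"([^"]+\.exe)"', re.IGNORECASE)
# Locations a standard user can write to (assumed list); a firewall exception for one is a strong signal
USER_WRITABLE_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\|\\ProgramData\\|\\Temp\\", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


def firewall_findings(cmdlines):
    """Return findings for netsh allow-rules; the first quoted .exe is the allowed program."""
    out = []
    for cmd in cmdlines:
        cmd = cmd.strip()
        if not FIREWALL_ALLOW_RE.match(cmd):
            continue
        exes = QUOTED_EXE_RE.findall(cmd)
        if exes and USER_WRITABLE_RE.search(exes[0]):
            out.append(Finding("firewall_allow_user_writable_exe", exes[0]))
        else:
            out.append(Finding("firewall_allow_rule", cmd))
    return out


def parse_network_rows(rows):
    """Parse table rows to (host, port, domain, proto); repairs the shifted empty-Domain form."""
    parsed = []
    for row in rows:
        cells = [c.strip() for c in row.strip().strip("|").split("|")]
        if len(cells) != 4:
            continue
        country, dest, domain, proto = cells
        if proto == "" and domain.lower() in ("tcp", "udp"):
            domain, proto = "", domain  # extraction put the protocol in the Domain column
        host, _, port = dest.rpartition(":")
        if not port.isdigit():
            continue
        parsed.append((host, int(port), domain, proto.lower()))
    return parsed


def beacon_findings(rows, min_repeats=5):
    """Flag njRAT's default port and any (host, port) contacted min_repeats or more times."""
    counts = Counter((h, p, proto) for h, p, _, proto in parse_network_rows(rows))
    out = []
    for (host, port, proto), n in sorted(counts.items()):
        if proto == "tcp" and port == NJRAT_DEFAULT_PORT:
            where = "loopback" if host.startswith("127.") else host
            out.append(Finding("njrat_default_port", f"{where}:{port} x{n}"))
        elif n >= min_repeats:
            out.append(Finding("repeated_connection", f"{host}:{port}/{proto} x{n}"))
    return out


if __name__ == "__main__":
    for f in firewall_findings(PROCESS_LINES) + beacon_findings(NETWORK_ROWS):
        print(f"{f.rule}: {f.detail}")
```

Run against the report's lines this yields one firewall finding for the Temp-directory executable and one `njrat_default_port` finding marked `loopback`; the loopback destination is worth noting in triage, since a C2 of 127.0.0.1 means the beaconing is unreachable as configured and the sample's real controller, if any, is not visible in this detonation. The `advfirewall` alternative in the regex covers the modern syntax the same technique uses on newer Windows builds.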
Files
memory/460-0-0x0000000074960000-0x0000000075110000-memory.dmp
memory/460-1-0x0000000000500000-0x000000000054A000-memory.dmp
memory/460-2-0x0000000004DA0000-0x0000000004E3C000-memory.dmp
memory/460-3-0x0000000005030000-0x0000000005040000-memory.dmp
memory/460-4-0x0000000002720000-0x0000000002730000-memory.dmp
memory/460-5-0x00000000055F0000-0x0000000005B94000-memory.dmp
memory/460-6-0x00000000051E0000-0x0000000005272000-memory.dmp
memory/460-7-0x0000000005020000-0x000000000502A000-memory.dmp
memory/460-8-0x0000000074960000-0x0000000075110000-memory.dmp
memory/460-9-0x0000000005030000-0x0000000005040000-memory.dmp