Analysis Overview
SHA256
75c8d9e832b0c09c9d183788b062d227fe75fbe1ee62be105762985712ae7d86
Threat Level: Known bad
The file b71db5f9a027a69e4f0873348ebe35c1 was found to be: Known bad.
Malicious Activity Summary
Njrat family
njRAT/Bladabindi
Modifies Windows Firewall
Loads dropped DLL
Executes dropped EXE
Checks computer location settings
Drops startup file
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-06 09:44
Signatures
Njrat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-06 09:44
Reported
2024-03-06 09:47
Platform
win7-20240221-en
Max time kernel
149s
Max time network
124s
Command Line
Signatures
njRAT/Bladabindi
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\158a963e4971d14f9885ad09f8929995Windows Update.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\158a963e4971d14f9885ad09f8929995Windows Update.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b71db5f9a027a69e4f0873348ebe35c1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b71db5f9a027a69e4f0873348ebe35c1.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b71db5f9a027a69e4f0873348ebe35c1.exe
"C:\Users\Admin\AppData\Local\Temp\b71db5f9a027a69e4f0873348ebe35c1.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
Network
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp |
Files
memory/2264-0-0x0000000074020000-0x00000000745CB000-memory.dmp
memory/2264-1-0x0000000074020000-0x00000000745CB000-memory.dmp
memory/2264-2-0x0000000000650000-0x0000000000690000-memory.dmp
\Users\Admin\AppData\Local\Temp\server.exe
| MD5 | b71db5f9a027a69e4f0873348ebe35c1 |
| SHA1 | 05de12c1dea4aa51846b42eeedd77cb7ac76d548 |
| SHA256 | 75c8d9e832b0c09c9d183788b062d227fe75fbe1ee62be105762985712ae7d86 |
| SHA512 | a3ba781734fbb3ffe47ecc728255953a9bef129d96152fb5696b3e9f727d780a661aa904bd536542f0e15f3639a7d4d78070746fd45062ec198d0f1fc35ce5d1 |
memory/2836-15-0x0000000074020000-0x00000000745CB000-memory.dmp
memory/2836-16-0x0000000000240000-0x0000000000280000-memory.dmp
memory/2264-14-0x0000000074020000-0x00000000745CB000-memory.dmp
memory/2836-17-0x0000000074020000-0x00000000745CB000-memory.dmp
C:\Users\Admin\AppData\Roaming\app
| MD5 | 3eb8a6afa534fadc147aa70dea76e863 |
| SHA1 | 03b827d99098f69c9f126679598f7166c99d1624 |
| SHA256 | d3d1d98df443947ab0b52378acbb5f5c21593677b45f0403b3831c93d8be7fca |
| SHA512 | b9d20e1f18dd2dc9a71e436e5c27854196f1f8f0adfbf59aed9d70ab83b88c2c39958720508e87d98f8cb23dcb7bbaa81825406439edcc07b6d2ee310acd4327 |
memory/2836-29-0x0000000074020000-0x00000000745CB000-memory.dmp
memory/2836-30-0x0000000000240000-0x0000000000280000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-06 09:44
Reported
2024-03-06 09:47
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
njRAT/Bladabindi
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\b71db5f9a027a69e4f0873348ebe35c1.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\158a963e4971d14f9885ad09f8929995Windows Update.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\158a963e4971d14f9885ad09f8929995Windows Update.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b71db5f9a027a69e4f0873348ebe35c1.exe
"C:\Users\Admin\AppData\Local\Temp\b71db5f9a027a69e4f0873348ebe35c1.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 187.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| N/A | 127.0.0.1:1604 | tcp | |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| N/A | 127.0.0.1:1604 | tcp | |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| N/A | 127.0.0.1:1604 | tcp | |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.5.17.2.in-addr.arpa | udp |
| N/A | 127.0.0.1:1604 | tcp | |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| US | 8.8.8.8:53 | 176.178.17.96.in-addr.arpa | udp |
| N/A | 127.0.0.1:1604 | tcp | |
| US | 8.8.8.8:53 | 43.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| N/A | 127.0.0.1:1604 | tcp | |
| US | 8.8.8.8:53 | 185.178.17.96.in-addr.arpa | udp |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| US | 8.8.8.8:53 | 211.178.17.96.in-addr.arpa | udp |
| N/A | 127.0.0.1:1604 | tcp | |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| US | 8.8.8.8:53 | udp | |
| GB | 96.17.178.176:80 | tcp |
Files
memory/4524-0-0x00000000750B0000-0x0000000075661000-memory.dmp
memory/4524-1-0x00000000750B0000-0x0000000075661000-memory.dmp
memory/4524-2-0x0000000000C00000-0x0000000000C10000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\server.exe
| MD5 | b71db5f9a027a69e4f0873348ebe35c1 |
| SHA1 | 05de12c1dea4aa51846b42eeedd77cb7ac76d548 |
| SHA256 | 75c8d9e832b0c09c9d183788b062d227fe75fbe1ee62be105762985712ae7d86 |
| SHA512 | a3ba781734fbb3ffe47ecc728255953a9bef129d96152fb5696b3e9f727d780a661aa904bd536542f0e15f3639a7d4d78070746fd45062ec198d0f1fc35ce5d1 |
memory/2312-14-0x00000000750B0000-0x0000000075661000-memory.dmp
memory/4524-13-0x00000000750B0000-0x0000000075661000-memory.dmp
memory/2312-15-0x0000000000F90000-0x0000000000FA0000-memory.dmp
memory/2312-16-0x00000000750B0000-0x0000000075661000-memory.dmp
C:\Users\Admin\AppData\Roaming\app
| MD5 | 3eb8a6afa534fadc147aa70dea76e863 |
| SHA1 | 03b827d99098f69c9f126679598f7166c99d1624 |
| SHA256 | d3d1d98df443947ab0b52378acbb5f5c21593677b45f0403b3831c93d8be7fca |
| SHA512 | b9d20e1f18dd2dc9a71e436e5c27854196f1f8f0adfbf59aed9d70ab83b88c2c39958720508e87d98f8cb23dcb7bbaa81825406439edcc07b6d2ee310acd4327 |
memory/2312-29-0x0000000000F90000-0x0000000000FA0000-memory.dmp
memory/2312-28-0x00000000750B0000-0x0000000075661000-memory.dmp