njrat | 7b64dc11fee888e4ce1a7e23292b7771b6d334589e2d3c133308d3e1b9223b30

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
07/03/2024, 21:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b9bab88f37b74a18b232fd06e16a59be.exe
Size

72KB
MD5

b9bab88f37b74a18b232fd06e16a59be
SHA1

3c8510c55af0e68e466827395edfd2a866365976
SHA256

7b64dc11fee888e4ce1a7e23292b7771b6d334589e2d3c133308d3e1b9223b30
SHA512

8bde608701f79d1de29dc9cb7c35574166eae535b07b4b1d4cd21acc94fa8f1db1df95017e006cd581cd2d66216c2e55c4a50b0e87b24e33b63578c499724385
SSDEEP

1536:s/i0wcTZAVpAP8OhljOhcWPN5GzHac5IX8KgZp6m:s/ilclYpAPhhljOhcWPN5GzHac5TDZQm

Score

10^/10

njrat 비응신 trojan

Malware Config

Extracted

Family

njrat

Botnet

비응신

Mutex

b9afd8f299a5bc13aeb1afc43c0ef568

Attributes

reg_key
b9afd8f299a5bc13aeb1afc43c0ef568

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 1 IoCs

pid	Process
2420	System32.exe

Loads dropped DLL 1 IoCs

pid	Process
2072	InstallUtil.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2268 set thread context of 2072	2268	b9bab88f37b74a18b232fd06e16a59be.exe	28

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2268	b9bab88f37b74a18b232fd06e16a59be.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2268 wrote to memory of 2072	2268	b9bab88f37b74a18b232fd06e16a59be.exe	28
PID 2268 wrote to memory of 2072	2268	b9bab88f37b74a18b232fd06e16a59be.exe	28
PID 2268 wrote to memory of 2072	2268	b9bab88f37b74a18b232fd06e16a59be.exe	28
PID 2268 wrote to memory of 2072	2268	b9bab88f37b74a18b232fd06e16a59be.exe	28
PID 2268 wrote to memory of 2072	2268	b9bab88f37b74a18b232fd06e16a59be.exe	28
PID 2268 wrote to memory of 2072	2268	b9bab88f37b74a18b232fd06e16a59be.exe	28
PID 2268 wrote to memory of 2072	2268	b9bab88f37b74a18b232fd06e16a59be.exe	28
PID 2268 wrote to memory of 2072	2268	b9bab88f37b74a18b232fd06e16a59be.exe	28
PID 2268 wrote to memory of 2072	2268	b9bab88f37b74a18b232fd06e16a59be.exe	28
PID 2268 wrote to memory of 2072	2268	b9bab88f37b74a18b232fd06e16a59be.exe	28
PID 2268 wrote to memory of 2072	2268	b9bab88f37b74a18b232fd06e16a59be.exe	28
PID 2268 wrote to memory of 2072	2268	b9bab88f37b74a18b232fd06e16a59be.exe	28
PID 2072 wrote to memory of 2420	2072	InstallUtil.exe	29
PID 2072 wrote to memory of 2420	2072	InstallUtil.exe	29
PID 2072 wrote to memory of 2420	2072	InstallUtil.exe	29
PID 2072 wrote to memory of 2420	2072	InstallUtil.exe	29
PID 2072 wrote to memory of 2420	2072	InstallUtil.exe	29
PID 2072 wrote to memory of 2420	2072	InstallUtil.exe	29
PID 2072 wrote to memory of 2420	2072	InstallUtil.exe	29

C:\Users\Admin\AppData\Local\Temp\b9bab88f37b74a18b232fd06e16a59be.exe
"C:\Users\Admin\AppData\Local\Temp\b9bab88f37b74a18b232fd06e16a59be.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2072
- - C:\Users\Admin\AppData\Local\Temp\System32.exe
    "C:\Users\Admin\AppData\Local\Temp\System32.exe"
    3⤵
    - Executes dropped EXE
    PID:2420

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\System32.exe

Filesize
40KB

MD5
91c9ae9c9a17a9db5e08b120e668c74c

SHA1
50770954c1ceb0bb6f1d5d3f2de2a0a065773723

SHA256
e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

SHA512
ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

Download Submit
memory/2072-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2072-19-0x00000000717E0000-0x0000000071ECE000-memory.dmp

Filesize
6.9MB

Download
memory/2072-4-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2072-6-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2072-18-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2072-16-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2072-14-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2072-27-0x00000000717E0000-0x0000000071ECE000-memory.dmp

Filesize
6.9MB

Download
memory/2072-8-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2072-10-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2268-2-0x0000000000A80000-0x0000000000AC0000-memory.dmp

Filesize
256KB

Download
memory/2268-20-0x00000000747B0000-0x0000000074D5B000-memory.dmp

Filesize
5.7MB

Download
memory/2268-1-0x00000000747B0000-0x0000000074D5B000-memory.dmp

Filesize
5.7MB

Download
memory/2268-0-0x00000000747B0000-0x0000000074D5B000-memory.dmp

Filesize
5.7MB

Download
memory/2420-29-0x00000000009E0000-0x00000000009EC000-memory.dmp

Filesize
48KB

Download
memory/2420-30-0x00000000745F0000-0x0000000074CDE000-memory.dmp

Filesize
6.9MB

Download
memory/2420-31-0x0000000004860000-0x00000000048A0000-memory.dmp

Filesize
256KB

Download
memory/2420-32-0x00000000745F0000-0x0000000074CDE000-memory.dmp

Filesize
6.9MB

Download