njrat | 7b64dc11fee888e4ce1a7e23292b7771b6d334589e2d3c133308d3e1b9223b30

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
07/03/2024, 21:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b9bab88f37b74a18b232fd06e16a59be.exe
Size

72KB
MD5

b9bab88f37b74a18b232fd06e16a59be
SHA1

3c8510c55af0e68e466827395edfd2a866365976
SHA256

7b64dc11fee888e4ce1a7e23292b7771b6d334589e2d3c133308d3e1b9223b30
SHA512

8bde608701f79d1de29dc9cb7c35574166eae535b07b4b1d4cd21acc94fa8f1db1df95017e006cd581cd2d66216c2e55c4a50b0e87b24e33b63578c499724385
SSDEEP

1536:s/i0wcTZAVpAP8OhljOhcWPN5GzHac5IX8KgZp6m:s/ilclYpAPhhljOhcWPN5GzHac5TDZQm

Score

10^/10

njrat 비응신 trojan

Malware Config

Extracted

Family

njrat

Botnet

비응신

Mutex

b9afd8f299a5bc13aeb1afc43c0ef568

Attributes

reg_key
b9afd8f299a5bc13aeb1afc43c0ef568

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 1 IoCs

pid	Process
4416	System32.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3952 set thread context of 1548	3952	b9bab88f37b74a18b232fd06e16a59be.exe	90

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3952	b9bab88f37b74a18b232fd06e16a59be.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3952 wrote to memory of 1548	3952	b9bab88f37b74a18b232fd06e16a59be.exe	90
PID 3952 wrote to memory of 1548	3952	b9bab88f37b74a18b232fd06e16a59be.exe	90
PID 3952 wrote to memory of 1548	3952	b9bab88f37b74a18b232fd06e16a59be.exe	90
PID 3952 wrote to memory of 1548	3952	b9bab88f37b74a18b232fd06e16a59be.exe	90
PID 3952 wrote to memory of 1548	3952	b9bab88f37b74a18b232fd06e16a59be.exe	90
PID 3952 wrote to memory of 1548	3952	b9bab88f37b74a18b232fd06e16a59be.exe	90
PID 3952 wrote to memory of 1548	3952	b9bab88f37b74a18b232fd06e16a59be.exe	90
PID 3952 wrote to memory of 1548	3952	b9bab88f37b74a18b232fd06e16a59be.exe	90
PID 1548 wrote to memory of 4416	1548	InstallUtil.exe	97
PID 1548 wrote to memory of 4416	1548	InstallUtil.exe	97
PID 1548 wrote to memory of 4416	1548	InstallUtil.exe	97

C:\Users\Admin\AppData\Local\Temp\b9bab88f37b74a18b232fd06e16a59be.exe
"C:\Users\Admin\AppData\Local\Temp\b9bab88f37b74a18b232fd06e16a59be.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3952
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1548
- - C:\Users\Admin\AppData\Local\Temp\System32.exe
    "C:\Users\Admin\AppData\Local\Temp\System32.exe"
    3⤵
    - Executes dropped EXE
    PID:4416

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\System32.exe

Filesize
41KB

MD5
5d4073b2eb6d217c19f2b22f21bf8d57

SHA1
f0209900fbf08d004b886a0b3ba33ea2b0bf9da8

SHA256
ac1a3f21fcc88f9cee7bf51581eafba24cc76c924f0821deb2afdf1080ddf3d3

SHA512
9ac94880684933ba3407cdc135abc3047543436567af14cd9269c4adc5a6535db7b867d6de0d6238a21b94e69f9890dbb5739155871a624520623a7e56872159

Download Submit
memory/1548-7-0x00000000054C0000-0x0000000005A64000-memory.dmp

Filesize
5.6MB

Download
memory/1548-21-0x0000000072620000-0x0000000072DD0000-memory.dmp

Filesize
7.7MB

Download
memory/1548-4-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1548-5-0x0000000004E70000-0x0000000004F0C000-memory.dmp

Filesize
624KB

Download
memory/1548-6-0x0000000072620000-0x0000000072DD0000-memory.dmp

Filesize
7.7MB

Download
memory/3952-1-0x0000000074BF0000-0x00000000751A1000-memory.dmp

Filesize
5.7MB

Download
memory/3952-9-0x0000000074BF0000-0x00000000751A1000-memory.dmp

Filesize
5.7MB

Download
memory/3952-2-0x0000000001490000-0x00000000014A0000-memory.dmp

Filesize
64KB

Download
memory/3952-0-0x0000000074BF0000-0x00000000751A1000-memory.dmp

Filesize
5.7MB

Download
memory/4416-24-0x0000000074AA0000-0x0000000075250000-memory.dmp

Filesize
7.7MB

Download
memory/4416-25-0x0000000000F00000-0x0000000000F1A000-memory.dmp

Filesize
104KB

Download
memory/4416-23-0x00000000004B0000-0x00000000004BC000-memory.dmp

Filesize
48KB

Download
memory/4416-26-0x0000000004F40000-0x0000000004F50000-memory.dmp

Filesize
64KB

Download
memory/4416-28-0x0000000074AA0000-0x0000000075250000-memory.dmp

Filesize
7.7MB

Download