njrat | cceba27592ed89ac5aee405a987a8ab20eeaf221d40f5251148b51e8ed47ec0c

General

Target

23910908180a95387a88c69fc0c39f677591cbb39e236c69270c16cde6b0e1f9.exe
Size

23KB
MD5

185798f33dbbe25c3fc48b808ce8460c
SHA1

80034d0bf3444eb14d2a3a1c45e393580c94213c
SHA256

23910908180a95387a88c69fc0c39f677591cbb39e236c69270c16cde6b0e1f9
SHA512

3351f5122fdb9442c73c175449975ffcc3b286e79331c0e4cdf35d814700745d5dba593842222f093ef5e1a129a5b2eca8c0594d4d1a9036519f9a3ed54ab619
SSDEEP

384:yc6CqbFYh3odrVCGiHssDB4b6i6fgpEupNXRmRvR6JZlbw8hqIusZzZ+a:lIU0tw3Rpcnue

Score

10^/10

njrat max evasion trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

max

C2

lafiro8872-20597.portmap.host:20597

Mutex

90784841b8a7d5d70cbd91c29f323ae6

Attributes

reg_key
90784841b8a7d5d70cbd91c29f323ae6
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

2640 netsh.exe
Executes dropped EXE 1 IoCs

Processes:

IExperian.exe

pid process

840 IExperian.exe
Loads dropped DLL 1 IoCs

Processes:

23910908180a95387a88c69fc0c39f677591cbb39e236c69270c16cde6b0e1f9.exe

pid process

1948 23910908180a95387a88c69fc0c39f677591cbb39e236c69270c16cde6b0e1f9.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2640	netsh.exe

pid	process
840	IExperian.exe

pid	process
1948	23910908180a95387a88c69fc0c39f677591cbb39e236c69270c16cde6b0e1f9.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

IExperian.exe

description	pid	process
Token: SeDebugPrivilege	840	IExperian.exe
Token: 33	840	IExperian.exe
Token: SeIncBasePriorityPrivilege	840	IExperian.exe
Token: 33	840	IExperian.exe
Token: SeIncBasePriorityPrivilege	840	IExperian.exe
Token: 33	840	IExperian.exe
Token: SeIncBasePriorityPrivilege	840	IExperian.exe
Token: 33	840	IExperian.exe
Token: SeIncBasePriorityPrivilege	840	IExperian.exe
Token: 33	840	IExperian.exe
Token: SeIncBasePriorityPrivilege	840	IExperian.exe
Token: 33	840	IExperian.exe
Token: SeIncBasePriorityPrivilege	840	IExperian.exe
Token: 33	840	IExperian.exe
Token: SeIncBasePriorityPrivilege	840	IExperian.exe
Token: 33	840	IExperian.exe
Token: SeIncBasePriorityPrivilege	840	IExperian.exe
Token: 33	840	IExperian.exe
Token: SeIncBasePriorityPrivilege	840	IExperian.exe
Token: 33	840	IExperian.exe
Token: SeIncBasePriorityPrivilege	840	IExperian.exe
Token: 33	840	IExperian.exe
Token: SeIncBasePriorityPrivilege	840	IExperian.exe
Token: 33	840	IExperian.exe
Token: SeIncBasePriorityPrivilege	840	IExperian.exe
Token: 33	840	IExperian.exe
Token: SeIncBasePriorityPrivilege	840	IExperian.exe
Token: 33	840	IExperian.exe
Token: SeIncBasePriorityPrivilege	840	IExperian.exe
Token: 33	840	IExperian.exe
Token: SeIncBasePriorityPrivilege	840	IExperian.exe
Token: 33	840	IExperian.exe
Token: SeIncBasePriorityPrivilege	840	IExperian.exe
Token: 33	840	IExperian.exe
Token: SeIncBasePriorityPrivilege	840	IExperian.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

23910908180a95387a88c69fc0c39f677591cbb39e236c69270c16cde6b0e1f9.exeIExperian.exe

description	pid	process	target process
PID 1948 wrote to memory of 840	1948	23910908180a95387a88c69fc0c39f677591cbb39e236c69270c16cde6b0e1f9.exe	IExperian.exe
PID 1948 wrote to memory of 840	1948	23910908180a95387a88c69fc0c39f677591cbb39e236c69270c16cde6b0e1f9.exe	IExperian.exe
PID 1948 wrote to memory of 840	1948	23910908180a95387a88c69fc0c39f677591cbb39e236c69270c16cde6b0e1f9.exe	IExperian.exe
PID 1948 wrote to memory of 840	1948	23910908180a95387a88c69fc0c39f677591cbb39e236c69270c16cde6b0e1f9.exe	IExperian.exe
PID 840 wrote to memory of 2640	840	IExperian.exe	netsh.exe
PID 840 wrote to memory of 2640	840	IExperian.exe	netsh.exe
PID 840 wrote to memory of 2640	840	IExperian.exe	netsh.exe
PID 840 wrote to memory of 2640	840	IExperian.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\23910908180a95387a88c69fc0c39f677591cbb39e236c69270c16cde6b0e1f9.exe
"C:\Users\Admin\AppData\Local\Temp\23910908180a95387a88c69fc0c39f677591cbb39e236c69270c16cde6b0e1f9.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1948

C:\Users\Admin\AppData\Local\Temp\IExperian.exe
"C:\Users\Admin\AppData\Local\Temp\IExperian.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:840

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\IExperian.exe" "IExperian.exe" ENABLE
3⤵
- Modifies Windows Firewall
PID:2640

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

1

T1562.004

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\IExperian.exe
Filesize
23KB

MD5
185798f33dbbe25c3fc48b808ce8460c

SHA1
80034d0bf3444eb14d2a3a1c45e393580c94213c

SHA256
23910908180a95387a88c69fc0c39f677591cbb39e236c69270c16cde6b0e1f9

SHA512
3351f5122fdb9442c73c175449975ffcc3b286e79331c0e4cdf35d814700745d5dba593842222f093ef5e1a129a5b2eca8c0594d4d1a9036519f9a3ed54ab619

Download Submit
memory/840-12-0x0000000000570000-0x00000000005B0000-memory.dmp

Filesize
256KB

Download
memory/840-11-0x0000000074710000-0x0000000074CBB000-memory.dmp

Filesize
5.7MB

Download
memory/840-13-0x0000000074710000-0x0000000074CBB000-memory.dmp

Filesize
5.7MB

Download
memory/1948-1-0x0000000074710000-0x0000000074CBB000-memory.dmp

Filesize
5.7MB

Download
memory/1948-2-0x0000000001D90000-0x0000000001DD0000-memory.dmp

Filesize
256KB

Download
memory/1948-0-0x0000000074710000-0x0000000074CBB000-memory.dmp

Filesize
5.7MB

Download
memory/1948-10-0x0000000074710000-0x0000000074CBB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing