njrat | 1eebfaa3d4a78af444093bf5e6287445a992b02a522ca12d5d9672ec88204048

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
30/04/2024, 01:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
Size

158KB
MD5

3eb8c476c0abcd01fdb799de83503e12
SHA1

138aa012bb3b20a79aaf016af172a1b3106a7304
SHA256

554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986
SHA512

ed277e52d5348d1401a51f002e9f03bfada6481b2cab827f13fa39d54f5c42d4e4ac6627ced47f98fbc22010b044fb0d09b55c6133fc2746e9e78234975c2f85
SSDEEP

3072:tf/J2ULiTehI8FrkZTFieSzoSUYSziUP0ZMJG:32UL2i9FKFHd4SziUP0

Score

10^/10

njrat mybot evasion trojan upx

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

MyBot

asero23.ddns.net:5552

Mutex

863290bfb622fdfe0ad4e1b97536ae62

Attributes

reg_key
863290bfb622fdfe0ad4e1b97536ae62
splitter
Y262SUCZ4UJJ

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2716	netsh.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2548	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe

Loads dropped DLL 1 IoCs

pid	Process
2216	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2216-0-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/files/0x0008000000015cce-2.dat	upx
behavioral1/memory/2548-37-0x0000000002400000-0x0000000002440000-memory.dmp	upx
behavioral1/memory/2216-35-0x0000000000400000-0x000000000046B000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2216 set thread context of 2548	2216	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe	31

Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2216	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
2216	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe

Suspicious behavior: RenamesItself 2 IoCs

pid	Process
2216	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
2216	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: SeDebugPrivilege	2548	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
Token: 33	2548	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
Token: SeIncBasePriorityPrivilege	2548	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
Token: 33	2548	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
Token: SeIncBasePriorityPrivilege	2548	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
Token: 33	2548	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
Token: SeIncBasePriorityPrivilege	2548	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
Token: 33	2548	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
Token: SeIncBasePriorityPrivilege	2548	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
Token: 33	2548	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
Token: SeIncBasePriorityPrivilege	2548	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
Token: 33	2548	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
Token: SeIncBasePriorityPrivilege	2548	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
Token: 33	2548	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
Token: SeIncBasePriorityPrivilege	2548	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
Token: 33	2548	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
Token: SeIncBasePriorityPrivilege	2548	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
Token: 33	2548	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
Token: SeIncBasePriorityPrivilege	2548	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
Token: 33	2548	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
Token: SeIncBasePriorityPrivilege	2548	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
Token: 33	2548	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
Token: SeIncBasePriorityPrivilege	2548	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
Token: 33	2548	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
Token: SeIncBasePriorityPrivilege	2548	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
Token: 33	2548	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
Token: SeIncBasePriorityPrivilege	2548	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
Token: 33	2548	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
Token: SeIncBasePriorityPrivilege	2548	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
Token: 33	2548	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
Token: SeIncBasePriorityPrivilege	2548	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
Token: 33	2548	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
Token: SeIncBasePriorityPrivilege	2548	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
Token: 33	2548	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
Token: SeIncBasePriorityPrivilege	2548	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2216	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
2216	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 2216 wrote to memory of 2232	2216	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe	28
PID 2216 wrote to memory of 2232	2216	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe	28
PID 2216 wrote to memory of 2232	2216	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe	28
PID 2216 wrote to memory of 2232	2216	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe	28
PID 2216 wrote to memory of 3016	2216	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe	30
PID 2216 wrote to memory of 3016	2216	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe	30
PID 2216 wrote to memory of 3016	2216	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe	30
PID 2216 wrote to memory of 3016	2216	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe	30
PID 2216 wrote to memory of 2548	2216	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe	31
PID 2216 wrote to memory of 2548	2216	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe	31
PID 2216 wrote to memory of 2548	2216	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe	31
PID 2216 wrote to memory of 2548	2216	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe	31
PID 2216 wrote to memory of 2548	2216	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe	31
PID 2216 wrote to memory of 2548	2216	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe	31
PID 2216 wrote to memory of 2548	2216	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe	31
PID 2216 wrote to memory of 2548	2216	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe	31
PID 2216 wrote to memory of 2548	2216	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe	31
PID 2216 wrote to memory of 2548	2216	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe	31
PID 2216 wrote to memory of 2548	2216	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe	31
PID 2216 wrote to memory of 2548	2216	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe	31
PID 2216 wrote to memory of 2548	2216	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe	31
PID 2216 wrote to memory of 2548	2216	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe	31
PID 2216 wrote to memory of 2548	2216	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe	31
PID 3016 wrote to memory of 2588	3016	cmd.exe	33
PID 3016 wrote to memory of 2588	3016	cmd.exe	33
PID 3016 wrote to memory of 2588	3016	cmd.exe	33
PID 3016 wrote to memory of 2588	3016	cmd.exe	33
PID 2588 wrote to memory of 3024	2588	net.exe	34
PID 2588 wrote to memory of 3024	2588	net.exe	34
PID 2588 wrote to memory of 3024	2588	net.exe	34
PID 2588 wrote to memory of 3024	2588	net.exe	34
PID 2548 wrote to memory of 2716	2548	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe	35
PID 2548 wrote to memory of 2716	2548	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe	35
PID 2548 wrote to memory of 2716	2548	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe	35
PID 2548 wrote to memory of 2716	2548	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe	35

C:\Users\Admin\AppData\Local\Temp\554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
"C:\Users\Admin\AppData\Local\Temp\554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2216
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
  2⤵
  - Drops startup file
  PID:2232
- C:\Windows\SysWOW64\cmd.exe
  /c net stop MpsSvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3016
- - C:\Windows\SysWOW64\net.exe
    net stop MpsSvc
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2588
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MpsSvc
      4⤵
      PID:3024
- C:\Users\Admin\AppData\Local\Temp\554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
  C:\Users\Admin\AppData\Local\Temp\554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2548
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe" "554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe

Filesize
104KB

MD5
42ccd69a3be9618d329de0ea0fde3a81

SHA1
47e9897f303496eb9cd5883f9cdb283b6eee65d3

SHA256
14137fcc8697e967b251fd0fafbdf79af8db4c1a67f2eafe53756e3ad80a9bef

SHA512
33d95b20ce606441c89dbc575c8e884196a19db056ffd9d54a5e0c57f3928b0d064b6270e4abf033046606e0456156faba3f3a8e6a353e924a7461e61e46bfae

Download Submit
\Users\Admin\AppData\Local\Temp\554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe

Filesize
158KB

MD5
3eb8c476c0abcd01fdb799de83503e12

SHA1
138aa012bb3b20a79aaf016af172a1b3106a7304

SHA256
554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986

SHA512
ed277e52d5348d1401a51f002e9f03bfada6481b2cab827f13fa39d54f5c42d4e4ac6627ced47f98fbc22010b044fb0d09b55c6133fc2746e9e78234975c2f85

Download Submit
memory/2216-0-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2216-35-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2216-19-0x0000000000470000-0x00000000004DB000-memory.dmp

Filesize
428KB

Download
memory/2548-9-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/2548-26-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/2548-29-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/2548-17-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/2548-11-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/2548-32-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/2548-7-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/2548-15-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/2548-5-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/2548-31-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/2548-22-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/2548-20-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2548-13-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/2548-37-0x0000000002400000-0x0000000002440000-memory.dmp

Filesize
256KB

Download
memory/2548-36-0x0000000073F50000-0x00000000744FB000-memory.dmp

Filesize
5.7MB

Download
memory/2548-38-0x0000000073F50000-0x00000000744FB000-memory.dmp

Filesize
5.7MB

Download
memory/2548-3-0x0000000000300000-0x0000000000400000-memory.dmp

Filesize
1024KB

Download
memory/2548-39-0x0000000073F50000-0x00000000744FB000-memory.dmp

Filesize
5.7MB

Download