njrat | 1eebfaa3d4a78af444093bf5e6287445a992b02a522ca12d5d9672ec88204048

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
30-04-2024 01:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
Size

158KB
MD5

3eb8c476c0abcd01fdb799de83503e12
SHA1

138aa012bb3b20a79aaf016af172a1b3106a7304
SHA256

554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986
SHA512

ed277e52d5348d1401a51f002e9f03bfada6481b2cab827f13fa39d54f5c42d4e4ac6627ced47f98fbc22010b044fb0d09b55c6133fc2746e9e78234975c2f85
SSDEEP

3072:tf/J2ULiTehI8FrkZTFieSzoSUYSziUP0ZMJG:32UL2i9FKFHd4SziUP0

Score

10^/10

njrat mybot evasion trojan upx

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

MyBot

asero23.ddns.net:5552

Mutex

863290bfb622fdfe0ad4e1b97536ae62

Attributes

reg_key
863290bfb622fdfe0ad4e1b97536ae62
splitter
Y262SUCZ4UJJ

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3012	netsh.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
3464	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/220-0-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/files/0x000a000000023b9e-3.dat	upx
behavioral2/memory/220-10-0x0000000000400000-0x000000000046B000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 220 set thread context of 3464	220	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe	90

Runs net.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
220	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
220	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
220	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
220	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe

Suspicious behavior: RenamesItself 2 IoCs

pid	Process
220	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
220	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: SeDebugPrivilege	3464	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
Token: 33	3464	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
Token: SeIncBasePriorityPrivilege	3464	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
Token: 33	3464	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
Token: SeIncBasePriorityPrivilege	3464	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
Token: 33	3464	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
Token: SeIncBasePriorityPrivilege	3464	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
Token: 33	3464	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
Token: SeIncBasePriorityPrivilege	3464	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
Token: 33	3464	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
Token: SeIncBasePriorityPrivilege	3464	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
Token: 33	3464	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
Token: SeIncBasePriorityPrivilege	3464	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
Token: 33	3464	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
Token: SeIncBasePriorityPrivilege	3464	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
Token: 33	3464	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
Token: SeIncBasePriorityPrivilege	3464	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
Token: 33	3464	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
Token: SeIncBasePriorityPrivilege	3464	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
Token: 33	3464	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
Token: SeIncBasePriorityPrivilege	3464	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
Token: 33	3464	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
Token: SeIncBasePriorityPrivilege	3464	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
Token: 33	3464	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
Token: SeIncBasePriorityPrivilege	3464	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
Token: 33	3464	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
Token: SeIncBasePriorityPrivilege	3464	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
Token: 33	3464	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
Token: SeIncBasePriorityPrivilege	3464	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
Token: 33	3464	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
Token: SeIncBasePriorityPrivilege	3464	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
Token: 33	3464	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
Token: SeIncBasePriorityPrivilege	3464	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
Token: 33	3464	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
Token: SeIncBasePriorityPrivilege	3464	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
220	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
220	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 220 wrote to memory of 3948	220	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe	84
PID 220 wrote to memory of 3948	220	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe	84
PID 220 wrote to memory of 3948	220	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe	84
PID 220 wrote to memory of 1204	220	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe	89
PID 220 wrote to memory of 1204	220	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe	89
PID 220 wrote to memory of 1204	220	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe	89
PID 220 wrote to memory of 3464	220	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe	90
PID 220 wrote to memory of 3464	220	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe	90
PID 220 wrote to memory of 3464	220	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe	90
PID 220 wrote to memory of 3464	220	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe	90
PID 220 wrote to memory of 3464	220	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe	90
PID 220 wrote to memory of 3464	220	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe	90
PID 220 wrote to memory of 3464	220	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe	90
PID 220 wrote to memory of 3464	220	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe	90
PID 220 wrote to memory of 3464	220	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe	90
PID 220 wrote to memory of 3464	220	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe	90
PID 220 wrote to memory of 3464	220	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe	90
PID 220 wrote to memory of 3464	220	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe	90
PID 220 wrote to memory of 3464	220	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe	90
PID 1204 wrote to memory of 2324	1204	cmd.exe	92
PID 1204 wrote to memory of 2324	1204	cmd.exe	92
PID 1204 wrote to memory of 2324	1204	cmd.exe	92
PID 2324 wrote to memory of 3192	2324	net.exe	93
PID 2324 wrote to memory of 3192	2324	net.exe	93
PID 2324 wrote to memory of 3192	2324	net.exe	93
PID 3464 wrote to memory of 3012	3464	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe	94
PID 3464 wrote to memory of 3012	3464	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe	94
PID 3464 wrote to memory of 3012	3464	554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe	94

C:\Users\Admin\AppData\Local\Temp\554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
"C:\Users\Admin\AppData\Local\Temp\554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:220
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
  2⤵
  - Drops startup file
  PID:3948
- C:\Windows\SysWOW64\cmd.exe
  /c net stop MpsSvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1204
- - C:\Windows\SysWOW64\net.exe
    net stop MpsSvc
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2324
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MpsSvc
      4⤵
      PID:3192
- C:\Users\Admin\AppData\Local\Temp\554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
  C:\Users\Admin\AppData\Local\Temp\554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3464
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe" "554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    PID:3012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe

Filesize
158KB

MD5
3eb8c476c0abcd01fdb799de83503e12

SHA1
138aa012bb3b20a79aaf016af172a1b3106a7304

SHA256
554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986

SHA512
ed277e52d5348d1401a51f002e9f03bfada6481b2cab827f13fa39d54f5c42d4e4ac6627ced47f98fbc22010b044fb0d09b55c6133fc2746e9e78234975c2f85

Download Submit
C:\Users\Admin\AppData\Local\Temp\554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986.exe

Filesize
104KB

MD5
7bae06cbe364bb42b8c34fcfb90e3ebd

SHA1
79129af7efa46244da0676607242f0a6b7e12e78

SHA256
6ceaebd55b4a542ef64be1d6971fcfe802e67e2027366c52faacc8a8d325ec7a

SHA512
c599b72500a5c17cd5c4a81fcf220a95925aa0e5ad72aa92dd1a469fe6e3c23590c548a0be7ec2c4dbd737511a0a79c1c46436867cf7f0c4df21f8dcea9686cf

Download Submit
memory/220-0-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/220-10-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3464-2-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/3464-6-0x00000000743E0000-0x0000000074991000-memory.dmp

Filesize
5.7MB

Download
memory/3464-8-0x0000000000D90000-0x0000000000DA0000-memory.dmp

Filesize
64KB

Download
memory/3464-7-0x00000000743E0000-0x0000000074991000-memory.dmp

Filesize
5.7MB

Download
memory/3464-11-0x00000000743E0000-0x0000000074991000-memory.dmp

Filesize
5.7MB

Download
memory/3464-12-0x00000000743E0000-0x0000000074991000-memory.dmp

Filesize
5.7MB

Download
memory/3464-13-0x0000000000D90000-0x0000000000DA0000-memory.dmp

Filesize
64KB

Download