njrat | d422eaabc8ad234cbfe79ef20dbbd6386fa5a367c9da869a33cac7379830a6d7

Analysis

max time kernel
121s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
22-05-2024 02:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

pweijn8t8c.exe
Size

31KB
MD5

d16886dc04d9ce85c604088c886b8fd5
SHA1

49653245efb1cfe5eee9b3452bb83c6718ba5c2f
SHA256

d422eaabc8ad234cbfe79ef20dbbd6386fa5a367c9da869a33cac7379830a6d7
SHA512

b1bfa78a37e9e8a957c8ff4203f607e952dfa46e0ff3d22706e0d3d44c10f60a2f24f73559d63c5ad919b06b71920b79f8c6b4fad92d57ff8e49c9732f2f82fc
SSDEEP

768:njMXjwpJbb2zxxO56eqvPisfv8yQmIDUu0tiWmj:ikKdisvQVkQj

Score

10^/10

njrat evasion trojan

Malware Config

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

2320 netsh.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service
T1102

Processes:

flow ioc

2 4.tcp.eu.ngrok.io

pid	process
2320	netsh.exe

flow	ioc
2	4.tcp.eu.ngrok.io

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

pweijn8t8c.exe

description	pid	process
Token: SeDebugPrivilege	1924	pweijn8t8c.exe
Token: 33	1924	pweijn8t8c.exe
Token: SeIncBasePriorityPrivilege	1924	pweijn8t8c.exe
Token: 33	1924	pweijn8t8c.exe
Token: SeIncBasePriorityPrivilege	1924	pweijn8t8c.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

pweijn8t8c.exe

description	pid	process	target process
PID 1924 wrote to memory of 2320	1924	pweijn8t8c.exe	netsh.exe
PID 1924 wrote to memory of 2320	1924	pweijn8t8c.exe	netsh.exe
PID 1924 wrote to memory of 2320	1924	pweijn8t8c.exe	netsh.exe
PID 1924 wrote to memory of 2320	1924	pweijn8t8c.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\pweijn8t8c.exe
"C:\Users\Admin\AppData\Local\Temp\pweijn8t8c.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1924
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\pweijn8t8c.exe" "pweijn8t8c.exe" ENABLE
  2⤵
  - Modifies Windows Firewall
  PID:2320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1924-0-0x0000000074CA1000-0x0000000074CA2000-memory.dmp

Filesize
4KB

Download
memory/1924-1-0x0000000074CA0000-0x000000007524B000-memory.dmp

Filesize
5.7MB

Download
memory/1924-2-0x0000000074CA0000-0x000000007524B000-memory.dmp

Filesize
5.7MB

Download
memory/1924-3-0x0000000074CA0000-0x000000007524B000-memory.dmp

Filesize
5.7MB

Download
memory/1924-4-0x0000000074CA0000-0x000000007524B000-memory.dmp

Filesize
5.7MB

Download
memory/1924-5-0x0000000074CA0000-0x000000007524B000-memory.dmp

Filesize
5.7MB

Download