njrat | d422eaabc8ad234cbfe79ef20dbbd6386fa5a367c9da869a33cac7379830a6d7

General

Target

d422eaabc8ad234cbfe79ef20dbbd6386fa5a367c9da869a33cac7379830a6d7.exe
Size

31KB
MD5

d16886dc04d9ce85c604088c886b8fd5
SHA1

49653245efb1cfe5eee9b3452bb83c6718ba5c2f
SHA256

d422eaabc8ad234cbfe79ef20dbbd6386fa5a367c9da869a33cac7379830a6d7
SHA512

b1bfa78a37e9e8a957c8ff4203f607e952dfa46e0ff3d22706e0d3d44c10f60a2f24f73559d63c5ad919b06b71920b79f8c6b4fad92d57ff8e49c9732f2f82fc
SSDEEP

768:njMXjwpJbb2zxxO56eqvPisfv8yQmIDUu0tiWmj:ikKdisvQVkQj

Score

10^/10

njrat evasion trojan

Malware Config

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

2388 netsh.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service
T1102

Processes:

flow ioc

27 4.tcp.eu.ngrok.io
37 4.tcp.eu.ngrok.io
69 4.tcp.eu.ngrok.io
98 4.tcp.eu.ngrok.io

pid	process
2388	netsh.exe

flow	ioc
27	4.tcp.eu.ngrok.io
37	4.tcp.eu.ngrok.io
69	4.tcp.eu.ngrok.io
98	4.tcp.eu.ngrok.io

Suspicious use of AdjustPrivilegeToken 37 IoCs

Processes:

d422eaabc8ad234cbfe79ef20dbbd6386fa5a367c9da869a33cac7379830a6d7.exe

description	pid	process
Token: SeDebugPrivilege	1192	d422eaabc8ad234cbfe79ef20dbbd6386fa5a367c9da869a33cac7379830a6d7.exe
Token: 33	1192	d422eaabc8ad234cbfe79ef20dbbd6386fa5a367c9da869a33cac7379830a6d7.exe
Token: SeIncBasePriorityPrivilege	1192	d422eaabc8ad234cbfe79ef20dbbd6386fa5a367c9da869a33cac7379830a6d7.exe
Token: 33	1192	d422eaabc8ad234cbfe79ef20dbbd6386fa5a367c9da869a33cac7379830a6d7.exe
Token: SeIncBasePriorityPrivilege	1192	d422eaabc8ad234cbfe79ef20dbbd6386fa5a367c9da869a33cac7379830a6d7.exe
Token: 33	1192	d422eaabc8ad234cbfe79ef20dbbd6386fa5a367c9da869a33cac7379830a6d7.exe
Token: SeIncBasePriorityPrivilege	1192	d422eaabc8ad234cbfe79ef20dbbd6386fa5a367c9da869a33cac7379830a6d7.exe
Token: 33	1192	d422eaabc8ad234cbfe79ef20dbbd6386fa5a367c9da869a33cac7379830a6d7.exe
Token: SeIncBasePriorityPrivilege	1192	d422eaabc8ad234cbfe79ef20dbbd6386fa5a367c9da869a33cac7379830a6d7.exe
Token: 33	1192	d422eaabc8ad234cbfe79ef20dbbd6386fa5a367c9da869a33cac7379830a6d7.exe
Token: SeIncBasePriorityPrivilege	1192	d422eaabc8ad234cbfe79ef20dbbd6386fa5a367c9da869a33cac7379830a6d7.exe
Token: 33	1192	d422eaabc8ad234cbfe79ef20dbbd6386fa5a367c9da869a33cac7379830a6d7.exe
Token: SeIncBasePriorityPrivilege	1192	d422eaabc8ad234cbfe79ef20dbbd6386fa5a367c9da869a33cac7379830a6d7.exe
Token: 33	1192	d422eaabc8ad234cbfe79ef20dbbd6386fa5a367c9da869a33cac7379830a6d7.exe
Token: SeIncBasePriorityPrivilege	1192	d422eaabc8ad234cbfe79ef20dbbd6386fa5a367c9da869a33cac7379830a6d7.exe
Token: 33	1192	d422eaabc8ad234cbfe79ef20dbbd6386fa5a367c9da869a33cac7379830a6d7.exe
Token: SeIncBasePriorityPrivilege	1192	d422eaabc8ad234cbfe79ef20dbbd6386fa5a367c9da869a33cac7379830a6d7.exe
Token: 33	1192	d422eaabc8ad234cbfe79ef20dbbd6386fa5a367c9da869a33cac7379830a6d7.exe
Token: SeIncBasePriorityPrivilege	1192	d422eaabc8ad234cbfe79ef20dbbd6386fa5a367c9da869a33cac7379830a6d7.exe
Token: 33	1192	d422eaabc8ad234cbfe79ef20dbbd6386fa5a367c9da869a33cac7379830a6d7.exe
Token: SeIncBasePriorityPrivilege	1192	d422eaabc8ad234cbfe79ef20dbbd6386fa5a367c9da869a33cac7379830a6d7.exe
Token: 33	1192	d422eaabc8ad234cbfe79ef20dbbd6386fa5a367c9da869a33cac7379830a6d7.exe
Token: SeIncBasePriorityPrivilege	1192	d422eaabc8ad234cbfe79ef20dbbd6386fa5a367c9da869a33cac7379830a6d7.exe
Token: 33	1192	d422eaabc8ad234cbfe79ef20dbbd6386fa5a367c9da869a33cac7379830a6d7.exe
Token: SeIncBasePriorityPrivilege	1192	d422eaabc8ad234cbfe79ef20dbbd6386fa5a367c9da869a33cac7379830a6d7.exe
Token: 33	1192	d422eaabc8ad234cbfe79ef20dbbd6386fa5a367c9da869a33cac7379830a6d7.exe
Token: SeIncBasePriorityPrivilege	1192	d422eaabc8ad234cbfe79ef20dbbd6386fa5a367c9da869a33cac7379830a6d7.exe
Token: 33	1192	d422eaabc8ad234cbfe79ef20dbbd6386fa5a367c9da869a33cac7379830a6d7.exe
Token: SeIncBasePriorityPrivilege	1192	d422eaabc8ad234cbfe79ef20dbbd6386fa5a367c9da869a33cac7379830a6d7.exe
Token: 33	1192	d422eaabc8ad234cbfe79ef20dbbd6386fa5a367c9da869a33cac7379830a6d7.exe
Token: SeIncBasePriorityPrivilege	1192	d422eaabc8ad234cbfe79ef20dbbd6386fa5a367c9da869a33cac7379830a6d7.exe
Token: 33	1192	d422eaabc8ad234cbfe79ef20dbbd6386fa5a367c9da869a33cac7379830a6d7.exe
Token: SeIncBasePriorityPrivilege	1192	d422eaabc8ad234cbfe79ef20dbbd6386fa5a367c9da869a33cac7379830a6d7.exe
Token: 33	1192	d422eaabc8ad234cbfe79ef20dbbd6386fa5a367c9da869a33cac7379830a6d7.exe
Token: SeIncBasePriorityPrivilege	1192	d422eaabc8ad234cbfe79ef20dbbd6386fa5a367c9da869a33cac7379830a6d7.exe
Token: 33	1192	d422eaabc8ad234cbfe79ef20dbbd6386fa5a367c9da869a33cac7379830a6d7.exe
Token: SeIncBasePriorityPrivilege	1192	d422eaabc8ad234cbfe79ef20dbbd6386fa5a367c9da869a33cac7379830a6d7.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

d422eaabc8ad234cbfe79ef20dbbd6386fa5a367c9da869a33cac7379830a6d7.exe

description	pid	process	target process
PID 1192 wrote to memory of 2388	1192	d422eaabc8ad234cbfe79ef20dbbd6386fa5a367c9da869a33cac7379830a6d7.exe	netsh.exe
PID 1192 wrote to memory of 2388	1192	d422eaabc8ad234cbfe79ef20dbbd6386fa5a367c9da869a33cac7379830a6d7.exe	netsh.exe
PID 1192 wrote to memory of 2388	1192	d422eaabc8ad234cbfe79ef20dbbd6386fa5a367c9da869a33cac7379830a6d7.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\d422eaabc8ad234cbfe79ef20dbbd6386fa5a367c9da869a33cac7379830a6d7.exe
"C:\Users\Admin\AppData\Local\Temp\d422eaabc8ad234cbfe79ef20dbbd6386fa5a367c9da869a33cac7379830a6d7.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1192

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\d422eaabc8ad234cbfe79ef20dbbd6386fa5a367c9da869a33cac7379830a6d7.exe" "d422eaabc8ad234cbfe79ef20dbbd6386fa5a367c9da869a33cac7379830a6d7.exe" ENABLE
2⤵
- Modifies Windows Firewall
PID:2388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

1

T1562.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1192-0-0x0000000075012000-0x0000000075013000-memory.dmp

Filesize
4KB

Download
memory/1192-1-0x0000000075010000-0x00000000755C1000-memory.dmp

Filesize
5.7MB

Download
memory/1192-2-0x0000000075010000-0x00000000755C1000-memory.dmp

Filesize
5.7MB

Download
memory/1192-3-0x0000000075012000-0x0000000075013000-memory.dmp

Filesize
4KB

Download
memory/1192-4-0x0000000075010000-0x00000000755C1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing