Malware Analysis Report

2025-01-22 13:51

Sample ID 240823-phm9fatbnb
Target neverlose injector.exe
SHA256 2e2ff15dba6cd1020b58b08bcdcd1a0cd1a12661baf98bba03f4becc9b8d7a6b
Tags hacked njrat discovery trojan
Score 10/10

Analysis Overview

Score
10/10

SHA256

2e2ff15dba6cd1020b58b08bcdcd1a0cd1a12661baf98bba03f4becc9b8d7a6b

Threat Level: Known bad

The file neverlose injector.exe was found to be: Known bad.

Malicious Activity Summary

hacked njrat discovery trojan

Njrat family

njRAT/Bladabindi

Unsigned PE

System Location Discovery: System Language Discovery

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Analysis: static1

Detonation Overview

Reported

2024-08-23 12:19

Signatures

Njrat family

njrat

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-23 12:19

Reported

2024-08-23 12:21

Platform

win11-20240802-en

Max time kernel

93s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\neverlose injector.exe"

Signatures

njRAT/Bladabindi

trojan njrat

System Location Discovery: System Language Discovery

discovery
Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\Users\Admin\AppData\Local\Temp\neverlose injector.exe
Target: N/A

Modifies registry class

Description: Key created
Indicator: \REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\MuiCache
Process: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
Target: N/A

Suspicious behavior: GetForegroundWindowSpam

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\neverlose injector.exe
Target: N/A

Suspicious use of AdjustPrivilegeToken

Description: Token: SeDebugPrivilege
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\neverlose injector.exe
Target: N/A

Description: Token: 33
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\neverlose injector.exe
Target: N/A

Description: Token: SeIncBasePriorityPrivilege
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\neverlose injector.exe
Target: N/A

Suspicious use of SetWindowsHookEx

Description: N/A
Indicator: N/A
Process: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\neverlose injector.exe

"C:\Users\Admin\AppData\Local\Temp\neverlose injector.exe"

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Network

Country Destination Domain Proto
GB 104.86.110.122:443 tcp
GB 92.123.142.179:443 r.bing.com tcp
N/A 127.0.0.1:5552 tcp
US 20.42.73.26:443 browser.pipe.aria.microsoft.com tcp
US 20.140.151.75:443 fp-afd.azureedge.us tcp
US 13.107.253.64:443 fp-afd.azureedge.net tcp
US 152.199.19.161:443 fp-vs-nocache.azureedge.net tcp
US 8.8.8.8:53 64.253.107.13.in-addr.arpa udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 52.111.227.13:443 tcp

Files

memory/2328-0-0x0000000074FBE000-0x0000000074FBF000-memory.dmp

memory/2328-1-0x0000000000920000-0x0000000000932000-memory.dmp

memory/2328-2-0x00000000053C0000-0x000000000545C000-memory.dmp

memory/2328-3-0x0000000005CF0000-0x0000000006296000-memory.dmp

memory/2328-4-0x0000000074FB0000-0x0000000075761000-memory.dmp

memory/2328-5-0x00000000057E0000-0x0000000005872000-memory.dmp

memory/2328-6-0x00000000054A0000-0x00000000054AA000-memory.dmp

memory/2328-7-0x0000000074FBE000-0x0000000074FBF000-memory.dmp

memory/2328-8-0x0000000074FB0000-0x0000000075761000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

MD5 3e1f5eeae74491d8850ef2c8b03a9a3b
SHA1 0c02c9c2550107de6dd0eb740ac5668f292883c0
SHA256 66756c0edf3925de7bcb685385e2a4f0b854cffd796a9e90eb1ed064b1fb0e30
SHA512 7637f0807d88dbceeb68823a044583e2248ac1ba73c000da6560f94075635a27d15970df7e52f8315bdc2f1c45cff6f1ab7690e916b58307a533f8df24329c2a

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

MD5 26d98b946f17c556ed48590e1e6afa3a
SHA1 e8f42f8fc64a498a5549da2a7e687f65346ebf84
SHA256 b2b3884625d0b3bc36888649d7c3a9187a29aa782fa68a3dd5ddf82f19ed9f91
SHA512 f09c4a67232efa5cf2a66bae57a2222b89fb45700da028a37598fa6b3cb760a8a84609a4ac91d4b314bc5e32f5f5d198d048ffdb9804b38d93e741a87285884e