Malware Analysis Report

2025-03-15 06:24

Sample ID 240927-n3j7va1emr
Target e4a773a3fd811af52ce9a7ad8fd62b6ad4d982feca495c3f36628eaa5d1dc855N
SHA256 e4a773a3fd811af52ce9a7ad8fd62b6ad4d982feca495c3f36628eaa5d1dc855
Tags
njrat hacked evasion persistence privilege_escalation trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e4a773a3fd811af52ce9a7ad8fd62b6ad4d982feca495c3f36628eaa5d1dc855

Threat Level: Known bad

The file e4a773a3fd811af52ce9a7ad8fd62b6ad4d982feca495c3f36628eaa5d1dc855N was found to be: Known bad.

Malicious Activity Summary

njrat hacked evasion persistence privilege_escalation trojan

njRAT/Bladabindi

Modifies Windows Firewall

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Event Triggered Execution: Netsh Helper DLL

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-27 11:55

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-27 11:55

Reported

2024-09-27 11:57

Platform

win7-20240729-en

Max time kernel

119s

Max time network

16s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e4a773a3fd811af52ce9a7ad8fd62b6ad4d982feca495c3f36628eaa5d1dc855N.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\279f6960ed84a752570aca7fb2dc1552 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\279f6960ed84a752570aca7fb2dc1552 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." C:\Users\Admin\AppData\Local\Temp\server.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e4a773a3fd811af52ce9a7ad8fd62b6ad4d982feca495c3f36628eaa5d1dc855N.exe

"C:\Users\Admin\AppData\Local\Temp\e4a773a3fd811af52ce9a7ad8fd62b6ad4d982feca495c3f36628eaa5d1dc855N.exe"

C:\Users\Admin\AppData\Local\Temp\server.exe

"C:\Users\Admin\AppData\Local\Temp\server.exe"

C:\Windows\system32\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE

Network

Country Destination Domain Proto
N/A 127.0.0.1:5552 tcp
N/A 127.0.0.1:5552 tcp
N/A 127.0.0.1:5552 tcp
N/A 127.0.0.1:5552 tcp
N/A 127.0.0.1:5552 tcp
N/A 127.0.0.1:5552 tcp
N/A 127.0.0.1:5552 tcp
N/A 127.0.0.1:5552 tcp
N/A 127.0.0.1:5552 tcp
N/A 127.0.0.1:5552 tcp
N/A 127.0.0.1:5552 tcp
N/A 127.0.0.1:5552 tcp
N/A 127.0.0.1:5552 tcp
N/A 127.0.0.1:5552 tcp
N/A 127.0.0.1:5552 tcp
N/A 127.0.0.1:5552 tcp
N/A 127.0.0.1:5552 tcp
N/A 127.0.0.1:5552 tcp
N/A 127.0.0.1:5552 tcp
N/A 127.0.0.1:5552 tcp
N/A 127.0.0.1:5552 tcp
N/A 127.0.0.1:5552 tcp
N/A 127.0.0.1:5552 tcp
N/A 127.0.0.1:5552 tcp
N/A 127.0.0.1:5552 tcp
N/A 127.0.0.1:5552 tcp
N/A 127.0.0.1:5552 tcp
N/A 127.0.0.1:5552 tcp
N/A 127.0.0.1:5552 tcp
N/A 127.0.0.1:5552 tcp
N/A 127.0.0.1:5552 tcp
N/A 127.0.0.1:5552 tcp
N/A 127.0.0.1:5552 tcp
N/A 127.0.0.1:5552 tcp
N/A 127.0.0.1:5552 tcp

Files

memory/2652-0-0x000007FEF5BCE000-0x000007FEF5BCF000-memory.dmp

memory/2652-1-0x000007FEF5910000-0x000007FEF62AD000-memory.dmp

memory/2652-2-0x0000000000420000-0x000000000042C000-memory.dmp

memory/2652-3-0x000007FEF5910000-0x000007FEF62AD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\server.exe

MD5 c74de5c9d74cc46305a5b548b70e94d0
SHA1 ffe5388c48ec856a62c9269e7bb51cfd5c352317
SHA256 e4a773a3fd811af52ce9a7ad8fd62b6ad4d982feca495c3f36628eaa5d1dc855
SHA512 94ca7cee4ebbf3a4334925c775f843c38ec4f3d5eb1c1d5d75aa941639d93c5851ac080edd5227650824d82c98cb8a054efc09f135d4b3b1b0fc98765c00cba0

memory/2192-10-0x000007FEF5910000-0x000007FEF62AD000-memory.dmp

memory/2652-9-0x000007FEF5910000-0x000007FEF62AD000-memory.dmp

memory/2192-11-0x000007FEF5910000-0x000007FEF62AD000-memory.dmp

memory/2192-12-0x000007FEF5910000-0x000007FEF62AD000-memory.dmp

memory/2192-13-0x000007FEF5910000-0x000007FEF62AD000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-27 11:55

Reported

2024-09-27 11:57

Platform

win10v2004-20240802-en

Max time kernel

119s

Max time network

108s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e4a773a3fd811af52ce9a7ad8fd62b6ad4d982feca495c3f36628eaa5d1dc855N.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\e4a773a3fd811af52ce9a7ad8fd62b6ad4d982feca495c3f36628eaa5d1dc855N.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\279f6960ed84a752570aca7fb2dc1552 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\279f6960ed84a752570aca7fb2dc1552 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." C:\Users\Admin\AppData\Local\Temp\server.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\SYSTEM32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\SYSTEM32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\SYSTEM32\netsh.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e4a773a3fd811af52ce9a7ad8fd62b6ad4d982feca495c3f36628eaa5d1dc855N.exe

"C:\Users\Admin\AppData\Local\Temp\e4a773a3fd811af52ce9a7ad8fd62b6ad4d982feca495c3f36628eaa5d1dc855N.exe"

C:\Users\Admin\AppData\Local\Temp\server.exe

"C:\Users\Admin\AppData\Local\Temp\server.exe"

C:\Windows\SYSTEM32\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 100.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
N/A 127.0.0.1:5552 tcp
N/A 127.0.0.1:5552 tcp
N/A 127.0.0.1:5552 tcp
N/A 127.0.0.1:5552 tcp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
N/A 127.0.0.1:5552 tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
N/A 127.0.0.1:5552 tcp
N/A 127.0.0.1:5552 tcp
N/A 127.0.0.1:5552 tcp
N/A 127.0.0.1:5552 tcp
N/A 127.0.0.1:5552 tcp
N/A 127.0.0.1:5552 tcp
N/A 127.0.0.1:5552 tcp
N/A 127.0.0.1:5552 tcp
N/A 127.0.0.1:5552 tcp
N/A 127.0.0.1:5552 tcp
N/A 127.0.0.1:5552 tcp
N/A 127.0.0.1:5552 tcp
N/A 127.0.0.1:5552 tcp
N/A 127.0.0.1:5552 tcp
N/A 127.0.0.1:5552 tcp
N/A 127.0.0.1:5552 tcp
N/A 127.0.0.1:5552 tcp
N/A 127.0.0.1:5552 tcp
N/A 127.0.0.1:5552 tcp
N/A 127.0.0.1:5552 tcp
N/A 127.0.0.1:5552 tcp

Files

memory/812-0-0x00007FFE70CD5000-0x00007FFE70CD6000-memory.dmp

memory/812-1-0x000000001B740000-0x000000001B7E6000-memory.dmp

memory/812-2-0x00007FFE70A20000-0x00007FFE713C1000-memory.dmp

memory/812-3-0x00007FFE70A20000-0x00007FFE713C1000-memory.dmp

memory/812-4-0x000000001B6B0000-0x000000001B6BC000-memory.dmp

memory/812-5-0x000000001BCC0000-0x000000001C18E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\server.exe

MD5 c74de5c9d74cc46305a5b548b70e94d0
SHA1 ffe5388c48ec856a62c9269e7bb51cfd5c352317
SHA256 e4a773a3fd811af52ce9a7ad8fd62b6ad4d982feca495c3f36628eaa5d1dc855
SHA512 94ca7cee4ebbf3a4334925c775f843c38ec4f3d5eb1c1d5d75aa941639d93c5851ac080edd5227650824d82c98cb8a054efc09f135d4b3b1b0fc98765c00cba0

memory/4484-18-0x00007FFE70A20000-0x00007FFE713C1000-memory.dmp

memory/812-19-0x00007FFE70A20000-0x00007FFE713C1000-memory.dmp

memory/4484-20-0x00007FFE70A20000-0x00007FFE713C1000-memory.dmp

memory/4484-21-0x00007FFE70A20000-0x00007FFE713C1000-memory.dmp

memory/4484-22-0x000000001C8F0000-0x000000001C98C000-memory.dmp

memory/4484-23-0x00000000017F0000-0x00000000017F8000-memory.dmp

memory/4484-24-0x00007FFE70A20000-0x00007FFE713C1000-memory.dmp