Malware Analysis Report

2025-03-15 06:23

Sample ID: 241004-h5tw6svfme
Target: 3b9380136a78bbcaddb4b35df124ff4bc6843448b663435e74208f2f8e443649N
SHA256: 3b9380136a78bbcaddb4b35df124ff4bc6843448b663435e74208f2f8e443649
Tags: njrat hacked discovery evasion persistence privilege_escalation trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK: Enterprise Matrix V15
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 10/10

SHA256: 3b9380136a78bbcaddb4b35df124ff4bc6843448b663435e74208f2f8e443649

Threat Level: Known bad

The file 3b9380136a78bbcaddb4b35df124ff4bc6843448b663435e74208f2f8e443649N was found to be: Known bad.

Malicious Activity Summary

njrat hacked discovery evasion persistence privilege_escalation trojan

njRAT/Bladabindi

Modifies Windows Firewall

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Event Triggered Execution: Netsh Helper DLL

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-10-04 07:19

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-10-04 07:19
Reported: 2024-10-04 07:21
Platform: win7-20240903-en
Max time kernel: 119s
Max time network: 116s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3b9380136a78bbcaddb4b35df124ff4bc6843448b663435e74208f2f8e443649N.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Modifies Windows Firewall

evasion

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\634.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\634.exe | N/A

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\42b6019350ac5d33a1fa8d0a74849f88 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\42b6019350ac5d33a1fa8d0a74849f88 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation

Description | Indicator | Process | Target
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A
Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A
Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\634.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 548 wrote to memory of 1052 | N/A | C:\Users\Admin\AppData\Local\Temp\3b9380136a78bbcaddb4b35df124ff4bc6843448b663435e74208f2f8e443649N.exe | C:\Users\Admin\AppData\Local\Temp\634.exe
PID 548 wrote to memory of 1052 | N/A | C:\Users\Admin\AppData\Local\Temp\3b9380136a78bbcaddb4b35df124ff4bc6843448b663435e74208f2f8e443649N.exe | C:\Users\Admin\AppData\Local\Temp\634.exe
PID 548 wrote to memory of 1052 | N/A | C:\Users\Admin\AppData\Local\Temp\3b9380136a78bbcaddb4b35df124ff4bc6843448b663435e74208f2f8e443649N.exe | C:\Users\Admin\AppData\Local\Temp\634.exe
PID 548 wrote to memory of 1052 | N/A | C:\Users\Admin\AppData\Local\Temp\3b9380136a78bbcaddb4b35df124ff4bc6843448b663435e74208f2f8e443649N.exe | C:\Users\Admin\AppData\Local\Temp\634.exe
PID 1052 wrote to memory of 1808 | N/A | C:\Users\Admin\AppData\Local\Temp\634.exe | C:\Users\Admin\AppData\Local\Temp\server.exe
PID 1052 wrote to memory of 1808 | N/A | C:\Users\Admin\AppData\Local\Temp\634.exe | C:\Users\Admin\AppData\Local\Temp\server.exe
PID 1052 wrote to memory of 1808 | N/A | C:\Users\Admin\AppData\Local\Temp\634.exe | C:\Users\Admin\AppData\Local\Temp\server.exe
PID 1052 wrote to memory of 1808 | N/A | C:\Users\Admin\AppData\Local\Temp\634.exe | C:\Users\Admin\AppData\Local\Temp\server.exe
PID 1808 wrote to memory of 2812 | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | C:\Windows\SysWOW64\netsh.exe
PID 1808 wrote to memory of 2812 | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | C:\Windows\SysWOW64\netsh.exe
PID 1808 wrote to memory of 2812 | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | C:\Windows\SysWOW64\netsh.exe
PID 1808 wrote to memory of 2812 | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | C:\Windows\SysWOW64\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3b9380136a78bbcaddb4b35df124ff4bc6843448b663435e74208f2f8e443649N.exe

"C:\Users\Admin\AppData\Local\Temp\3b9380136a78bbcaddb4b35df124ff4bc6843448b663435e74208f2f8e443649N.exe"

C:\Users\Admin\AppData\Local\Temp\634.exe

C:\Users\Admin\AppData\Local\Temp\634.exe

C:\Users\Admin\AppData\Local\Temp\server.exe

"C:\Users\Admin\AppData\Local\Temp\server.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | ngm.ddns.net | udp
EG | 197.56.124.218:6060 | ngm.ddns.net | tcp
EG | 197.56.124.218:6060 | ngm.ddns.net | tcp
EG | 197.56.124.218:6060 | ngm.ddns.net | tcp
EG | 197.56.124.218:6060 | ngm.ddns.net | tcp
EG | 197.56.124.218:6060 | ngm.ddns.net | tcp
EG | 197.56.124.218:6060 | ngm.ddns.net | tcp
EG | 197.56.124.218:6060 | ngm.ddns.net | tcp
EG | 197.56.124.218:6060 | ngm.ddns.net | tcp
EG | 197.56.124.218:6060 | ngm.ddns.net | tcp
EG | 197.56.124.218:6060 | ngm.ddns.net | tcp
EG | 197.56.124.218:6060 | ngm.ddns.net | tcp
EG | 197.56.124.218:6060 | ngm.ddns.net | tcp
EG | 197.56.124.218:6060 | ngm.ddns.net | tcp
EG | 197.56.124.218:6060 | ngm.ddns.net | tcp
EG | 197.56.124.218:6060 | ngm.ddns.net | tcp
EG | 197.56.124.218:6060 | ngm.ddns.net | tcp
US | 8.8.8.8:53 | ngm.ddns.net | udp
EG | 197.56.124.218:6060 | ngm.ddns.net | tcp
EG | 197.56.124.218:6060 | ngm.ddns.net | tcp
EG | 197.56.124.218:6060 | ngm.ddns.net | tcp
EG | 197.56.124.218:6060 | ngm.ddns.net | tcp
EG | 197.56.124.218:6060 | ngm.ddns.net | tcp
EG | 197.56.124.218:6060 | ngm.ddns.net | tcp
EG | 197.56.124.218:6060 | ngm.ddns.net | tcp
EG | 197.56.124.218:6060 | ngm.ddns.net | tcp
EG | 197.56.124.218:6060 | ngm.ddns.net | tcp
EG | 197.56.124.218:6060 | ngm.ddns.net | tcp

Files

memory/548-0-0x000007FEF602E000-0x000007FEF602F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\634.exe

MD5 0d8a343211304f814f65335471e575ee
SHA1 d1ab93fd810e66c3d907c90e9453b32a643745ce
SHA256 a21da1a7600570c13dd498a96168563683f1606ee0ea79e934aafff7d78f4fad
SHA512 0d0a86604b41a06f090d9e2c51a3c27e4ed33b82379861b612a89f00cda5f135854ce0be62ac029cd44ea2b7bc3f3e4ff18a1cdce65fe97f0da9e0afe61ea7db

memory/548-6-0x000007FEF5D70000-0x000007FEF670D000-memory.dmp

memory/1052-8-0x0000000074712000-0x0000000074714000-memory.dmp

memory/1052-7-0x0000000002210000-0x0000000002250000-memory.dmp

memory/1052-9-0x0000000074710000-0x0000000074CBB000-memory.dmp

memory/1052-17-0x0000000074710000-0x0000000074CBB000-memory.dmp

memory/548-18-0x000007FEF5D70000-0x000007FEF670D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-10-04 07:19
Reported: 2024-10-04 07:21
Platform: win10v2004-20240802-en
Max time kernel: 119s
Max time network: 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3b9380136a78bbcaddb4b35df124ff4bc6843448b663435e74208f2f8e443649N.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Modifies Windows Firewall

evasion

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\856.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\856.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\42b6019350ac5d33a1fa8d0a74849f88 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\42b6019350ac5d33a1fa8d0a74849f88 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\856.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3b9380136a78bbcaddb4b35df124ff4bc6843448b663435e74208f2f8e443649N.exe

"C:\Users\Admin\AppData\Local\Temp\3b9380136a78bbcaddb4b35df124ff4bc6843448b663435e74208f2f8e443649N.exe"

C:\Users\Admin\AppData\Local\Temp\856.exe

C:\Users\Admin\AppData\Local\Temp\856.exe

C:\Users\Admin\AppData\Local\Temp\server.exe

"C:\Users\Admin\AppData\Local\Temp\server.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | ngm.ddns.net | udp
EG | 197.56.124.218:6060 | ngm.ddns.net | tcp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
EG | 197.56.124.218:6060 | ngm.ddns.net | tcp
EG | 197.56.124.218:6060 | ngm.ddns.net | tcp
US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp
EG | 197.56.124.218:6060 | ngm.ddns.net | tcp
EG | 197.56.124.218:6060 | ngm.ddns.net | tcp
EG | 197.56.124.218:6060 | ngm.ddns.net | tcp
EG | 197.56.124.218:6060 | ngm.ddns.net | tcp
EG | 197.56.124.218:6060 | ngm.ddns.net | tcp
EG | 197.56.124.218:6060 | ngm.ddns.net | tcp
EG | 197.56.124.218:6060 | ngm.ddns.net | tcp
US | 52.111.227.11:443 | N/A | tcp
EG | 197.56.124.218:6060 | ngm.ddns.net | tcp
EG | 197.56.124.218:6060 | ngm.ddns.net | tcp
US | 8.8.8.8:53 | ngm.ddns.net | udp
EG | 197.56.124.218:6060 | ngm.ddns.net | tcp
EG | 197.56.124.218:6060 | ngm.ddns.net | tcp
EG | 197.56.124.218:6060 | ngm.ddns.net | tcp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
EG | 197.56.124.218:6060 | ngm.ddns.net | tcp
EG | 197.56.124.218:6060 | ngm.ddns.net | tcp
EG | 197.56.124.218:6060 | ngm.ddns.net | tcp
EG | 197.56.124.218:6060 | ngm.ddns.net | tcp
EG | 197.56.124.218:6060 | ngm.ddns.net | tcp

Files

memory/1476-0-0x00007FFB1CC15000-0x00007FFB1CC16000-memory.dmp

memory/1476-1-0x000000001B470000-0x000000001B516000-memory.dmp

memory/1476-2-0x00007FFB1C960000-0x00007FFB1D301000-memory.dmp

memory/1476-4-0x00007FFB1C960000-0x00007FFB1D301000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\856.exe

MD5 0d8a343211304f814f65335471e575ee
SHA1 d1ab93fd810e66c3d907c90e9453b32a643745ce
SHA256 a21da1a7600570c13dd498a96168563683f1606ee0ea79e934aafff7d78f4fad
SHA512 0d0a86604b41a06f090d9e2c51a3c27e4ed33b82379861b612a89f00cda5f135854ce0be62ac029cd44ea2b7bc3f3e4ff18a1cdce65fe97f0da9e0afe61ea7db

memory/3556-8-0x0000000074D32000-0x0000000074D33000-memory.dmp

memory/3556-9-0x0000000074D30000-0x00000000752E1000-memory.dmp

memory/3556-10-0x0000000074D30000-0x00000000752E1000-memory.dmp

memory/1476-11-0x00007FFB1C960000-0x00007FFB1D301000-memory.dmp

memory/1476-18-0x00007FFB1C960000-0x00007FFB1D301000-memory.dmp

memory/392-23-0x0000000074D30000-0x00000000752E1000-memory.dmp

memory/392-24-0x0000000074D30000-0x00000000752E1000-memory.dmp

memory/3556-25-0x0000000074D30000-0x00000000752E1000-memory.dmp

memory/392-26-0x0000000074D30000-0x00000000752E1000-memory.dmp