njrat | ec52b8ac65ba4eb74edac6e6887c800aa61f6512e0285203c41cad16f789a3fb

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2025 08:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Payload.exe
Size

55KB
MD5

b6ccfd0a35caa6167c261e548c19108b
SHA1

e594da96bfc5c60324eaac21198d820fdc7f547b
SHA256

ec52b8ac65ba4eb74edac6e6887c800aa61f6512e0285203c41cad16f789a3fb
SHA512

318747d13eef0ffbcc29a09e3666a7671318186f7f1da45d46c950fabca35d4eee77c705e2ac397eae4edab101e862fb23182c50d2b74f49369833fda988d2c8
SSDEEP

1536:lWDM8Dn+QNoB4vZ9Vk7dwmuXKDCwsNMD+XExI3pm7m:wI8Dn+nWTVk7umuXKDCwsNMD+XExI3pm

Score

10^/10

njrat discovery trojan

Malware Config

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Payload.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
532	Payload.exe
532	Payload.exe
532	Payload.exe
532	Payload.exe
532	Payload.exe
532	Payload.exe
532	Payload.exe
532	Payload.exe
532	Payload.exe
532	Payload.exe
532	Payload.exe
532	Payload.exe
532	Payload.exe
532	Payload.exe
532	Payload.exe
532	Payload.exe
532	Payload.exe
532	Payload.exe
532	Payload.exe
532	Payload.exe
532	Payload.exe
532	Payload.exe
532	Payload.exe
532	Payload.exe
532	Payload.exe
532	Payload.exe
532	Payload.exe
532	Payload.exe
532	Payload.exe
532	Payload.exe
532	Payload.exe
532	Payload.exe
532	Payload.exe
532	Payload.exe
532	Payload.exe
532	Payload.exe
532	Payload.exe
532	Payload.exe
532	Payload.exe
532	Payload.exe
532	Payload.exe
532	Payload.exe
532	Payload.exe
532	Payload.exe
532	Payload.exe
532	Payload.exe
532	Payload.exe
532	Payload.exe
532	Payload.exe
532	Payload.exe
532	Payload.exe
532	Payload.exe
532	Payload.exe
532	Payload.exe
532	Payload.exe
532	Payload.exe
532	Payload.exe
532	Payload.exe
532	Payload.exe
532	Payload.exe
532	Payload.exe
532	Payload.exe
532	Payload.exe
532	Payload.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

description	pid	Process
Token: SeDebugPrivilege	532	Payload.exe
Token: 33	532	Payload.exe
Token: SeIncBasePriorityPrivilege	532	Payload.exe
Token: 33	532	Payload.exe
Token: SeIncBasePriorityPrivilege	532	Payload.exe
Token: 33	532	Payload.exe
Token: SeIncBasePriorityPrivilege	532	Payload.exe
Token: 33	532	Payload.exe
Token: SeIncBasePriorityPrivilege	532	Payload.exe
Token: 33	532	Payload.exe
Token: SeIncBasePriorityPrivilege	532	Payload.exe
Token: 33	532	Payload.exe
Token: SeIncBasePriorityPrivilege	532	Payload.exe
Token: 33	532	Payload.exe
Token: SeIncBasePriorityPrivilege	532	Payload.exe
Token: 33	532	Payload.exe
Token: SeIncBasePriorityPrivilege	532	Payload.exe
Token: 33	532	Payload.exe
Token: SeIncBasePriorityPrivilege	532	Payload.exe
Token: 33	532	Payload.exe
Token: SeIncBasePriorityPrivilege	532	Payload.exe
Token: 33	532	Payload.exe
Token: SeIncBasePriorityPrivilege	532	Payload.exe
Token: 33	532	Payload.exe
Token: SeIncBasePriorityPrivilege	532	Payload.exe
Token: 33	532	Payload.exe
Token: SeIncBasePriorityPrivilege	532	Payload.exe
Token: 33	532	Payload.exe
Token: SeIncBasePriorityPrivilege	532	Payload.exe
Token: 33	532	Payload.exe
Token: SeIncBasePriorityPrivilege	532	Payload.exe
Token: 33	532	Payload.exe
Token: SeIncBasePriorityPrivilege	532	Payload.exe
Token: 33	532	Payload.exe
Token: SeIncBasePriorityPrivilege	532	Payload.exe
Token: 33	532	Payload.exe
Token: SeIncBasePriorityPrivilege	532	Payload.exe

C:\Users\Admin\AppData\Local\Temp\Payload.exe
"C:\Users\Admin\AppData\Local\Temp\Payload.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/532-0-0x0000000074DC2000-0x0000000074DC3000-memory.dmp

Filesize
4KB

Download
memory/532-1-0x0000000074DC0000-0x0000000075371000-memory.dmp

Filesize
5.7MB

Download
memory/532-2-0x0000000074DC0000-0x0000000075371000-memory.dmp

Filesize
5.7MB

Download
memory/532-3-0x0000000074DC2000-0x0000000074DC3000-memory.dmp

Filesize
4KB

Download
memory/532-4-0x0000000074DC0000-0x0000000075371000-memory.dmp

Filesize
5.7MB

Download
memory/532-5-0x0000000074DC0000-0x0000000075371000-memory.dmp

Filesize
5.7MB

Download