Managed XDR

home-petik-ss-malware-...cos_smoke-loader_vidar (njRAT) — malware analysis report

File info

Filename: home-petik-ss-malware-2025-11-15_07d30288d50557757f4842ad77963b9a_amadey_elex_glassworm_hellokitty_luca-stealer_njrat_remcos_smoke-loader_vidar
File type: PE32 executable (GUI) Intel 80386, for MS Windows
File size: 14 MB
First seen: 2025-11-15 11:38
Last seen: 2025-11-15 11:38

Environment

w10/x86 en

Hashes

SHA1: ffa1ed35609693b5f35b8927e698408e9ee727c0
SHA256: 2d5ef57582d0dbb45d4a14ceedf349290021d01696db233f305ddf9d048e5219
MD5: 07d30288d50557757f4842ad77963b9a

Malwares

njRAT

Signatures

Execution

T1569.002 persistence_service: Starts newly created service

T1047 has_wmi: Executes one or several WMI requests

Persistence

T1543.003 creates_service: Creates a service, that will start automatically

T1574 dropper_dll: Creates DLL, which is then loaded into the process

Privilege Escalation

T1543.003 creates_service: Creates a service, that will start automatically

T1574 dropper_dll: Creates DLL, which is then loaded into the process

T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1036.001 invalid_authenticode: Digital signature of the executable file has failed the verification

T1574 dropper_dll: Creates DLL, which is then loaded into the process

T1027.002 packer_entropy: Probably contains compressed or encrypted data

T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

Discovery

T1033 sam_users_discovery: Enumerates users or groups in system with SAM API

T1087.001 local_account_discovery: Enumerates local accounts

T1049 list_ts_rdp_sessions: Lists ts/rdp sessions

T1057 has_wmi: Executes one or several WMI requests

T1082 has_wmi: Executes one or several WMI requests

Exfiltration

T1022 encrypts_pc_info: Collects and encrypts information about the computer (possibly for exfiltration)

Other

yara_rules: Static rules

accesses_mailslot: Performs a Mailslot ping, possibly used to get Domain Controller information

njrat: NJRat indicators detected

creates_exe: Creates executable files in the file system

create_rpc_bindings: Creates RPC connection

net_dumps_in_native: .Net dumps have been found in native PE

require_administrator: Requests administrator privileges

has_pdb: This executable file has a PDB path

creates_suspended_process: Creates suspended process

break_limit_exceeded: Warning: function calls limit has been exceeded

message_box: Displays a message

test_check_service: Starts services

writes_data: Writes big amount of data to disk

pe_overlay: PE file contains overlay

open_winlogon_process: Trying to open winlogon process

ce_info: ScreenConnect Configuration Data found

Related reports

Managed XDR