Managed XDR

1482741.eml (njRAT) — malware analysis report

File info

Filename
1482741.eml
File type
SMTP mail, ASCII text, with very long lines, with CRLF line terminators
File size
743.2 KB
First seen
Last seen

Environment

w10/x86 en

Hashes

SHA1
821609c969f9c492ad877a5bd6c56cdbd91501f3
SHA256
e77124e794712e120b5ceed6a155b7ec72db26f1642a257bd9a8e5ad86720218
MD5
013234b297a6bb6a80005eb3958ae457

Malwares

  • njRAT

Signatures

Privilege Escalation

T1055 injection_failed: The attempt to inject into a process has failed
T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1218 bypass_dev_utils: Executing .NET utility in a suspended state, potentially for injection
T1027.002 packer_entropy: Probably contains compressed or encrypted data
T1055 injection_failed: The attempt to inject into a process has failed
T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
T1070 stealth_window: A process created a hidden window

Other

yara_rules: Static rules
unpacker_wrong_base: Possibly, an error occured in the file unpacker
pe_in_bcryptdecrypt: PE found in BCryptDecrypt function
no_graphical_activity: No graphic activity
dotnet_suspicious_resources_names: Dotnet program has suspicious resources names
creates_suspended_process: Creates suspended process
dotnet_antimetadata_analysis: Dotnet program has anti-analysis tricks
dotnet_import_unmanaged_code: Dotnet program statically imports unmanaged functions/modules
dotnet_obfuscated: Dotnet program is potentially obfuscated
test_check_service: Starts services
dotnet_use_suspicious_functions: Dotnet program potentially uses suspicious functions/modules
dotnet_suspicious_entrypoint: Dotnet program has suspicious entrypoint
suricata_alert: Malicious traffic detected

Related reports