Managed XDR

home-petik-ss-malware-...cos_smoke-loader_vidar (njRAT) — malware analysis report

File info

Filename: home-petik-ss-malware-2025-11-14_bed76b1817eb5d82ae37d023074ba962_amadey_elex_glassworm_hellokitty_luca-stealer_njrat_remcos_smoke-loader_vidar
File type: PE32 executable (GUI) Intel 80386, for MS Windows
File size: 9.6 MB
First seen: 2025-11-14 17:10
Last seen: 2025-11-14 17:10

Environment

w10/x86 en

Hashes

SHA1: 04556145552fb4f10f878439750e232fbc753ebc
SHA256: 1feade2d425a30393136bedbf26077938fe51cf0136d72762b13a36f782e6b17
MD5: bed76b1817eb5d82ae37d023074ba962

Malwares

njRAT

Signatures

Execution

T1569.002 persistence_service: Starts newly created service

T1047 has_wmi: Executes one or several WMI requests

Persistence

T1543.003 creates_service: Creates a service, that will start automatically

T1574 dropper_dll: Creates DLL, which is then loaded into the process

Privilege Escalation

T1543.003 creates_service: Creates a service, that will start automatically

T1574 dropper_dll: Creates DLL, which is then loaded into the process

T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1027.002 packer_entropy: Probably contains compressed or encrypted data

T1574 dropper_dll: Creates DLL, which is then loaded into the process

T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

Discovery

T1033 sam_users_discovery: Enumerates users or groups in system with SAM API

T1049 list_ts_rdp_sessions: Lists ts/rdp sessions

T1057 has_wmi: Executes one or several WMI requests

T1087.001 local_account_discovery: Enumerates local accounts

T1082 has_wmi: Executes one or several WMI requests

Exfiltration

T1022 encrypts_pc_info: Collects and encrypts information about the computer (possibly for exfiltration)

Other

yara_rules: Static rules

accesses_mailslot: Performs a Mailslot ping, possibly used to get Domain Controller information

njrat: NJRat indicators detected

creates_exe: Creates executable files in the file system

create_rpc_bindings: Creates RPC connection

require_administrator: Requests administrator privileges

has_pdb: This executable file has a PDB path

creates_suspended_process: Creates suspended process

break_limit_exceeded: Warning: function calls limit has been exceeded

message_box: Displays a message

test_check_service: Starts services

writes_data: Writes big amount of data to disk

pe_overlay: PE file contains overlay

open_winlogon_process: Trying to open winlogon process

ce_info: ScreenConnect Configuration Data found

valid_authenticode: The digital signature has been verified

Related reports

Managed XDR