njrat | 3f79c48003089ef4f35e9fdcfaeba9323c1a80251e91a3f1bd3673d2ec02a506

General

Target

aff78e3bfeb28385f20384fc6e3f3327.exe
Size

100KB
MD5

aff78e3bfeb28385f20384fc6e3f3327
SHA1

d448f9c3a5df6c8ae81e3178f14b39ce63619b7d
SHA256

3f79c48003089ef4f35e9fdcfaeba9323c1a80251e91a3f1bd3673d2ec02a506
SHA512

9e7fbbe9ba4914828859936f5ad6330a65b1aa58afe26a611a0b6f3d16a5387a4b707790ccb2d67a822f6fc14c4f92b48fbbfffc3af4a04e329daf78ca1d54ee

Score

10^/10

njrat neuf evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

neuf

C2

doddyfire.linkpc.net:10000

Mutex

e1a87040f2026369a233f9ae76301b7b

Attributes

reg_key
e1a87040f2026369a233f9ae76301b7b
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 2 IoCs

Processes:

chargeable.exechargeable.exe

pid process

996 chargeable.exe
1560 chargeable.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

pid	process
996	chargeable.exe
1560	chargeable.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

aff78e3bfeb28385f20384fc6e3f3327.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe"	aff78e3bfeb28385f20384fc6e3f3327.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aff78e3bfeb28385f20384fc6e3f3327.exe"	aff78e3bfeb28385f20384fc6e3f3327.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

chargeable.exe

description pid process target process

PID 996 set thread context of 1560 996 chargeable.exe chargeable.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 996 set thread context of 1560	996	chargeable.exe	chargeable.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

Processes:

chargeable.exe

description	pid	process
Token: SeDebugPrivilege	1560	chargeable.exe
Token: 33	1560	chargeable.exe
Token: SeIncBasePriorityPrivilege	1560	chargeable.exe
Token: 33	1560	chargeable.exe
Token: SeIncBasePriorityPrivilege	1560	chargeable.exe
Token: 33	1560	chargeable.exe
Token: SeIncBasePriorityPrivilege	1560	chargeable.exe
Token: 33	1560	chargeable.exe
Token: SeIncBasePriorityPrivilege	1560	chargeable.exe
Token: 33	1560	chargeable.exe
Token: SeIncBasePriorityPrivilege	1560	chargeable.exe
Token: 33	1560	chargeable.exe
Token: SeIncBasePriorityPrivilege	1560	chargeable.exe
Token: 33	1560	chargeable.exe
Token: SeIncBasePriorityPrivilege	1560	chargeable.exe
Token: 33	1560	chargeable.exe
Token: SeIncBasePriorityPrivilege	1560	chargeable.exe
Token: 33	1560	chargeable.exe
Token: SeIncBasePriorityPrivilege	1560	chargeable.exe
Token: 33	1560	chargeable.exe
Token: SeIncBasePriorityPrivilege	1560	chargeable.exe
Token: 33	1560	chargeable.exe
Token: SeIncBasePriorityPrivilege	1560	chargeable.exe
Token: 33	1560	chargeable.exe
Token: SeIncBasePriorityPrivilege	1560	chargeable.exe
Token: 33	1560	chargeable.exe
Token: SeIncBasePriorityPrivilege	1560	chargeable.exe
Token: 33	1560	chargeable.exe
Token: SeIncBasePriorityPrivilege	1560	chargeable.exe
Token: 33	1560	chargeable.exe
Token: SeIncBasePriorityPrivilege	1560	chargeable.exe
Token: 33	1560	chargeable.exe
Token: SeIncBasePriorityPrivilege	1560	chargeable.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

aff78e3bfeb28385f20384fc6e3f3327.exechargeable.exechargeable.exe

description	pid	process	target process
PID 4092 wrote to memory of 996	4092	aff78e3bfeb28385f20384fc6e3f3327.exe	chargeable.exe
PID 4092 wrote to memory of 996	4092	aff78e3bfeb28385f20384fc6e3f3327.exe	chargeable.exe
PID 4092 wrote to memory of 996	4092	aff78e3bfeb28385f20384fc6e3f3327.exe	chargeable.exe
PID 996 wrote to memory of 1560	996	chargeable.exe	chargeable.exe
PID 996 wrote to memory of 1560	996	chargeable.exe	chargeable.exe
PID 996 wrote to memory of 1560	996	chargeable.exe	chargeable.exe
PID 996 wrote to memory of 1560	996	chargeable.exe	chargeable.exe
PID 996 wrote to memory of 1560	996	chargeable.exe	chargeable.exe
PID 996 wrote to memory of 1560	996	chargeable.exe	chargeable.exe
PID 996 wrote to memory of 1560	996	chargeable.exe	chargeable.exe
PID 996 wrote to memory of 1560	996	chargeable.exe	chargeable.exe
PID 1560 wrote to memory of 3212	1560	chargeable.exe	netsh.exe
PID 1560 wrote to memory of 3212	1560	chargeable.exe	netsh.exe
PID 1560 wrote to memory of 3212	1560	chargeable.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\aff78e3bfeb28385f20384fc6e3f3327.exe
"C:\Users\Admin\AppData\Local\Temp\aff78e3bfeb28385f20384fc6e3f3327.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4092

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
"C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:996

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1560

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
4⤵
PID:3212

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\chargeable.exe.log
MD5
33b323c15555929c70c286920f658bbc

SHA1
0b12cd2ae60c717f2687103be76dd21841338a64

SHA256
1fc5f1cfb7c70c8be091d216610b21939e399995130cf1a0320d00dcc26017e7

SHA512
9bb73d2eb87bbe889817b48974e606672779c517119137e2ec83fb4754a580509811343caf3b4e2128b2d1872b3971d09a782bbf8464520a24b040fec508385c

Download Submit
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
MD5
545f91c378997f86c1963fbdeae5c463

SHA1
2a8dc0913b0b70f54aab784331408211acc4ebfe

SHA256
200491a7b5247f2dea5f3576ce55990e2bfcbd10b36fcbc1fbb5f42aaac6f4b2

SHA512
314b36f632777b5b96c3eaa7b5d7560db28bf1d9431eb582895c09f735217de42d18881c778f492617ff3aff4375c57a8193c51119e5f47af4235e2682d80505

Download Submit
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
MD5
545f91c378997f86c1963fbdeae5c463

SHA1
2a8dc0913b0b70f54aab784331408211acc4ebfe

SHA256
200491a7b5247f2dea5f3576ce55990e2bfcbd10b36fcbc1fbb5f42aaac6f4b2

SHA512
314b36f632777b5b96c3eaa7b5d7560db28bf1d9431eb582895c09f735217de42d18881c778f492617ff3aff4375c57a8193c51119e5f47af4235e2682d80505

Download Submit
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
MD5
545f91c378997f86c1963fbdeae5c463

SHA1
2a8dc0913b0b70f54aab784331408211acc4ebfe

SHA256
200491a7b5247f2dea5f3576ce55990e2bfcbd10b36fcbc1fbb5f42aaac6f4b2

SHA512
314b36f632777b5b96c3eaa7b5d7560db28bf1d9431eb582895c09f735217de42d18881c778f492617ff3aff4375c57a8193c51119e5f47af4235e2682d80505

Download Submit
memory/996-2-0x0000000000000000-mapping.dmp

Download
memory/1560-5-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1560-6-0x000000000040748E-mapping.dmp

Download
memory/3212-9-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads