njrat | 6021565a6ce591d4ba96e91548ffc32049a14fc6475a9ea21dc620cd8aad0c58

General

Target

6021565a6ce591d4ba96e91548ffc32049a14fc6475a9ea21dc620cd8aad0c58.exe
Size

851KB
MD5

82f01d8c0b2d91ea436408cd47552a9b
SHA1

cf91ce41e81fae3447cc222379c39b24996b5c85
SHA256

6021565a6ce591d4ba96e91548ffc32049a14fc6475a9ea21dc620cd8aad0c58
SHA512

0111b9623b48e651918b7c445fd2c76d705f2349e853293dd585abab1f57008d44b70cadfcad55946eec87257edd9267c43003dcf6989feeeb62acdc44f1aa09
SSDEEP

24576:t9WOR12VcEw33nqhjisQiKLUvzD445D7vcUj:t9WObyGLLDKDH

Score

10^/10

njrat evasion persistence trojan

Malware Config

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 3 IoCs

Processes:

Fusebux-Instant-Money.exeMoney-To-Your-Fusebux-Account-Instantly.exesvchost.exe

pid process

3368 Fusebux-Instant-Money.exe
4432 Money-To-Your-Fusebux-Account-Instantly.exe
2244 svchost.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

3148 netsh.exe

pid	process
3368	Fusebux-Instant-Money.exe
4432	Money-To-Your-Fusebux-Account-Instantly.exe
2244	svchost.exe

pid	process
3148	netsh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6021565a6ce591d4ba96e91548ffc32049a14fc6475a9ea21dc620cd8aad0c58.exeMoney-To-Your-Fusebux-Account-Instantly.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	6021565a6ce591d4ba96e91548ffc32049a14fc6475a9ea21dc620cd8aad0c58.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	Money-To-Your-Fusebux-Account-Instantly.exe

Drops startup file 2 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3db166ddf8eda41ea0294b2b337cfbe9.exe	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3db166ddf8eda41ea0294b2b337cfbe9.exe	svchost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3db166ddf8eda41ea0294b2b337cfbe9 = "\"C:\\Users\\Admin\\svchost.exe\" .."	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3db166ddf8eda41ea0294b2b337cfbe9 = "\"C:\\Users\\Admin\\svchost.exe\" .."	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

svchost.exe

description	pid	process
Token: SeDebugPrivilege	2244	svchost.exe
Token: 33	2244	svchost.exe
Token: SeIncBasePriorityPrivilege	2244	svchost.exe
Token: 33	2244	svchost.exe
Token: SeIncBasePriorityPrivilege	2244	svchost.exe
Token: 33	2244	svchost.exe
Token: SeIncBasePriorityPrivilege	2244	svchost.exe
Token: 33	2244	svchost.exe
Token: SeIncBasePriorityPrivilege	2244	svchost.exe
Token: 33	2244	svchost.exe
Token: SeIncBasePriorityPrivilege	2244	svchost.exe
Token: 33	2244	svchost.exe
Token: SeIncBasePriorityPrivilege	2244	svchost.exe
Token: 33	2244	svchost.exe
Token: SeIncBasePriorityPrivilege	2244	svchost.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

6021565a6ce591d4ba96e91548ffc32049a14fc6475a9ea21dc620cd8aad0c58.exeMoney-To-Your-Fusebux-Account-Instantly.exesvchost.exe

description	pid	process	target process
PID 868 wrote to memory of 3368	868	6021565a6ce591d4ba96e91548ffc32049a14fc6475a9ea21dc620cd8aad0c58.exe	Fusebux-Instant-Money.exe
PID 868 wrote to memory of 3368	868	6021565a6ce591d4ba96e91548ffc32049a14fc6475a9ea21dc620cd8aad0c58.exe	Fusebux-Instant-Money.exe
PID 868 wrote to memory of 3368	868	6021565a6ce591d4ba96e91548ffc32049a14fc6475a9ea21dc620cd8aad0c58.exe	Fusebux-Instant-Money.exe
PID 868 wrote to memory of 4432	868	6021565a6ce591d4ba96e91548ffc32049a14fc6475a9ea21dc620cd8aad0c58.exe	Money-To-Your-Fusebux-Account-Instantly.exe
PID 868 wrote to memory of 4432	868	6021565a6ce591d4ba96e91548ffc32049a14fc6475a9ea21dc620cd8aad0c58.exe	Money-To-Your-Fusebux-Account-Instantly.exe
PID 4432 wrote to memory of 2244	4432	Money-To-Your-Fusebux-Account-Instantly.exe	svchost.exe
PID 4432 wrote to memory of 2244	4432	Money-To-Your-Fusebux-Account-Instantly.exe	svchost.exe
PID 2244 wrote to memory of 3148	2244	svchost.exe	netsh.exe
PID 2244 wrote to memory of 3148	2244	svchost.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\6021565a6ce591d4ba96e91548ffc32049a14fc6475a9ea21dc620cd8aad0c58.exe
"C:\Users\Admin\AppData\Local\Temp\6021565a6ce591d4ba96e91548ffc32049a14fc6475a9ea21dc620cd8aad0c58.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:868

C:\Users\Admin\AppData\Local\Temp\Fusebux-Instant-Money.exe
"C:\Users\Admin\AppData\Local\Temp\Fusebux-Instant-Money.exe"
2⤵
- Executes dropped EXE
PID:3368

C:\Users\Admin\AppData\Local\Temp\Money-To-Your-Fusebux-Account-Instantly.exe
"C:\Users\Admin\AppData\Local\Temp\Money-To-Your-Fusebux-Account-Instantly.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4432

C:\Users\Admin\svchost.exe
"C:\Users\Admin\svchost.exe"
3⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2244

C:\Windows\SYSTEM32\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\svchost.exe" "svchost.exe" ENABLE
4⤵
- Modifies Windows Firewall
PID:3148

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Fusebux-Instant-Money.exe
Filesize
169KB

MD5
a1ffe51d09de133a85d71b33d1c19f18

SHA1
2245c4b5d4f1d7652e651d6b1118798b46da8ef1

SHA256
1de72fd0059f708be4bc5c6e4cee135f4abf825806cab4cff0fd6cade44efedb

SHA512
0f6b9a9f8bd3503c6fe70e399691b63c8e044dac55dcffa22696ddcfea30d460c8e1211156a3a4dc02538b2eb7d8464b4a19fb09abb5b268b728ceb09c4bcf38

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fusebux-Instant-Money.exe
Filesize
169KB

MD5
a1ffe51d09de133a85d71b33d1c19f18

SHA1
2245c4b5d4f1d7652e651d6b1118798b46da8ef1

SHA256
1de72fd0059f708be4bc5c6e4cee135f4abf825806cab4cff0fd6cade44efedb

SHA512
0f6b9a9f8bd3503c6fe70e399691b63c8e044dac55dcffa22696ddcfea30d460c8e1211156a3a4dc02538b2eb7d8464b4a19fb09abb5b268b728ceb09c4bcf38

Download Submit
C:\Users\Admin\AppData\Local\Temp\Money-To-Your-Fusebux-Account-Instantly.exe
Filesize
360KB

MD5
8fa430d15200fa6144308a89e197b592

SHA1
715be47225e20e324c5647a6b89fbeba462ef7e2

SHA256
e3f6501aaa3be057e71652fdf93468152af66cfe1b5a8a2f9160a574718d5fd3

SHA512
77b205f2d997c9f3fad307077d1b5d46bd7d687bf6059f0ee5ce897c9ba972dc3fc35c17e3db9a362dc6b9c48da7028134291d65cb77fcf0a42c72adf72a8490

Download Submit
C:\Users\Admin\AppData\Local\Temp\Money-To-Your-Fusebux-Account-Instantly.exe
Filesize
360KB

MD5
8fa430d15200fa6144308a89e197b592

SHA1
715be47225e20e324c5647a6b89fbeba462ef7e2

SHA256
e3f6501aaa3be057e71652fdf93468152af66cfe1b5a8a2f9160a574718d5fd3

SHA512
77b205f2d997c9f3fad307077d1b5d46bd7d687bf6059f0ee5ce897c9ba972dc3fc35c17e3db9a362dc6b9c48da7028134291d65cb77fcf0a42c72adf72a8490

Download Submit
C:\Users\Admin\svchost.exe
Filesize
360KB

MD5
8fa430d15200fa6144308a89e197b592

SHA1
715be47225e20e324c5647a6b89fbeba462ef7e2

SHA256
e3f6501aaa3be057e71652fdf93468152af66cfe1b5a8a2f9160a574718d5fd3

SHA512
77b205f2d997c9f3fad307077d1b5d46bd7d687bf6059f0ee5ce897c9ba972dc3fc35c17e3db9a362dc6b9c48da7028134291d65cb77fcf0a42c72adf72a8490

Download Submit
C:\Users\Admin\svchost.exe
Filesize
360KB

MD5
8fa430d15200fa6144308a89e197b592

SHA1
715be47225e20e324c5647a6b89fbeba462ef7e2

SHA256
e3f6501aaa3be057e71652fdf93468152af66cfe1b5a8a2f9160a574718d5fd3

SHA512
77b205f2d997c9f3fad307077d1b5d46bd7d687bf6059f0ee5ce897c9ba972dc3fc35c17e3db9a362dc6b9c48da7028134291d65cb77fcf0a42c72adf72a8490

Download Submit
memory/868-132-0x0000000075000000-0x00000000755B1000-memory.dmp

Filesize
5.7MB

Download
memory/868-139-0x0000000075000000-0x00000000755B1000-memory.dmp

Filesize
5.7MB

Download
memory/2244-149-0x0000000000000000-mapping.dmp

Download
memory/2244-152-0x00007FFF2BC10000-0x00007FFF2C6D1000-memory.dmp

Filesize
10.8MB

Download
memory/2244-154-0x00007FFF2BC10000-0x00007FFF2C6D1000-memory.dmp

Filesize
10.8MB

Download
memory/3148-155-0x0000000000000000-mapping.dmp

Download
memory/3368-147-0x00000000055A0000-0x00000000055F6000-memory.dmp

Filesize
344KB

Download
memory/3368-145-0x00000000053C0000-0x0000000005452000-memory.dmp

Filesize
584KB

Download
memory/3368-146-0x0000000005330000-0x000000000533A000-memory.dmp

Filesize
40KB

Download
memory/3368-141-0x00000000008C0000-0x00000000008F2000-memory.dmp

Filesize
200KB

Download
memory/3368-133-0x0000000000000000-mapping.dmp

Download
memory/3368-144-0x00000000058D0000-0x0000000005E74000-memory.dmp

Filesize
5.6MB

Download
memory/3368-142-0x0000000005280000-0x000000000531C000-memory.dmp

Filesize
624KB

Download
memory/4432-148-0x00007FFF2BC10000-0x00007FFF2C6D1000-memory.dmp

Filesize
10.8MB

Download
memory/4432-140-0x0000000000970000-0x00000000009D0000-memory.dmp

Filesize
384KB

Download
memory/4432-136-0x0000000000000000-mapping.dmp

Download
memory/4432-153-0x00007FFF2BC10000-0x00007FFF2C6D1000-memory.dmp

Filesize
10.8MB

Download
memory/4432-143-0x00007FFF2BC10000-0x00007FFF2C6D1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads