njrat | 5e0316581c455ebfae4775fe8b37bca0e7e451839553916920f20b3a7269e9c6

Analysis

max time kernel
146s
max time network
148s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
22-05-2024 01:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e0316581c455ebfae4775fe8b37bca0e7e451839553916920f20b3a7269e9c6.exe
Size

114KB
MD5

4be9986eb800ea45ff736671e9756ffe
SHA1

e30372bd80efe2da17d21e4026ab2a42b1572290
SHA256

5e0316581c455ebfae4775fe8b37bca0e7e451839553916920f20b3a7269e9c6
SHA512

4fb83428ad5899f2134dad76fb4c098b5037d1c0e5d8924741fab9d75b003838b15756cd4016cdfd99da82ff6913d6d6efc7ae9f3beaa1995346ef0ef5d46d22
SSDEEP

1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMiat6QK:P5eznsjsguGDFqGZ2rih

Score

10^/10

njrat neuf evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

neuf

doddyfire.linkpc.net:10000

Mutex

e1a87040f2026369a233f9ae76301b7b

Attributes

reg_key
e1a87040f2026369a233f9ae76301b7b
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

3024 netsh.exe
Executes dropped EXE 2 IoCs

Processes:

chargeable.exechargeable.exe

pid process

2112 chargeable.exe
2648 chargeable.exe

pid	process
3024	netsh.exe

pid	process
2112	chargeable.exe
2648	chargeable.exe

Loads dropped DLL 2 IoCs

Processes:

5e0316581c455ebfae4775fe8b37bca0e7e451839553916920f20b3a7269e9c6.exe

pid	process
1660	5e0316581c455ebfae4775fe8b37bca0e7e451839553916920f20b3a7269e9c6.exe
1660	5e0316581c455ebfae4775fe8b37bca0e7e451839553916920f20b3a7269e9c6.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

5e0316581c455ebfae4775fe8b37bca0e7e451839553916920f20b3a7269e9c6.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe"	5e0316581c455ebfae4775fe8b37bca0e7e451839553916920f20b3a7269e9c6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5e0316581c455ebfae4775fe8b37bca0e7e451839553916920f20b3a7269e9c6.exe"	5e0316581c455ebfae4775fe8b37bca0e7e451839553916920f20b3a7269e9c6.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

chargeable.exe

description pid process target process

PID 2112 set thread context of 2648 2112 chargeable.exe chargeable.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 2112 set thread context of 2648	2112	chargeable.exe	chargeable.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

Processes:

chargeable.exe

description	pid	process
Token: SeDebugPrivilege	2648	chargeable.exe
Token: 33	2648	chargeable.exe
Token: SeIncBasePriorityPrivilege	2648	chargeable.exe
Token: 33	2648	chargeable.exe
Token: SeIncBasePriorityPrivilege	2648	chargeable.exe
Token: 33	2648	chargeable.exe
Token: SeIncBasePriorityPrivilege	2648	chargeable.exe
Token: 33	2648	chargeable.exe
Token: SeIncBasePriorityPrivilege	2648	chargeable.exe
Token: 33	2648	chargeable.exe
Token: SeIncBasePriorityPrivilege	2648	chargeable.exe
Token: 33	2648	chargeable.exe
Token: SeIncBasePriorityPrivilege	2648	chargeable.exe
Token: 33	2648	chargeable.exe
Token: SeIncBasePriorityPrivilege	2648	chargeable.exe
Token: 33	2648	chargeable.exe
Token: SeIncBasePriorityPrivilege	2648	chargeable.exe
Token: 33	2648	chargeable.exe
Token: SeIncBasePriorityPrivilege	2648	chargeable.exe
Token: 33	2648	chargeable.exe
Token: SeIncBasePriorityPrivilege	2648	chargeable.exe
Token: 33	2648	chargeable.exe
Token: SeIncBasePriorityPrivilege	2648	chargeable.exe
Token: 33	2648	chargeable.exe
Token: SeIncBasePriorityPrivilege	2648	chargeable.exe
Token: 33	2648	chargeable.exe
Token: SeIncBasePriorityPrivilege	2648	chargeable.exe
Token: 33	2648	chargeable.exe
Token: SeIncBasePriorityPrivilege	2648	chargeable.exe
Token: 33	2648	chargeable.exe
Token: SeIncBasePriorityPrivilege	2648	chargeable.exe
Token: 33	2648	chargeable.exe
Token: SeIncBasePriorityPrivilege	2648	chargeable.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

5e0316581c455ebfae4775fe8b37bca0e7e451839553916920f20b3a7269e9c6.exechargeable.exechargeable.exe

description	pid	process	target process
PID 1660 wrote to memory of 2112	1660	5e0316581c455ebfae4775fe8b37bca0e7e451839553916920f20b3a7269e9c6.exe	chargeable.exe
PID 1660 wrote to memory of 2112	1660	5e0316581c455ebfae4775fe8b37bca0e7e451839553916920f20b3a7269e9c6.exe	chargeable.exe
PID 1660 wrote to memory of 2112	1660	5e0316581c455ebfae4775fe8b37bca0e7e451839553916920f20b3a7269e9c6.exe	chargeable.exe
PID 1660 wrote to memory of 2112	1660	5e0316581c455ebfae4775fe8b37bca0e7e451839553916920f20b3a7269e9c6.exe	chargeable.exe
PID 2112 wrote to memory of 2648	2112	chargeable.exe	chargeable.exe
PID 2112 wrote to memory of 2648	2112	chargeable.exe	chargeable.exe
PID 2112 wrote to memory of 2648	2112	chargeable.exe	chargeable.exe
PID 2112 wrote to memory of 2648	2112	chargeable.exe	chargeable.exe
PID 2112 wrote to memory of 2648	2112	chargeable.exe	chargeable.exe
PID 2112 wrote to memory of 2648	2112	chargeable.exe	chargeable.exe
PID 2112 wrote to memory of 2648	2112	chargeable.exe	chargeable.exe
PID 2112 wrote to memory of 2648	2112	chargeable.exe	chargeable.exe
PID 2112 wrote to memory of 2648	2112	chargeable.exe	chargeable.exe
PID 2648 wrote to memory of 3024	2648	chargeable.exe	netsh.exe
PID 2648 wrote to memory of 3024	2648	chargeable.exe	netsh.exe
PID 2648 wrote to memory of 3024	2648	chargeable.exe	netsh.exe
PID 2648 wrote to memory of 3024	2648	chargeable.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\5e0316581c455ebfae4775fe8b37bca0e7e451839553916920f20b3a7269e9c6.exe
"C:\Users\Admin\AppData\Local\Temp\5e0316581c455ebfae4775fe8b37bca0e7e451839553916920f20b3a7269e9c6.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1660

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
"C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2112

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2648

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
4⤵
- Modifies Windows Firewall
PID:3024

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\37C951188967C8EB88D99893D9D191FE
Filesize
1KB

MD5
cba2426f2aafe31899569ace05e89796

SHA1
3bfb16faefd762b18f033cb2de6ceb77db9d2390

SHA256
a465febe8a024e3cdb548a3731b2ea60c7b2919e941a24b9a42890b2b039b85a

SHA512
395cce81a7966f02c49129586815b833c8acfe6efbb8795e56548f32819270c654074622b7fa880121ce7fbd29725af6f69f89b8c7e02c64d1bbffbfe0620c68

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C0018BB1B5834735BFA60CD063B31956
Filesize
1KB

MD5
0376ba21bc7c1d09e61b206c11bbc92c

SHA1
443fee1cb47f3497f1e8042a94c5da8655aa7cd7

SHA256
1e377d5df77b88b5dd8cde349ceb5c939eaddb2af2676ec91346f9ef7e24a0ab

SHA512
f68db4ce81924b2531b3467a23e02b2913086b6293d0d5a81fe9dbee941504502ea590d4667e3e758f3b4986384200700cb919bc7a5b75a29080e66b29aa9e23

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FE
Filesize
264B

MD5
7ecbc25841a0ac424626b75d3f423050

SHA1
76d29778e67663961e01593d465567dd27623227

SHA256
57225550fe7af0ad9846d6f7c607219e8ace891426c105d341703d694c19e070

SHA512
eff7e16630729c30b2a306525a9788267503eaa9fe7eb396c22f641ebcacce2b83084a553017eba4c96028e55818e5901aa2ba5295547b19ed64230eed385d99

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
7b1a3f6a086c6ceb0431377236c5ea6b

SHA1
c657c637c472806e923c2bf132e69a01eedd6e78

SHA256
29070f961014455b9ae96cd8f75460b8a2e063a110cd226d2489168fa6eb730e

SHA512
f524ae36731197839a867d79b298f334f96b40297b11524763e0581f9ce6355f1897d76690285e395a185d47864c691f1172aa4b9e38cd324c23f60537e9bde8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
054e490846cb2197dffc7e8cc01f1164

SHA1
40a76d707eefbfd969e910d0b44e1cb136a9e892

SHA256
ffea3eca80c77d366bd38600885e0a8dcd183f3f6099b3cdeea26015a546340d

SHA512
efb2cf147aedb2ffb5eceef5092965dae5793f5869b421158ec91e68b3476f033847138d956d6637d77f68ce3fb358736a587cfd0f2f428f4f367597d58f5132

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
8432af2c8269b106912cf17756cd8bcd

SHA1
7f2226828c4014f70c878184b772b6676173fc5f

SHA256
e30a79cb01fc2de0afb2dc8ba9cfef96280dad5c20d48324c651dc2a112d714b

SHA512
cb6b88434104d0367a241014b736871ae6f6d81817a811f08b8c363158db2791c77b4bd932cbc8ceac013e95d4372663be665c9331791f4fe5f36a8311aae942

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C0018BB1B5834735BFA60CD063B31956
Filesize
252B

MD5
fc435fce8d07439252a4bdc3526f2e6a

SHA1
f5dfe9bd201ecd2cff00a0b6a1fa54f2e6c1d22a

SHA256
7f0ad0cf6b853c3fc0dc86b72a33c31e052db44e354001c292457e98c974dd5a

SHA512
1c63a8e21b1ea7ab6590fb77211a6190d84325eef36404858f0bcf1ded3f4a0570963a80bcfa5ffcba00c4037ae41a66144d9100ecce2fd7c037f7125dcf1bc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
242B

MD5
f74b840ff69fbafef410944486cc116c

SHA1
60f056641143d6173273ecd077630113f51049d7

SHA256
482079d438ee602f55c8223de3924d17d8f31e400d3900a636154e95038bc64a

SHA512
19ebf6b286f2ae2b987ce1c6db2112e85a7ffba1164b05ab0bfb32ee43e21ee183e6b9d0d8a4333c42d98737f728bdf9c110aeee0cc214d5134d398036122e27

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar122F.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
\Users\Admin\AppData\Roaming\confuse\chargeable.exe
Filesize
114KB

MD5
fb5351c37e1d787a63f36404e09cbfb8

SHA1
d899f0e8d511b4de6edea788df18d8c629ec304e

SHA256
6e286ead6ec8eea46e96986bd1e5859f13d072c32e763a804b426dafba0bb58c

SHA512
d7baa4f291ae38275d64069be156b072bb4ee718d6132aa8089acee4ab56a8cfefcaf610a1e9d53fe668908f30cf9387a7eb313571a42d5b3f3351b5aebeab96

Download Submit
memory/1660-0-0x0000000074031000-0x0000000074032000-memory.dmp

Filesize
4KB

Download
memory/1660-200-0x0000000074030000-0x00000000745DB000-memory.dmp

Filesize
5.7MB

Download
memory/1660-1-0x0000000074030000-0x00000000745DB000-memory.dmp

Filesize
5.7MB

Download
memory/2648-362-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2648-364-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2648-365-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download