njrat | 7218c51ff2529378fa8be83f6ecae77444c0d85c5581c9d7f4d40dd62c318ef7

Analysis

max time kernel
147s
max time network
138s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
22-05-2024 01:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7218c51ff2529378fa8be83f6ecae77444c0d85c5581c9d7f4d40dd62c318ef7.exe
Size

115KB
MD5

84743b0c88be2cf9eb6874d119cd8299
SHA1

5bba4db84815e84007e8828efa5ca6e46acd250a
SHA256

7218c51ff2529378fa8be83f6ecae77444c0d85c5581c9d7f4d40dd62c318ef7
SHA512

dce296849d40ecba1d158adbe2f672165feb02bb101bdcb911e7cf5ebe353213611d2a254bdfeeeb33a90560be535bb147df44353d9391f7a9b818d43eb7b7b5
SSDEEP

1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMDLS:P5eznsjsguGDFqGZ2rDLS

Score

10^/10

njrat neuf evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

neuf

doddyfire.linkpc.net:10000

Mutex

e1a87040f2026369a233f9ae76301b7b

Attributes

reg_key
e1a87040f2026369a233f9ae76301b7b
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2504	netsh.exe

Executes dropped EXE 4 IoCs

pid	Process
1612	chargeable.exe
2980	chargeable.exe
2476	chargeable.exe
3004	chargeable.exe

Loads dropped DLL 2 IoCs

pid	Process
840	7218c51ff2529378fa8be83f6ecae77444c0d85c5581c9d7f4d40dd62c318ef7.exe
840	7218c51ff2529378fa8be83f6ecae77444c0d85c5581c9d7f4d40dd62c318ef7.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe"	7218c51ff2529378fa8be83f6ecae77444c0d85c5581c9d7f4d40dd62c318ef7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7218c51ff2529378fa8be83f6ecae77444c0d85c5581c9d7f4d40dd62c318ef7.exe"	7218c51ff2529378fa8be83f6ecae77444c0d85c5581c9d7f4d40dd62c318ef7.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1612 set thread context of 2476	1612	chargeable.exe	31
PID 1612 set thread context of 2980	1612	chargeable.exe	30
PID 1612 set thread context of 3004	1612	chargeable.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeDebugPrivilege	2476	chargeable.exe
Token: 33	2476	chargeable.exe
Token: SeIncBasePriorityPrivilege	2476	chargeable.exe
Token: 33	2476	chargeable.exe
Token: SeIncBasePriorityPrivilege	2476	chargeable.exe
Token: 33	2476	chargeable.exe
Token: SeIncBasePriorityPrivilege	2476	chargeable.exe
Token: 33	2476	chargeable.exe
Token: SeIncBasePriorityPrivilege	2476	chargeable.exe
Token: 33	2476	chargeable.exe
Token: SeIncBasePriorityPrivilege	2476	chargeable.exe
Token: 33	2476	chargeable.exe
Token: SeIncBasePriorityPrivilege	2476	chargeable.exe
Token: 33	2476	chargeable.exe
Token: SeIncBasePriorityPrivilege	2476	chargeable.exe
Token: 33	2476	chargeable.exe
Token: SeIncBasePriorityPrivilege	2476	chargeable.exe
Token: 33	2476	chargeable.exe
Token: SeIncBasePriorityPrivilege	2476	chargeable.exe
Token: 33	2476	chargeable.exe
Token: SeIncBasePriorityPrivilege	2476	chargeable.exe
Token: 33	2476	chargeable.exe
Token: SeIncBasePriorityPrivilege	2476	chargeable.exe
Token: 33	2476	chargeable.exe
Token: SeIncBasePriorityPrivilege	2476	chargeable.exe
Token: 33	2476	chargeable.exe
Token: SeIncBasePriorityPrivilege	2476	chargeable.exe
Token: 33	2476	chargeable.exe
Token: SeIncBasePriorityPrivilege	2476	chargeable.exe
Token: 33	2476	chargeable.exe
Token: SeIncBasePriorityPrivilege	2476	chargeable.exe
Token: 33	2476	chargeable.exe
Token: SeIncBasePriorityPrivilege	2476	chargeable.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 840 wrote to memory of 1612	840	7218c51ff2529378fa8be83f6ecae77444c0d85c5581c9d7f4d40dd62c318ef7.exe	28
PID 840 wrote to memory of 1612	840	7218c51ff2529378fa8be83f6ecae77444c0d85c5581c9d7f4d40dd62c318ef7.exe	28
PID 840 wrote to memory of 1612	840	7218c51ff2529378fa8be83f6ecae77444c0d85c5581c9d7f4d40dd62c318ef7.exe	28
PID 840 wrote to memory of 1612	840	7218c51ff2529378fa8be83f6ecae77444c0d85c5581c9d7f4d40dd62c318ef7.exe	28
PID 1612 wrote to memory of 3004	1612	chargeable.exe	29
PID 1612 wrote to memory of 3004	1612	chargeable.exe	29
PID 1612 wrote to memory of 3004	1612	chargeable.exe	29
PID 1612 wrote to memory of 3004	1612	chargeable.exe	29
PID 1612 wrote to memory of 2980	1612	chargeable.exe	30
PID 1612 wrote to memory of 2980	1612	chargeable.exe	30
PID 1612 wrote to memory of 2980	1612	chargeable.exe	30
PID 1612 wrote to memory of 2980	1612	chargeable.exe	30
PID 1612 wrote to memory of 2476	1612	chargeable.exe	31
PID 1612 wrote to memory of 2476	1612	chargeable.exe	31
PID 1612 wrote to memory of 2476	1612	chargeable.exe	31
PID 1612 wrote to memory of 2476	1612	chargeable.exe	31
PID 1612 wrote to memory of 2476	1612	chargeable.exe	31
PID 1612 wrote to memory of 2476	1612	chargeable.exe	31
PID 1612 wrote to memory of 2476	1612	chargeable.exe	31
PID 1612 wrote to memory of 2476	1612	chargeable.exe	31
PID 1612 wrote to memory of 2476	1612	chargeable.exe	31
PID 1612 wrote to memory of 2980	1612	chargeable.exe	30
PID 1612 wrote to memory of 2980	1612	chargeable.exe	30
PID 1612 wrote to memory of 2980	1612	chargeable.exe	30
PID 1612 wrote to memory of 2980	1612	chargeable.exe	30
PID 1612 wrote to memory of 2980	1612	chargeable.exe	30
PID 1612 wrote to memory of 3004	1612	chargeable.exe	29
PID 1612 wrote to memory of 3004	1612	chargeable.exe	29
PID 1612 wrote to memory of 3004	1612	chargeable.exe	29
PID 1612 wrote to memory of 3004	1612	chargeable.exe	29
PID 1612 wrote to memory of 3004	1612	chargeable.exe	29
PID 2476 wrote to memory of 2504	2476	chargeable.exe	32
PID 2476 wrote to memory of 2504	2476	chargeable.exe	32
PID 2476 wrote to memory of 2504	2476	chargeable.exe	32
PID 2476 wrote to memory of 2504	2476	chargeable.exe	32

C:\Users\Admin\AppData\Local\Temp\7218c51ff2529378fa8be83f6ecae77444c0d85c5581c9d7f4d40dd62c318ef7.exe
"C:\Users\Admin\AppData\Local\Temp\7218c51ff2529378fa8be83f6ecae77444c0d85c5581c9d7f4d40dd62c318ef7.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:840
- C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
  "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1612
- - C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
    C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
    3⤵
    - Executes dropped EXE
    PID:3004
- - C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
    C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
    3⤵
    - Executes dropped EXE
    PID:2980
- - C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
    C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2476
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      PID:2504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\37C951188967C8EB88D99893D9D191FE

Filesize
1KB

MD5
cba2426f2aafe31899569ace05e89796

SHA1
3bfb16faefd762b18f033cb2de6ceb77db9d2390

SHA256
a465febe8a024e3cdb548a3731b2ea60c7b2919e941a24b9a42890b2b039b85a

SHA512
395cce81a7966f02c49129586815b833c8acfe6efbb8795e56548f32819270c654074622b7fa880121ce7fbd29725af6f69f89b8c7e02c64d1bbffbfe0620c68

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C0018BB1B5834735BFA60CD063B31956

Filesize
1KB

MD5
0376ba21bc7c1d09e61b206c11bbc92c

SHA1
443fee1cb47f3497f1e8042a94c5da8655aa7cd7

SHA256
1e377d5df77b88b5dd8cde349ceb5c939eaddb2af2676ec91346f9ef7e24a0ab

SHA512
f68db4ce81924b2531b3467a23e02b2913086b6293d0d5a81fe9dbee941504502ea590d4667e3e758f3b4986384200700cb919bc7a5b75a29080e66b29aa9e23

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FE

Filesize
264B

MD5
93fb9ce1f75ee2989e03a67e004fa139

SHA1
40fb8450402d0aee2ccc902cd1b2bbfe7ecf1f56

SHA256
295e3a5f76aa5d50fa379970ecef7c75874a0ecff42a6242cba572f3b6587e1f

SHA512
5adb57674908bc1a40b404cc710dbe8752f9d5ecb4112f559d25f5e27c17ffc3a06aac296ba76a165247d5c04e1665d75ed87fcd9a5999d89eab8a884b263956

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
389cca43f0cff7a25c33196287f80333

SHA1
a87b79e043b321c79703069b0e9f72aad4162b3c

SHA256
fe4d1056bf6a3d00727cb33b8b2d0e5ea813045961d73ec88a90a3ed4129d7d0

SHA512
ab0581cf2a30745d7fcf4fc5500dbd4a895c16196264b59275c7167e9f3e5a7f7c8f017630aad7e1b393bf619745606e2a7bcfeb5f3e3ae41a085123d810cba0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
0b6c9dd578f695f9c2ed6198bb8de57d

SHA1
9901d5025a39b31a4067c990c9907230ac268609

SHA256
6eb3deccc19f52d59206abca6d5289a4b7641c576b679346bd4821ff8b4a7e3a

SHA512
f0bd13deba024fb78d507cbb84cda23efa07b5f19e13f5f6c9c74007d0acf3aaf6d68425bbaa589cda311f81b5614743ec4fd2e490e21f7a72ebadbf1a767ea3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
71412c4f5fa443e8ed6131238e154a28

SHA1
86924e9612dab546388b3ef60be7cad475db9cc4

SHA256
3b34a3104b30065ddb78bec96ac8e3fcb6739c5cf0358289eeaa0f5a5edd548d

SHA512
9b3322453293c0bb235425088e98180cd802377186c54bfcc2b1e183da76eb3f732ea4c157bcfe95bf1454d5a406c7eeab14bea5b95ef8042bd3d8fb279185e5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C0018BB1B5834735BFA60CD063B31956

Filesize
252B

MD5
e908bb05937f76e29e3ee8b26427cb95

SHA1
b01dac11b946d0880d752d279f10939795f90fd5

SHA256
3f06ffb6f85de5882538ec107102d90ee6badd9c20f17359cf9e44702fcb542f

SHA512
633fa9839bb309adeb2139730b64e657aaa0b833277941bf81ced8bf78373361c77164e6f81604a155828205a8bc5cc828e365ea3fef5eee078787c5f9920d57

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab126A.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar127D.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1545.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
\Users\Admin\AppData\Roaming\confuse\chargeable.exe

Filesize
115KB

MD5
c8f9754e3d5365e130267b7983290896

SHA1
726825ca8c83d6a5573fdac64400acb3fceaff4c

SHA256
9dfd62a5629d84625a9508e0f420ca6339c9ac2d6b25361d568b25a59f5d85f0

SHA512
d2b961fd430f21673679d65c64ac0b4af1f0248e0b17791ef83503cc7647dc5d6a7f4cb07a437365def4a95bb0fb782da7a45c8adb86416a4c5aa364e25f5075

Download Submit
memory/840-206-0x00000000747C0000-0x0000000074D6B000-memory.dmp

Filesize
5.7MB

Download
memory/840-0-0x00000000747C1000-0x00000000747C2000-memory.dmp

Filesize
4KB

Download
memory/840-2-0x00000000747C0000-0x0000000074D6B000-memory.dmp

Filesize
5.7MB

Download
memory/840-1-0x00000000747C0000-0x0000000074D6B000-memory.dmp

Filesize
5.7MB

Download
memory/2476-366-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2476-373-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2476-372-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads