njrat | 5e0316581c455ebfae4775fe8b37bca0e7e451839553916920f20b3a7269e9c6

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
22-05-2024 14:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e0316581c455ebfae4775fe8b37bca0e7e451839553916920f20b3a7269e9c6.exe
Size

114KB
MD5

4be9986eb800ea45ff736671e9756ffe
SHA1

e30372bd80efe2da17d21e4026ab2a42b1572290
SHA256

5e0316581c455ebfae4775fe8b37bca0e7e451839553916920f20b3a7269e9c6
SHA512

4fb83428ad5899f2134dad76fb4c098b5037d1c0e5d8924741fab9d75b003838b15756cd4016cdfd99da82ff6913d6d6efc7ae9f3beaa1995346ef0ef5d46d22
SSDEEP

1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMiat6QK:P5eznsjsguGDFqGZ2rih

Score

10^/10

njrat neuf evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

neuf

doddyfire.linkpc.net:10000

Mutex

e1a87040f2026369a233f9ae76301b7b

Attributes

reg_key
e1a87040f2026369a233f9ae76301b7b
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

2564 netsh.exe
Executes dropped EXE 2 IoCs

Processes:

chargeable.exechargeable.exe

pid process

2012 chargeable.exe
2588 chargeable.exe

pid	process
2564	netsh.exe

pid	process
2012	chargeable.exe
2588	chargeable.exe

Loads dropped DLL 2 IoCs

Processes:

5e0316581c455ebfae4775fe8b37bca0e7e451839553916920f20b3a7269e9c6.exe

pid	process
2020	5e0316581c455ebfae4775fe8b37bca0e7e451839553916920f20b3a7269e9c6.exe
2020	5e0316581c455ebfae4775fe8b37bca0e7e451839553916920f20b3a7269e9c6.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

5e0316581c455ebfae4775fe8b37bca0e7e451839553916920f20b3a7269e9c6.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe"	5e0316581c455ebfae4775fe8b37bca0e7e451839553916920f20b3a7269e9c6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5e0316581c455ebfae4775fe8b37bca0e7e451839553916920f20b3a7269e9c6.exe"	5e0316581c455ebfae4775fe8b37bca0e7e451839553916920f20b3a7269e9c6.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

chargeable.exe

description pid process target process

PID 2012 set thread context of 2588 2012 chargeable.exe chargeable.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 2012 set thread context of 2588	2012	chargeable.exe	chargeable.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

Processes:

chargeable.exe

description	pid	process
Token: SeDebugPrivilege	2588	chargeable.exe
Token: 33	2588	chargeable.exe
Token: SeIncBasePriorityPrivilege	2588	chargeable.exe
Token: 33	2588	chargeable.exe
Token: SeIncBasePriorityPrivilege	2588	chargeable.exe
Token: 33	2588	chargeable.exe
Token: SeIncBasePriorityPrivilege	2588	chargeable.exe
Token: 33	2588	chargeable.exe
Token: SeIncBasePriorityPrivilege	2588	chargeable.exe
Token: 33	2588	chargeable.exe
Token: SeIncBasePriorityPrivilege	2588	chargeable.exe
Token: 33	2588	chargeable.exe
Token: SeIncBasePriorityPrivilege	2588	chargeable.exe
Token: 33	2588	chargeable.exe
Token: SeIncBasePriorityPrivilege	2588	chargeable.exe
Token: 33	2588	chargeable.exe
Token: SeIncBasePriorityPrivilege	2588	chargeable.exe
Token: 33	2588	chargeable.exe
Token: SeIncBasePriorityPrivilege	2588	chargeable.exe
Token: 33	2588	chargeable.exe
Token: SeIncBasePriorityPrivilege	2588	chargeable.exe
Token: 33	2588	chargeable.exe
Token: SeIncBasePriorityPrivilege	2588	chargeable.exe
Token: 33	2588	chargeable.exe
Token: SeIncBasePriorityPrivilege	2588	chargeable.exe
Token: 33	2588	chargeable.exe
Token: SeIncBasePriorityPrivilege	2588	chargeable.exe
Token: 33	2588	chargeable.exe
Token: SeIncBasePriorityPrivilege	2588	chargeable.exe
Token: 33	2588	chargeable.exe
Token: SeIncBasePriorityPrivilege	2588	chargeable.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

5e0316581c455ebfae4775fe8b37bca0e7e451839553916920f20b3a7269e9c6.exechargeable.exechargeable.exe

description	pid	process	target process
PID 2020 wrote to memory of 2012	2020	5e0316581c455ebfae4775fe8b37bca0e7e451839553916920f20b3a7269e9c6.exe	chargeable.exe
PID 2020 wrote to memory of 2012	2020	5e0316581c455ebfae4775fe8b37bca0e7e451839553916920f20b3a7269e9c6.exe	chargeable.exe
PID 2020 wrote to memory of 2012	2020	5e0316581c455ebfae4775fe8b37bca0e7e451839553916920f20b3a7269e9c6.exe	chargeable.exe
PID 2020 wrote to memory of 2012	2020	5e0316581c455ebfae4775fe8b37bca0e7e451839553916920f20b3a7269e9c6.exe	chargeable.exe
PID 2012 wrote to memory of 2588	2012	chargeable.exe	chargeable.exe
PID 2012 wrote to memory of 2588	2012	chargeable.exe	chargeable.exe
PID 2012 wrote to memory of 2588	2012	chargeable.exe	chargeable.exe
PID 2012 wrote to memory of 2588	2012	chargeable.exe	chargeable.exe
PID 2012 wrote to memory of 2588	2012	chargeable.exe	chargeable.exe
PID 2012 wrote to memory of 2588	2012	chargeable.exe	chargeable.exe
PID 2012 wrote to memory of 2588	2012	chargeable.exe	chargeable.exe
PID 2012 wrote to memory of 2588	2012	chargeable.exe	chargeable.exe
PID 2012 wrote to memory of 2588	2012	chargeable.exe	chargeable.exe
PID 2588 wrote to memory of 2564	2588	chargeable.exe	netsh.exe
PID 2588 wrote to memory of 2564	2588	chargeable.exe	netsh.exe
PID 2588 wrote to memory of 2564	2588	chargeable.exe	netsh.exe
PID 2588 wrote to memory of 2564	2588	chargeable.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\5e0316581c455ebfae4775fe8b37bca0e7e451839553916920f20b3a7269e9c6.exe
"C:\Users\Admin\AppData\Local\Temp\5e0316581c455ebfae4775fe8b37bca0e7e451839553916920f20b3a7269e9c6.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2020

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
"C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2012

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2588

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
4⤵
- Modifies Windows Firewall
PID:2564

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\37C951188967C8EB88D99893D9D191FE
Filesize
1KB

MD5
cba2426f2aafe31899569ace05e89796

SHA1
3bfb16faefd762b18f033cb2de6ceb77db9d2390

SHA256
a465febe8a024e3cdb548a3731b2ea60c7b2919e941a24b9a42890b2b039b85a

SHA512
395cce81a7966f02c49129586815b833c8acfe6efbb8795e56548f32819270c654074622b7fa880121ce7fbd29725af6f69f89b8c7e02c64d1bbffbfe0620c68

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C0018BB1B5834735BFA60CD063B31956
Filesize
1KB

MD5
0376ba21bc7c1d09e61b206c11bbc92c

SHA1
443fee1cb47f3497f1e8042a94c5da8655aa7cd7

SHA256
1e377d5df77b88b5dd8cde349ceb5c939eaddb2af2676ec91346f9ef7e24a0ab

SHA512
f68db4ce81924b2531b3467a23e02b2913086b6293d0d5a81fe9dbee941504502ea590d4667e3e758f3b4986384200700cb919bc7a5b75a29080e66b29aa9e23

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FE
Filesize
264B

MD5
37549294a76a582acc3c536305774f21

SHA1
85b6c4cf7aa401895e3429b409b647befcfdf335

SHA256
9b8357ec997d97f8dcbc44728c5aded6186916987b45680e656bc45c5e163f4a

SHA512
ea2c790c8fd67d8bfd4ae595ac840dac49c4ed7a40d41021c5d300023b613457672de8195acc9a9cf488c79aa76df090db15a0f329ca2bc7ee11a52bbfef2987

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
3a5bfe0eaf3d61f1dde450bb0650b7cb

SHA1
0e4a4df7ad82830c6a0dd021a0c3fd2f9fa2161e

SHA256
c91ce415bf65bd40d2fe824c0603b9343e8255e4973b4aac22842d3201f4df77

SHA512
fd90e7eb77bf1b1e266b446310f8a3eb5a4f5edabf6239b22895dad778a06c2942f51d3b36a1b28c59e4be8f17b511ebcbe404f7739eba385f293247c6edba7e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
56a3a204cd1df50cfe6b4c12e0a927b8

SHA1
691cdd7890e545182dd1d79fdb16e2ef5df0619c

SHA256
07b02a946254868b89597dd9d622371241be93b2e07886575d0696a93b5219b9

SHA512
90a50502b4822fb28739eddd61168ac311a812135ba547191dc0c17f4d9bb1605bf312ab68f261bc9e051954537367976b14fd608ad3932798a958e211c54cc9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
9d5fa179e2ee5a28d124cb83aa698f33

SHA1
442b3aa105ec68bf0e95df30f57497672a78076c

SHA256
4bd8c783b6902dbf8cb7f85390e75d74d622497b26ec1ab74e771bf87f5bb708

SHA512
05a9236924304bc5e5189676bf2435a6f1077595ca403794a1945330cf51b14f6c453ac5cc1f2ecaba8486dcb65ce553cf4d00c352e6d748c559ef41740331f2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C0018BB1B5834735BFA60CD063B31956
Filesize
252B

MD5
1b5b01457f4d822a54edc97254864196

SHA1
41ae2a7c14669726e371c886717cb657683e12bc

SHA256
b81ceb845b21eb6d9f0ba58d8f5812685ac71343d6c1ab86e1267f9b58640be5

SHA512
3e5480f77729b3f0ad44be3b6525d62f5aa352222e6c5121da77d95cd58da447539a5d7fb19dbb5efe8235282cb8d77fb67287f9ea0ef347fed0d23ddece2e99

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1FC2.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1FE5.tmp
Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4807.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
\Users\Admin\AppData\Roaming\confuse\chargeable.exe
Filesize
114KB

MD5
5af06fb1a6eb5606f70696d5fe54f4f1

SHA1
cc1291d8c9de36c5f0878a3b62428131398ad6b6

SHA256
0c04b636b03bae677bf358816d8fc6487cf4304b8a32d5bf08915e7ea430601b

SHA512
c8462e52b18ff14a580bffd2bc12aa4f4f7e39311cff07b70ce365cc65ccdf75026e005cd4fea95c8a41ca8d5ef58371e23639d4fd5954e5d5491c05132b4231

Download Submit
memory/2020-206-0x0000000074F00000-0x00000000754AB000-memory.dmp

Filesize
5.7MB

Download
memory/2020-0-0x0000000074F01000-0x0000000074F02000-memory.dmp

Filesize
4KB

Download
memory/2020-2-0x0000000074F00000-0x00000000754AB000-memory.dmp

Filesize
5.7MB

Download
memory/2020-1-0x0000000074F00000-0x00000000754AB000-memory.dmp

Filesize
5.7MB

Download
memory/2588-366-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2588-369-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2588-368-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download