njrat | ff4501dcfc5f1f6ab5c50195d053191d54290d2efc160def4de7af2b2c1f7039

Analysis

max time kernel
146s
max time network
140s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
22-05-2024 14:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ff4501dcfc5f1f6ab5c50195d053191d54290d2efc160def4de7af2b2c1f7039.exe
Size

115KB
MD5

3e124508b39b68317375be75c14e7ff8
SHA1

b885c4facabfd60e597857f45c97a3a4b47dcc29
SHA256

ff4501dcfc5f1f6ab5c50195d053191d54290d2efc160def4de7af2b2c1f7039
SHA512

81a35f10a3adfa1635c0957c69f9a0e6688e1e818144169696e018a0c0bc62b3196c3e5930216b0fc81cd68b0441261b5cb428054bad8a7b0e2b56a122e06670
SSDEEP

1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMDL0:P5eznsjsguGDFqGZ2rDL0

Score

10^/10

njrat neuf evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

neuf

doddyfire.linkpc.net:10000

Mutex

e1a87040f2026369a233f9ae76301b7b

Attributes

reg_key
e1a87040f2026369a233f9ae76301b7b
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

2736 netsh.exe
Executes dropped EXE 2 IoCs

Processes:

chargeable.exechargeable.exe

pid process

2136 chargeable.exe
2648 chargeable.exe

pid	process
2736	netsh.exe

pid	process
2136	chargeable.exe
2648	chargeable.exe

Loads dropped DLL 2 IoCs

Processes:

ff4501dcfc5f1f6ab5c50195d053191d54290d2efc160def4de7af2b2c1f7039.exe

pid	process
2936	ff4501dcfc5f1f6ab5c50195d053191d54290d2efc160def4de7af2b2c1f7039.exe
2936	ff4501dcfc5f1f6ab5c50195d053191d54290d2efc160def4de7af2b2c1f7039.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ff4501dcfc5f1f6ab5c50195d053191d54290d2efc160def4de7af2b2c1f7039.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe"	ff4501dcfc5f1f6ab5c50195d053191d54290d2efc160def4de7af2b2c1f7039.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ff4501dcfc5f1f6ab5c50195d053191d54290d2efc160def4de7af2b2c1f7039.exe"	ff4501dcfc5f1f6ab5c50195d053191d54290d2efc160def4de7af2b2c1f7039.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

chargeable.exe

description pid process target process

PID 2136 set thread context of 2648 2136 chargeable.exe chargeable.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 2136 set thread context of 2648	2136	chargeable.exe	chargeable.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

Processes:

chargeable.exe

description	pid	process
Token: SeDebugPrivilege	2648	chargeable.exe
Token: 33	2648	chargeable.exe
Token: SeIncBasePriorityPrivilege	2648	chargeable.exe
Token: 33	2648	chargeable.exe
Token: SeIncBasePriorityPrivilege	2648	chargeable.exe
Token: 33	2648	chargeable.exe
Token: SeIncBasePriorityPrivilege	2648	chargeable.exe
Token: 33	2648	chargeable.exe
Token: SeIncBasePriorityPrivilege	2648	chargeable.exe
Token: 33	2648	chargeable.exe
Token: SeIncBasePriorityPrivilege	2648	chargeable.exe
Token: 33	2648	chargeable.exe
Token: SeIncBasePriorityPrivilege	2648	chargeable.exe
Token: 33	2648	chargeable.exe
Token: SeIncBasePriorityPrivilege	2648	chargeable.exe
Token: 33	2648	chargeable.exe
Token: SeIncBasePriorityPrivilege	2648	chargeable.exe
Token: 33	2648	chargeable.exe
Token: SeIncBasePriorityPrivilege	2648	chargeable.exe
Token: 33	2648	chargeable.exe
Token: SeIncBasePriorityPrivilege	2648	chargeable.exe
Token: 33	2648	chargeable.exe
Token: SeIncBasePriorityPrivilege	2648	chargeable.exe
Token: 33	2648	chargeable.exe
Token: SeIncBasePriorityPrivilege	2648	chargeable.exe
Token: 33	2648	chargeable.exe
Token: SeIncBasePriorityPrivilege	2648	chargeable.exe
Token: 33	2648	chargeable.exe
Token: SeIncBasePriorityPrivilege	2648	chargeable.exe
Token: 33	2648	chargeable.exe
Token: SeIncBasePriorityPrivilege	2648	chargeable.exe
Token: 33	2648	chargeable.exe
Token: SeIncBasePriorityPrivilege	2648	chargeable.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

ff4501dcfc5f1f6ab5c50195d053191d54290d2efc160def4de7af2b2c1f7039.exechargeable.exechargeable.exe

description	pid	process	target process
PID 2936 wrote to memory of 2136	2936	ff4501dcfc5f1f6ab5c50195d053191d54290d2efc160def4de7af2b2c1f7039.exe	chargeable.exe
PID 2936 wrote to memory of 2136	2936	ff4501dcfc5f1f6ab5c50195d053191d54290d2efc160def4de7af2b2c1f7039.exe	chargeable.exe
PID 2936 wrote to memory of 2136	2936	ff4501dcfc5f1f6ab5c50195d053191d54290d2efc160def4de7af2b2c1f7039.exe	chargeable.exe
PID 2936 wrote to memory of 2136	2936	ff4501dcfc5f1f6ab5c50195d053191d54290d2efc160def4de7af2b2c1f7039.exe	chargeable.exe
PID 2136 wrote to memory of 2648	2136	chargeable.exe	chargeable.exe
PID 2136 wrote to memory of 2648	2136	chargeable.exe	chargeable.exe
PID 2136 wrote to memory of 2648	2136	chargeable.exe	chargeable.exe
PID 2136 wrote to memory of 2648	2136	chargeable.exe	chargeable.exe
PID 2136 wrote to memory of 2648	2136	chargeable.exe	chargeable.exe
PID 2136 wrote to memory of 2648	2136	chargeable.exe	chargeable.exe
PID 2136 wrote to memory of 2648	2136	chargeable.exe	chargeable.exe
PID 2136 wrote to memory of 2648	2136	chargeable.exe	chargeable.exe
PID 2136 wrote to memory of 2648	2136	chargeable.exe	chargeable.exe
PID 2648 wrote to memory of 2736	2648	chargeable.exe	netsh.exe
PID 2648 wrote to memory of 2736	2648	chargeable.exe	netsh.exe
PID 2648 wrote to memory of 2736	2648	chargeable.exe	netsh.exe
PID 2648 wrote to memory of 2736	2648	chargeable.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\ff4501dcfc5f1f6ab5c50195d053191d54290d2efc160def4de7af2b2c1f7039.exe
"C:\Users\Admin\AppData\Local\Temp\ff4501dcfc5f1f6ab5c50195d053191d54290d2efc160def4de7af2b2c1f7039.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2936

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
"C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2136

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2648

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
4⤵
- Modifies Windows Firewall
PID:2736

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\37C951188967C8EB88D99893D9D191FE
Filesize
1KB

MD5
cba2426f2aafe31899569ace05e89796

SHA1
3bfb16faefd762b18f033cb2de6ceb77db9d2390

SHA256
a465febe8a024e3cdb548a3731b2ea60c7b2919e941a24b9a42890b2b039b85a

SHA512
395cce81a7966f02c49129586815b833c8acfe6efbb8795e56548f32819270c654074622b7fa880121ce7fbd29725af6f69f89b8c7e02c64d1bbffbfe0620c68

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C0018BB1B5834735BFA60CD063B31956
Filesize
1KB

MD5
0376ba21bc7c1d09e61b206c11bbc92c

SHA1
443fee1cb47f3497f1e8042a94c5da8655aa7cd7

SHA256
1e377d5df77b88b5dd8cde349ceb5c939eaddb2af2676ec91346f9ef7e24a0ab

SHA512
f68db4ce81924b2531b3467a23e02b2913086b6293d0d5a81fe9dbee941504502ea590d4667e3e758f3b4986384200700cb919bc7a5b75a29080e66b29aa9e23

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FE
Filesize
264B

MD5
ad9178ee2e4e9a42e3f7e2f9f1cf38e4

SHA1
53b15435cf91af0aaacd171917f180135fb4edf4

SHA256
3583016a676fab998b13d4230aa7fcc18f4787142efcbb19f932359c84dfebf4

SHA512
2740c3ce1f38c83e441673344ab1b5526c6fd48bfa50cf38472dbd60e7b79ca94c70835641c620d63be39b147e85f4b12f74d834f79b2653d1c21e47d3b903f6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
381287811bd84caae96847f60cc88358

SHA1
0482aad619206c8c43d75da4ba78ea23fae63699

SHA256
998a4945ad5c94d33dc6481947f94e621efe2e3f45221231ad367077172f2076

SHA512
b0e8e26086d895fdde24923c24144428d5052c5514b1042830fa90266d12e8bf9fd96b0067a31e83d03b514907e62f4e08b07d26d0a535273d25b2e58e1f7f72

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
9606b1771b113ef7b813016fe0d01956

SHA1
0189f8967a149f60e19ec8cdae356d80aee76e35

SHA256
d21e6a12fc7b6e21b1117281a270e6d2608b12b890aaa613b79fdb53374fa7ab

SHA512
190d725cb39d1e931faa4fda74b47c9194eb5c775ed084b8c7744cfa7dc3ef9e1f59a9aac589aa221f20eae00291f228036549ed2e0b59c31f25bd7fb499b523

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
7c15b12ea963efee7830c1aa4c964aba

SHA1
e0514064cc4595faff0588ac981f3a7dd026fda8

SHA256
d91a52a0b82d7d76381428877e15cfb38888e46d7ca8013493b7529d3a516be3

SHA512
ebda8364c2906972f7b3ef9fed4f8e4f56adae73f0bd684ad57575f7651046546693bebc3a6761447cdc69df71a2db5fdd8bb59273ee71ecd9180104509677a9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C0018BB1B5834735BFA60CD063B31956
Filesize
252B

MD5
bcb0efc8531390664f6421a5dacbc625

SHA1
1de9a0f8310938cacfa2ab56b5243c4aed5bf49e

SHA256
39f5bcffdd0bbf05c09cee13192a017a9e0e3ca0b0984572f76831179e43f233

SHA512
4f4e3f5b4b2a270d9576d0e109aeb346d94924126581e7382656e5c52ebb5de2adc06c490bb7871aa2ac89a82c8c3b86791331ab4ca501d97b1215a4d854b132

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab14BB.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar14CD.tmp
Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar17D4.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
Filesize
115KB

MD5
80bf2a47e4b69c3663e423465c87d016

SHA1
d14a7062506fa603de7b3020e485447b9a7a10d7

SHA256
ec417422a5d304d32a11e2c96708f9afce1ab4bef1cecc4b2309aae7198cb15c

SHA512
eb9bf92aacafe10b9f0a22ec50a040b0db249f3007f144b47e3f851e4f0d8daaf8bd5988f67e470cbc2313e1a8b9c46fde182bd0178c860b9aa9217a86644bb4

Download Submit
memory/2648-366-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2648-369-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2648-368-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2936-214-0x0000000074400000-0x00000000749AB000-memory.dmp

Filesize
5.7MB

Download
memory/2936-0-0x0000000074401000-0x0000000074402000-memory.dmp

Filesize
4KB

Download
memory/2936-2-0x0000000074400000-0x00000000749AB000-memory.dmp

Filesize
5.7MB

Download
memory/2936-1-0x0000000074400000-0x00000000749AB000-memory.dmp

Filesize
5.7MB

Download