njrat | 585467925aa6904de560c6a7f14d1aaff4f4597d4224daa2072b9abdbdd418db

Analysis

max time kernel
147s
max time network
138s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 21:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

585467925aa6904de560c6a7f14d1aaff4f4597d4224daa2072b9abdbdd418db.exe
Size

114KB
MD5

4761e6f3d54c1e51e2603a9d2d18ea4f
SHA1

534b9a87230fba1c8ca84b306dd4f61725fd8d78
SHA256

585467925aa6904de560c6a7f14d1aaff4f4597d4224daa2072b9abdbdd418db
SHA512

452a7c4db915a0c80bc98339f192bda361973ea0cb9ee3ae2ee7cf3872efbb73c1c3f17b8be09aab3b23f7421b41d663c9b6529185e20b23a28bb04c239983d5
SSDEEP

1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMiat6e:P5eznsjsguGDFqGZ2rie

Score

10^/10

njrat neuf evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

neuf

doddyfire.linkpc.net:10000

Mutex

e1a87040f2026369a233f9ae76301b7b

Attributes

reg_key
e1a87040f2026369a233f9ae76301b7b
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

2632 netsh.exe
Executes dropped EXE 2 IoCs

Processes:

chargeable.exechargeable.exe

pid process

2836 chargeable.exe
3012 chargeable.exe

pid	process
2632	netsh.exe

pid	process
2836	chargeable.exe
3012	chargeable.exe

Loads dropped DLL 2 IoCs

Processes:

585467925aa6904de560c6a7f14d1aaff4f4597d4224daa2072b9abdbdd418db.exe

pid	process
3060	585467925aa6904de560c6a7f14d1aaff4f4597d4224daa2072b9abdbdd418db.exe
3060	585467925aa6904de560c6a7f14d1aaff4f4597d4224daa2072b9abdbdd418db.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

585467925aa6904de560c6a7f14d1aaff4f4597d4224daa2072b9abdbdd418db.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe"	585467925aa6904de560c6a7f14d1aaff4f4597d4224daa2072b9abdbdd418db.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\585467925aa6904de560c6a7f14d1aaff4f4597d4224daa2072b9abdbdd418db.exe"	585467925aa6904de560c6a7f14d1aaff4f4597d4224daa2072b9abdbdd418db.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

chargeable.exe

description pid process target process

PID 2836 set thread context of 3012 2836 chargeable.exe chargeable.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 2836 set thread context of 3012	2836	chargeable.exe	chargeable.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

Processes:

chargeable.exe

description	pid	process
Token: SeDebugPrivilege	3012	chargeable.exe
Token: 33	3012	chargeable.exe
Token: SeIncBasePriorityPrivilege	3012	chargeable.exe
Token: 33	3012	chargeable.exe
Token: SeIncBasePriorityPrivilege	3012	chargeable.exe
Token: 33	3012	chargeable.exe
Token: SeIncBasePriorityPrivilege	3012	chargeable.exe
Token: 33	3012	chargeable.exe
Token: SeIncBasePriorityPrivilege	3012	chargeable.exe
Token: 33	3012	chargeable.exe
Token: SeIncBasePriorityPrivilege	3012	chargeable.exe
Token: 33	3012	chargeable.exe
Token: SeIncBasePriorityPrivilege	3012	chargeable.exe
Token: 33	3012	chargeable.exe
Token: SeIncBasePriorityPrivilege	3012	chargeable.exe
Token: 33	3012	chargeable.exe
Token: SeIncBasePriorityPrivilege	3012	chargeable.exe
Token: 33	3012	chargeable.exe
Token: SeIncBasePriorityPrivilege	3012	chargeable.exe
Token: 33	3012	chargeable.exe
Token: SeIncBasePriorityPrivilege	3012	chargeable.exe
Token: 33	3012	chargeable.exe
Token: SeIncBasePriorityPrivilege	3012	chargeable.exe
Token: 33	3012	chargeable.exe
Token: SeIncBasePriorityPrivilege	3012	chargeable.exe
Token: 33	3012	chargeable.exe
Token: SeIncBasePriorityPrivilege	3012	chargeable.exe
Token: 33	3012	chargeable.exe
Token: SeIncBasePriorityPrivilege	3012	chargeable.exe
Token: 33	3012	chargeable.exe
Token: SeIncBasePriorityPrivilege	3012	chargeable.exe
Token: 33	3012	chargeable.exe
Token: SeIncBasePriorityPrivilege	3012	chargeable.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

585467925aa6904de560c6a7f14d1aaff4f4597d4224daa2072b9abdbdd418db.exechargeable.exechargeable.exe

description	pid	process	target process
PID 3060 wrote to memory of 2836	3060	585467925aa6904de560c6a7f14d1aaff4f4597d4224daa2072b9abdbdd418db.exe	chargeable.exe
PID 3060 wrote to memory of 2836	3060	585467925aa6904de560c6a7f14d1aaff4f4597d4224daa2072b9abdbdd418db.exe	chargeable.exe
PID 3060 wrote to memory of 2836	3060	585467925aa6904de560c6a7f14d1aaff4f4597d4224daa2072b9abdbdd418db.exe	chargeable.exe
PID 3060 wrote to memory of 2836	3060	585467925aa6904de560c6a7f14d1aaff4f4597d4224daa2072b9abdbdd418db.exe	chargeable.exe
PID 2836 wrote to memory of 3012	2836	chargeable.exe	chargeable.exe
PID 2836 wrote to memory of 3012	2836	chargeable.exe	chargeable.exe
PID 2836 wrote to memory of 3012	2836	chargeable.exe	chargeable.exe
PID 2836 wrote to memory of 3012	2836	chargeable.exe	chargeable.exe
PID 2836 wrote to memory of 3012	2836	chargeable.exe	chargeable.exe
PID 2836 wrote to memory of 3012	2836	chargeable.exe	chargeable.exe
PID 2836 wrote to memory of 3012	2836	chargeable.exe	chargeable.exe
PID 2836 wrote to memory of 3012	2836	chargeable.exe	chargeable.exe
PID 2836 wrote to memory of 3012	2836	chargeable.exe	chargeable.exe
PID 3012 wrote to memory of 2632	3012	chargeable.exe	netsh.exe
PID 3012 wrote to memory of 2632	3012	chargeable.exe	netsh.exe
PID 3012 wrote to memory of 2632	3012	chargeable.exe	netsh.exe
PID 3012 wrote to memory of 2632	3012	chargeable.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\585467925aa6904de560c6a7f14d1aaff4f4597d4224daa2072b9abdbdd418db.exe
"C:\Users\Admin\AppData\Local\Temp\585467925aa6904de560c6a7f14d1aaff4f4597d4224daa2072b9abdbdd418db.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3060

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
"C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2836

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3012

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
4⤵
- Modifies Windows Firewall
PID:2632

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\37C951188967C8EB88D99893D9D191FE
Filesize
1KB

MD5
cba2426f2aafe31899569ace05e89796

SHA1
3bfb16faefd762b18f033cb2de6ceb77db9d2390

SHA256
a465febe8a024e3cdb548a3731b2ea60c7b2919e941a24b9a42890b2b039b85a

SHA512
395cce81a7966f02c49129586815b833c8acfe6efbb8795e56548f32819270c654074622b7fa880121ce7fbd29725af6f69f89b8c7e02c64d1bbffbfe0620c68

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C0018BB1B5834735BFA60CD063B31956
Filesize
1KB

MD5
0376ba21bc7c1d09e61b206c11bbc92c

SHA1
443fee1cb47f3497f1e8042a94c5da8655aa7cd7

SHA256
1e377d5df77b88b5dd8cde349ceb5c939eaddb2af2676ec91346f9ef7e24a0ab

SHA512
f68db4ce81924b2531b3467a23e02b2913086b6293d0d5a81fe9dbee941504502ea590d4667e3e758f3b4986384200700cb919bc7a5b75a29080e66b29aa9e23

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FE
Filesize
264B

MD5
bdabfe548e40baf34403ecb3658bee63

SHA1
a89fbc0e7e021229ee7daa73e5495e3799012652

SHA256
a5bde5786ace7b26ed48e2c41206b43e82ec1745babfb163d8868ab401ea714e

SHA512
88357f71badc3bc494308004b8f8003f89c61cc8b7c19a2a474a8ca43026a5bceb668839c1517f46e37b9431e687894665c42043bdeac64c62e326b8f5bddc89

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
14e76ea0d2f75800732960dacb7c52ef

SHA1
018400c7a5041daf8a016664446d6ca0536b2125

SHA256
1def6c60bcb4acf17137cb3fbb10602fccd0b2e8105d4a32f73e97f065c43d22

SHA512
8383257b68d3dd8bad7efac21a32b74c827fdb3a1edda192ca3b18ddb46f50efaa9af5595a8f2068cb39fba1959473e29176a5d700aa57369035516c31ba53a9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
354866e32b39d0d731b1df2e3717fd5b

SHA1
db603a0bff0aeec56b6e0a896b9f1c1b38d5db49

SHA256
80c76cec917d3e44bb21d9a8553618630acb7196cfdfd4b47b08fccd8b7f07c9

SHA512
cd45cf2a11950f656912bb559c429dfe700d9d4faec9c20d50eeb853d84a53de3f724db9b4ad3e14f34f250373cc0aa0a19f032818ce92bf4167340002979ad6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
8a632e6c4ee254bb87cd9141c6441083

SHA1
3dbd7f1837b61429664eb2dc82cef667d0da78f5

SHA256
3f566e815383bbd50dd856a76a28f4ca397d2a35a5bff709dff0d752a13114f1

SHA512
cee3203db01b3cd74fcb3cc0afe3b667f7bf2e1828faf6e478aa0cdbd3e06c46282abca0ff0b79fa859ed15420c0e41b2fd69d0a0ee3167b1b62bfeb6b962614

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C0018BB1B5834735BFA60CD063B31956
Filesize
252B

MD5
94375775dc3e74c6eb22486fe0ff6d72

SHA1
8e693114f757d83a4f0ed4d22123bc5694435315

SHA256
62a700a3146a1dc84f9a1d299460022a9c71bd6d71a00e41afef3018b0c1b38c

SHA512
064f2ffde1c47ec4a10dc9ee69a1f54a51378046a91d75ad949eeb3eb7235d059add0744fe0457454efd7a8cd4e61f04753128f4bcf2ffbbbef9e6236416a483

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
242B

MD5
8fd0efcb2c6dc4efa82254919b8ee567

SHA1
d4780cd13a3e6ccdfa2cf82748f238c0a66ce7f5

SHA256
e39eebef6cd636cc622af4973e705f5dee715cb6462cbdb17da113236eb32a96

SHA512
78e4156797457123f661418c8903efba41fbdf8b042f6fddf0fed016b3aa1e7ceb919fb2b74bd87b275748eb8e8e1a2bb90b77f2dec7a39aa2888a6097ca3eee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1EDB.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
\Users\Admin\AppData\Roaming\confuse\chargeable.exe
Filesize
114KB

MD5
3505d371c71a83cf4c17f160fe4d6dae

SHA1
eb35753983d3c89ecdb0f01f9cc96da5a2dd3b08

SHA256
f42fcbbea8c76c78b7e296292c3f1b347d83b2cb7ce36cc479987d79500ac3b6

SHA512
c9da423c1a5b3fe194c2fca10f15a2f6a984d5b4388bacd8cfc29641cdf861aad9f955a4d73f27a1ee8b0b4f060eae96d185b8ffd696cc5bae2b6a9ff2453b2c

Download Submit
memory/3012-362-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3012-365-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3012-364-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3060-191-0x0000000074AC0000-0x000000007506B000-memory.dmp

Filesize
5.7MB

Download
memory/3060-0-0x0000000074AC1000-0x0000000074AC2000-memory.dmp

Filesize
4KB

Download
memory/3060-1-0x0000000074AC0000-0x000000007506B000-memory.dmp

Filesize
5.7MB

Download