njrat | b5b6e5d9344d39b6ecb14d6d3076d8afdf66cafbae960a0d375f6fd19fa6d376

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 01:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b5b6e5d9344d39b6ecb14d6d3076d8afdf66cafbae960a0d375f6fd19fa6d376.exe
Size

114KB
MD5

4edd985941bb709aba126d47f208da70
SHA1

402b5012a81fde9c79b108e436a3c8775c32c3c9
SHA256

b5b6e5d9344d39b6ecb14d6d3076d8afdf66cafbae960a0d375f6fd19fa6d376
SHA512

71f1508d54e2a547ecd6989e1017294f5f9459354089573e45b4e33d91875da220e629299de99ff5b418e33daee97d460b6be93a58a4662c5a284bab9811c01d
SSDEEP

1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMDF:P5eznsjsguGDFqGZ2rDF

Score

10^/10

njrat neuf evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

neuf

doddyfire.linkpc.net:10000

Mutex

e1a87040f2026369a233f9ae76301b7b

Attributes

reg_key
e1a87040f2026369a233f9ae76301b7b
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

2404 netsh.exe
Executes dropped EXE 2 IoCs

Processes:

chargeable.exechargeable.exe

pid process

2476 chargeable.exe
2748 chargeable.exe

pid	process
2404	netsh.exe

pid	process
2476	chargeable.exe
2748	chargeable.exe

Loads dropped DLL 2 IoCs

Processes:

b5b6e5d9344d39b6ecb14d6d3076d8afdf66cafbae960a0d375f6fd19fa6d376.exe

pid	process
2456	b5b6e5d9344d39b6ecb14d6d3076d8afdf66cafbae960a0d375f6fd19fa6d376.exe
2456	b5b6e5d9344d39b6ecb14d6d3076d8afdf66cafbae960a0d375f6fd19fa6d376.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

b5b6e5d9344d39b6ecb14d6d3076d8afdf66cafbae960a0d375f6fd19fa6d376.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe"	b5b6e5d9344d39b6ecb14d6d3076d8afdf66cafbae960a0d375f6fd19fa6d376.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\b5b6e5d9344d39b6ecb14d6d3076d8afdf66cafbae960a0d375f6fd19fa6d376.exe"	b5b6e5d9344d39b6ecb14d6d3076d8afdf66cafbae960a0d375f6fd19fa6d376.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

chargeable.exe

description pid process target process

PID 2476 set thread context of 2748 2476 chargeable.exe chargeable.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 2476 set thread context of 2748	2476	chargeable.exe	chargeable.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

Processes:

chargeable.exe

description	pid	process
Token: SeDebugPrivilege	2748	chargeable.exe
Token: 33	2748	chargeable.exe
Token: SeIncBasePriorityPrivilege	2748	chargeable.exe
Token: 33	2748	chargeable.exe
Token: SeIncBasePriorityPrivilege	2748	chargeable.exe
Token: 33	2748	chargeable.exe
Token: SeIncBasePriorityPrivilege	2748	chargeable.exe
Token: 33	2748	chargeable.exe
Token: SeIncBasePriorityPrivilege	2748	chargeable.exe
Token: 33	2748	chargeable.exe
Token: SeIncBasePriorityPrivilege	2748	chargeable.exe
Token: 33	2748	chargeable.exe
Token: SeIncBasePriorityPrivilege	2748	chargeable.exe
Token: 33	2748	chargeable.exe
Token: SeIncBasePriorityPrivilege	2748	chargeable.exe
Token: 33	2748	chargeable.exe
Token: SeIncBasePriorityPrivilege	2748	chargeable.exe
Token: 33	2748	chargeable.exe
Token: SeIncBasePriorityPrivilege	2748	chargeable.exe
Token: 33	2748	chargeable.exe
Token: SeIncBasePriorityPrivilege	2748	chargeable.exe
Token: 33	2748	chargeable.exe
Token: SeIncBasePriorityPrivilege	2748	chargeable.exe
Token: 33	2748	chargeable.exe
Token: SeIncBasePriorityPrivilege	2748	chargeable.exe
Token: 33	2748	chargeable.exe
Token: SeIncBasePriorityPrivilege	2748	chargeable.exe
Token: 33	2748	chargeable.exe
Token: SeIncBasePriorityPrivilege	2748	chargeable.exe
Token: 33	2748	chargeable.exe
Token: SeIncBasePriorityPrivilege	2748	chargeable.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

b5b6e5d9344d39b6ecb14d6d3076d8afdf66cafbae960a0d375f6fd19fa6d376.exechargeable.exechargeable.exe

description	pid	process	target process
PID 2456 wrote to memory of 2476	2456	b5b6e5d9344d39b6ecb14d6d3076d8afdf66cafbae960a0d375f6fd19fa6d376.exe	chargeable.exe
PID 2456 wrote to memory of 2476	2456	b5b6e5d9344d39b6ecb14d6d3076d8afdf66cafbae960a0d375f6fd19fa6d376.exe	chargeable.exe
PID 2456 wrote to memory of 2476	2456	b5b6e5d9344d39b6ecb14d6d3076d8afdf66cafbae960a0d375f6fd19fa6d376.exe	chargeable.exe
PID 2456 wrote to memory of 2476	2456	b5b6e5d9344d39b6ecb14d6d3076d8afdf66cafbae960a0d375f6fd19fa6d376.exe	chargeable.exe
PID 2476 wrote to memory of 2748	2476	chargeable.exe	chargeable.exe
PID 2476 wrote to memory of 2748	2476	chargeable.exe	chargeable.exe
PID 2476 wrote to memory of 2748	2476	chargeable.exe	chargeable.exe
PID 2476 wrote to memory of 2748	2476	chargeable.exe	chargeable.exe
PID 2476 wrote to memory of 2748	2476	chargeable.exe	chargeable.exe
PID 2476 wrote to memory of 2748	2476	chargeable.exe	chargeable.exe
PID 2476 wrote to memory of 2748	2476	chargeable.exe	chargeable.exe
PID 2476 wrote to memory of 2748	2476	chargeable.exe	chargeable.exe
PID 2476 wrote to memory of 2748	2476	chargeable.exe	chargeable.exe
PID 2748 wrote to memory of 2404	2748	chargeable.exe	netsh.exe
PID 2748 wrote to memory of 2404	2748	chargeable.exe	netsh.exe
PID 2748 wrote to memory of 2404	2748	chargeable.exe	netsh.exe
PID 2748 wrote to memory of 2404	2748	chargeable.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\b5b6e5d9344d39b6ecb14d6d3076d8afdf66cafbae960a0d375f6fd19fa6d376.exe
"C:\Users\Admin\AppData\Local\Temp\b5b6e5d9344d39b6ecb14d6d3076d8afdf66cafbae960a0d375f6fd19fa6d376.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2456

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
"C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2476

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2748

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
4⤵
- Modifies Windows Firewall
PID:2404

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\37C951188967C8EB88D99893D9D191FE
Filesize
1KB

MD5
cba2426f2aafe31899569ace05e89796

SHA1
3bfb16faefd762b18f033cb2de6ceb77db9d2390

SHA256
a465febe8a024e3cdb548a3731b2ea60c7b2919e941a24b9a42890b2b039b85a

SHA512
395cce81a7966f02c49129586815b833c8acfe6efbb8795e56548f32819270c654074622b7fa880121ce7fbd29725af6f69f89b8c7e02c64d1bbffbfe0620c68

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C0018BB1B5834735BFA60CD063B31956
Filesize
1KB

MD5
0376ba21bc7c1d09e61b206c11bbc92c

SHA1
443fee1cb47f3497f1e8042a94c5da8655aa7cd7

SHA256
1e377d5df77b88b5dd8cde349ceb5c939eaddb2af2676ec91346f9ef7e24a0ab

SHA512
f68db4ce81924b2531b3467a23e02b2913086b6293d0d5a81fe9dbee941504502ea590d4667e3e758f3b4986384200700cb919bc7a5b75a29080e66b29aa9e23

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FE
Filesize
264B

MD5
2de8fb425b947fa27d2afeccbafc39b0

SHA1
039b182078147c6bde0a1cbed41e4d91786cd072

SHA256
5cea1385dee720a2c1fe5faab43a81aa1e801f2fd0e8d8d7e5731846a67cb0a5

SHA512
0601ef9f6afde666563ece54de6416d56d506a821ceefbd3e5756c61b66d56db1d1c09fbafd245c283324283595c4d5e6eb57979ede18eafc6711fd89e82b497

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
89fea15463647af38cb1eca2fcc76f56

SHA1
2bf012ba0acd4caca56b8e5db1b52761345b8f69

SHA256
4a3b61ff9bad384566ca11e9c5b496f97182fc231940eacaba9d1ebb9ed2570b

SHA512
7153cade205ccb03b1030aa96649ff0c9ee58ff304320cae0efcce2352d174e67562667f166244bdf6ae26e7dc4c8dbfa956831f32e0c535e44f094c1c255868

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
bc5ced4de52721c99818ef1ae29afb20

SHA1
665803c712df88346eda32232c58cc5fe6a8da80

SHA256
3869fe722ed9993269cbb397eb6ea6f01c2bc2ee047f849b87eed28cc48d9028

SHA512
ea8118a8a8999e068ac4d5abdeb26f5cccb2c4aec909df3c92e307d010819baf444226dcce1a5f066a92e2358a874265cc264322549db1c958832d8b785b15dc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
0dcbea13d7961e8d067fd4c2ab9cf87b

SHA1
48ee884975b38c7377f245187e5ca84c7bdc17c1

SHA256
e653cb7132e87dce979281ee56ac5984186b0b510b04d8ee34799b96e6cdab0a

SHA512
13713e72f6f27d68a3dc2c61d44d77ebc2fff5395dd581365352ff22d15a7947723069153a975800f695b85c3745c94635a6fc19a42a3b464d21a334644cd98d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C0018BB1B5834735BFA60CD063B31956
Filesize
252B

MD5
48bd49cd7abebb89ca140a601d65d15b

SHA1
a89c0862d6fbff2d257a1cf53c3e60b4305c3ba7

SHA256
12e6c83c278c8ea7b8e263a6ff6fac736e88b8482807e0ba0ec6a6252fdeb042

SHA512
8a34fc3eae4de89b35826c7d9ace2a0e091b7c673077023428c4fa42fcc8a1b23e679bfa6c6640a70629998a306dc0e2e6c483889756040bc393f03672c0a56e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9262.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9284.tmp
Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9B07.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
\Users\Admin\AppData\Roaming\confuse\chargeable.exe
Filesize
114KB

MD5
64c86e3a75e3b6bfdc47b8b31ea96ad9

SHA1
ec0e4ad32f28f33897652c1518c5be9b9219a68a

SHA256
d3e1a1667049b74bbebccd18cc9d3dc9f42e1aa184e8b79a41df4645e6038a4d

SHA512
c0090efa3a55039ac4256a9556a375383032455e4b635972ddc6bb9cd5e018f1376b9fa2a4dbd8452e126a150011fe56d56ef6a687732f71462f8ea2b0751d53

Download Submit
memory/2456-197-0x0000000074C60000-0x000000007520B000-memory.dmp

Filesize
5.7MB

Download
memory/2456-0-0x0000000074C61000-0x0000000074C62000-memory.dmp

Filesize
4KB

Download
memory/2456-3-0x0000000074C60000-0x000000007520B000-memory.dmp

Filesize
5.7MB

Download
memory/2456-1-0x0000000074C60000-0x000000007520B000-memory.dmp

Filesize
5.7MB

Download
memory/2748-366-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2748-368-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2748-369-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download