njrat | fd3afc88f051b6a3bcb022788fa52b820cf112bd806448b8818659bf2d527df6

Analysis

max time kernel
147s
max time network
147s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 05:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fd3afc88f051b6a3bcb022788fa52b820cf112bd806448b8818659bf2d527df6.exe
Size

115KB
MD5

24afb670bfc40042810d583d94576877
SHA1

cccb6c6ef2c56d0d3eb22278a337900b410bdceb
SHA256

fd3afc88f051b6a3bcb022788fa52b820cf112bd806448b8818659bf2d527df6
SHA512

f68b51b700b68ee4a8084e9d6c6ad8c1bf1c506854bd79f258d4641afb2fcae758b6712f14946718af3ab2f2d929fbec31fd8fdd637c9341e1bb3869e54ce5d4
SSDEEP

1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMDIIn:P5eznsjsguGDFqGZ2rDII

Score

10^/10

njrat neuf evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

neuf

doddyfire.linkpc.net:10000

Mutex

e1a87040f2026369a233f9ae76301b7b

Attributes

reg_key
e1a87040f2026369a233f9ae76301b7b
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

2260 netsh.exe
Executes dropped EXE 2 IoCs

Processes:

chargeable.exechargeable.exe

pid process

2072 chargeable.exe
2648 chargeable.exe

pid	process
2260	netsh.exe

pid	process
2072	chargeable.exe
2648	chargeable.exe

Loads dropped DLL 2 IoCs

Processes:

fd3afc88f051b6a3bcb022788fa52b820cf112bd806448b8818659bf2d527df6.exe

pid	process
2340	fd3afc88f051b6a3bcb022788fa52b820cf112bd806448b8818659bf2d527df6.exe
2340	fd3afc88f051b6a3bcb022788fa52b820cf112bd806448b8818659bf2d527df6.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

fd3afc88f051b6a3bcb022788fa52b820cf112bd806448b8818659bf2d527df6.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe"	fd3afc88f051b6a3bcb022788fa52b820cf112bd806448b8818659bf2d527df6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fd3afc88f051b6a3bcb022788fa52b820cf112bd806448b8818659bf2d527df6.exe"	fd3afc88f051b6a3bcb022788fa52b820cf112bd806448b8818659bf2d527df6.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

chargeable.exe

description pid process target process

PID 2072 set thread context of 2648 2072 chargeable.exe chargeable.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 2072 set thread context of 2648	2072	chargeable.exe	chargeable.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

Processes:

chargeable.exe

description	pid	process
Token: SeDebugPrivilege	2648	chargeable.exe
Token: 33	2648	chargeable.exe
Token: SeIncBasePriorityPrivilege	2648	chargeable.exe
Token: 33	2648	chargeable.exe
Token: SeIncBasePriorityPrivilege	2648	chargeable.exe
Token: 33	2648	chargeable.exe
Token: SeIncBasePriorityPrivilege	2648	chargeable.exe
Token: 33	2648	chargeable.exe
Token: SeIncBasePriorityPrivilege	2648	chargeable.exe
Token: 33	2648	chargeable.exe
Token: SeIncBasePriorityPrivilege	2648	chargeable.exe
Token: 33	2648	chargeable.exe
Token: SeIncBasePriorityPrivilege	2648	chargeable.exe
Token: 33	2648	chargeable.exe
Token: SeIncBasePriorityPrivilege	2648	chargeable.exe
Token: 33	2648	chargeable.exe
Token: SeIncBasePriorityPrivilege	2648	chargeable.exe
Token: 33	2648	chargeable.exe
Token: SeIncBasePriorityPrivilege	2648	chargeable.exe
Token: 33	2648	chargeable.exe
Token: SeIncBasePriorityPrivilege	2648	chargeable.exe
Token: 33	2648	chargeable.exe
Token: SeIncBasePriorityPrivilege	2648	chargeable.exe
Token: 33	2648	chargeable.exe
Token: SeIncBasePriorityPrivilege	2648	chargeable.exe
Token: 33	2648	chargeable.exe
Token: SeIncBasePriorityPrivilege	2648	chargeable.exe
Token: 33	2648	chargeable.exe
Token: SeIncBasePriorityPrivilege	2648	chargeable.exe
Token: 33	2648	chargeable.exe
Token: SeIncBasePriorityPrivilege	2648	chargeable.exe
Token: 33	2648	chargeable.exe
Token: SeIncBasePriorityPrivilege	2648	chargeable.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

fd3afc88f051b6a3bcb022788fa52b820cf112bd806448b8818659bf2d527df6.exechargeable.exechargeable.exe

description	pid	process	target process
PID 2340 wrote to memory of 2072	2340	fd3afc88f051b6a3bcb022788fa52b820cf112bd806448b8818659bf2d527df6.exe	chargeable.exe
PID 2340 wrote to memory of 2072	2340	fd3afc88f051b6a3bcb022788fa52b820cf112bd806448b8818659bf2d527df6.exe	chargeable.exe
PID 2340 wrote to memory of 2072	2340	fd3afc88f051b6a3bcb022788fa52b820cf112bd806448b8818659bf2d527df6.exe	chargeable.exe
PID 2340 wrote to memory of 2072	2340	fd3afc88f051b6a3bcb022788fa52b820cf112bd806448b8818659bf2d527df6.exe	chargeable.exe
PID 2072 wrote to memory of 2648	2072	chargeable.exe	chargeable.exe
PID 2072 wrote to memory of 2648	2072	chargeable.exe	chargeable.exe
PID 2072 wrote to memory of 2648	2072	chargeable.exe	chargeable.exe
PID 2072 wrote to memory of 2648	2072	chargeable.exe	chargeable.exe
PID 2072 wrote to memory of 2648	2072	chargeable.exe	chargeable.exe
PID 2072 wrote to memory of 2648	2072	chargeable.exe	chargeable.exe
PID 2072 wrote to memory of 2648	2072	chargeable.exe	chargeable.exe
PID 2072 wrote to memory of 2648	2072	chargeable.exe	chargeable.exe
PID 2072 wrote to memory of 2648	2072	chargeable.exe	chargeable.exe
PID 2648 wrote to memory of 2260	2648	chargeable.exe	netsh.exe
PID 2648 wrote to memory of 2260	2648	chargeable.exe	netsh.exe
PID 2648 wrote to memory of 2260	2648	chargeable.exe	netsh.exe
PID 2648 wrote to memory of 2260	2648	chargeable.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\fd3afc88f051b6a3bcb022788fa52b820cf112bd806448b8818659bf2d527df6.exe
"C:\Users\Admin\AppData\Local\Temp\fd3afc88f051b6a3bcb022788fa52b820cf112bd806448b8818659bf2d527df6.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2340

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
"C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2072

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2648

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
4⤵
- Modifies Windows Firewall
PID:2260

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\37C951188967C8EB88D99893D9D191FE
Filesize
1KB

MD5
cba2426f2aafe31899569ace05e89796

SHA1
3bfb16faefd762b18f033cb2de6ceb77db9d2390

SHA256
a465febe8a024e3cdb548a3731b2ea60c7b2919e941a24b9a42890b2b039b85a

SHA512
395cce81a7966f02c49129586815b833c8acfe6efbb8795e56548f32819270c654074622b7fa880121ce7fbd29725af6f69f89b8c7e02c64d1bbffbfe0620c68

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C0018BB1B5834735BFA60CD063B31956
Filesize
1KB

MD5
0376ba21bc7c1d09e61b206c11bbc92c

SHA1
443fee1cb47f3497f1e8042a94c5da8655aa7cd7

SHA256
1e377d5df77b88b5dd8cde349ceb5c939eaddb2af2676ec91346f9ef7e24a0ab

SHA512
f68db4ce81924b2531b3467a23e02b2913086b6293d0d5a81fe9dbee941504502ea590d4667e3e758f3b4986384200700cb919bc7a5b75a29080e66b29aa9e23

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FE
Filesize
264B

MD5
e8dfae196a6ba8cabc5a0c503cbd1397

SHA1
8d4082c6adddf98c13ecbe4f344e6cc9df995b24

SHA256
e068fdd9a442c986aa3c7374793f16f2287b1a4758cbf3a5b39b20683c7d9913

SHA512
9d509e6d20ee1fe0aea4aee2bc8ff43fe346a463bfb9c80a43a55a3291e52f4a7c1e6c1157a8a9101d17587a4dc10c3354aec312ed16249bfd324de10bb7930e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
856f6ed1d8a30672a7a5f035c9d7747d

SHA1
0c7700aef30f53a0d5550e474f40debe9435f9da

SHA256
8fb7351a8c9df00b3b8f286d949781810b822def10e583456a79fd0c2229e0ae

SHA512
e26d8d2ae3cde6affdd59c7d4c7e3bc12fbf1364e84116465428a6ec8e9709c58d8a0670db1760edf7cd6c0b94258db12f3957363cea1dba1ffead31c6ef7ea8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
83cc71690361cfd2fc058b31db703594

SHA1
958c6a0d57a0c183c5b0af71d3d32ca3aa21f8fb

SHA256
30c0e45410efdf20ff4a019dad9c46761c809a862c0b7fa3287373c4d18e57bd

SHA512
811fabd6e10ece35521d224e7ce1af048d436f57d88b4131f6ff37360a0cd9c0069ee99f36a5a0bc4b40c7e8b391c1e158930f39a0385e0a0b79760aacbf6a92

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
1920bc491f6693a89db6b17bcc6e5105

SHA1
86f9692b6b66897dba1b3a4a737ad48d822eca37

SHA256
6eb8bbc022f02ffe50a635d8d553af4b6c885e3b826a168b5489efbed05ab27b

SHA512
bfe604deb5994e82a711843bcfa37a48a5c15551023930b5f5ccfac6bd2c8a6a6b2bd4534ce9f70257a3d62dbfd0b648cbb9d76ea422061263487dd351604d99

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C0018BB1B5834735BFA60CD063B31956
Filesize
252B

MD5
058aa1c202b6e92c3f8500b3945b9855

SHA1
d67b601105489f8ac54444898f9143573b5dd9c1

SHA256
4f66b910cccd1a3cfa82c38b8734f44c8d056b2a3a11ab2307d177bae2cf777c

SHA512
c5111580124ba6e3cadc11193a754c3619f9eebb135a5286365b9e9dc001ab3cecb875fe002db3988d11f67dd356304d7dee803c779284a857c4655fb8f082d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
242B

MD5
0dc53ce99d8712a5523b80b6d5c2dd37

SHA1
bf2761b5408ae55b2813d0cf85d4cb4262f61204

SHA256
d5de21e7fe3070f8d6beae62c5fe1f528c98489b5cb8ed6da19d5253ba02a185

SHA512
f0b058e7e2f93fd73484bb4ae8183923107b24d81ff67dac4d153a42578b2ff49a1a742bd729caa66f0b5051a4641ffbb560694a431d91594d096dda513aa1c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA14.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
\Users\Admin\AppData\Roaming\confuse\chargeable.exe
Filesize
115KB

MD5
63ae91ec09e26df6c4dc974485eee0be

SHA1
6eccc804fde1396d6e30163e88fa92b9ff82659e

SHA256
ee70ad8ec5ddcc347055af38937be896a1dd34d45e2eb7fd5222e9c4aa1b01ed

SHA512
e51eccf72c3100a5f795b8ecd569bbfe5b281b2d3b4a0112f5b4dbea31cfd531a6440660ff74c2df5e4abb4f5ebda6480f3b731d8d70bf987ef8252398027313

Download Submit
memory/2340-203-0x0000000074880000-0x0000000074E2B000-memory.dmp

Filesize
5.7MB

Download
memory/2340-0-0x0000000074881000-0x0000000074882000-memory.dmp

Filesize
4KB

Download
memory/2340-2-0x0000000074880000-0x0000000074E2B000-memory.dmp

Filesize
5.7MB

Download
memory/2340-1-0x0000000074880000-0x0000000074E2B000-memory.dmp

Filesize
5.7MB

Download
memory/2648-363-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2648-366-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2648-365-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download