njrat | b5b6e5d9344d39b6ecb14d6d3076d8afdf66cafbae960a0d375f6fd19fa6d376

Analysis

max time kernel
147s
max time network
148s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 14:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b5b6e5d9344d39b6ecb14d6d3076d8afdf66cafbae960a0d375f6fd19fa6d376.exe
Size

114KB
MD5

4edd985941bb709aba126d47f208da70
SHA1

402b5012a81fde9c79b108e436a3c8775c32c3c9
SHA256

b5b6e5d9344d39b6ecb14d6d3076d8afdf66cafbae960a0d375f6fd19fa6d376
SHA512

71f1508d54e2a547ecd6989e1017294f5f9459354089573e45b4e33d91875da220e629299de99ff5b418e33daee97d460b6be93a58a4662c5a284bab9811c01d
SSDEEP

1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMDF:P5eznsjsguGDFqGZ2rDF

Score

10^/10

njrat neuf evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

neuf

doddyfire.linkpc.net:10000

Mutex

e1a87040f2026369a233f9ae76301b7b

Attributes

reg_key
e1a87040f2026369a233f9ae76301b7b
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

2636 netsh.exe
Executes dropped EXE 4 IoCs

Processes:

chargeable.exechargeable.exechargeable.exechargeable.exe

pid process

2912 chargeable.exe
2596 chargeable.exe
2476 chargeable.exe
2616 chargeable.exe

pid	process
2636	netsh.exe

pid	process
2912	chargeable.exe
2596	chargeable.exe
2476	chargeable.exe
2616	chargeable.exe

Loads dropped DLL 2 IoCs

Processes:

b5b6e5d9344d39b6ecb14d6d3076d8afdf66cafbae960a0d375f6fd19fa6d376.exe

pid	process
2400	b5b6e5d9344d39b6ecb14d6d3076d8afdf66cafbae960a0d375f6fd19fa6d376.exe
2400	b5b6e5d9344d39b6ecb14d6d3076d8afdf66cafbae960a0d375f6fd19fa6d376.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

b5b6e5d9344d39b6ecb14d6d3076d8afdf66cafbae960a0d375f6fd19fa6d376.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe"	b5b6e5d9344d39b6ecb14d6d3076d8afdf66cafbae960a0d375f6fd19fa6d376.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\b5b6e5d9344d39b6ecb14d6d3076d8afdf66cafbae960a0d375f6fd19fa6d376.exe"	b5b6e5d9344d39b6ecb14d6d3076d8afdf66cafbae960a0d375f6fd19fa6d376.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

chargeable.exe

description	pid	process	target process
PID 2912 set thread context of 2476	2912	chargeable.exe	chargeable.exe
PID 2912 set thread context of 2596	2912	chargeable.exe	chargeable.exe
PID 2912 set thread context of 2616	2912	chargeable.exe	chargeable.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 33 IoCs

Processes:

chargeable.exe

description	pid	process
Token: SeDebugPrivilege	2476	chargeable.exe
Token: 33	2476	chargeable.exe
Token: SeIncBasePriorityPrivilege	2476	chargeable.exe
Token: 33	2476	chargeable.exe
Token: SeIncBasePriorityPrivilege	2476	chargeable.exe
Token: 33	2476	chargeable.exe
Token: SeIncBasePriorityPrivilege	2476	chargeable.exe
Token: 33	2476	chargeable.exe
Token: SeIncBasePriorityPrivilege	2476	chargeable.exe
Token: 33	2476	chargeable.exe
Token: SeIncBasePriorityPrivilege	2476	chargeable.exe
Token: 33	2476	chargeable.exe
Token: SeIncBasePriorityPrivilege	2476	chargeable.exe
Token: 33	2476	chargeable.exe
Token: SeIncBasePriorityPrivilege	2476	chargeable.exe
Token: 33	2476	chargeable.exe
Token: SeIncBasePriorityPrivilege	2476	chargeable.exe
Token: 33	2476	chargeable.exe
Token: SeIncBasePriorityPrivilege	2476	chargeable.exe
Token: 33	2476	chargeable.exe
Token: SeIncBasePriorityPrivilege	2476	chargeable.exe
Token: 33	2476	chargeable.exe
Token: SeIncBasePriorityPrivilege	2476	chargeable.exe
Token: 33	2476	chargeable.exe
Token: SeIncBasePriorityPrivilege	2476	chargeable.exe
Token: 33	2476	chargeable.exe
Token: SeIncBasePriorityPrivilege	2476	chargeable.exe
Token: 33	2476	chargeable.exe
Token: SeIncBasePriorityPrivilege	2476	chargeable.exe
Token: 33	2476	chargeable.exe
Token: SeIncBasePriorityPrivilege	2476	chargeable.exe
Token: 33	2476	chargeable.exe
Token: SeIncBasePriorityPrivilege	2476	chargeable.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

b5b6e5d9344d39b6ecb14d6d3076d8afdf66cafbae960a0d375f6fd19fa6d376.exechargeable.exechargeable.exe

description	pid	process	target process
PID 2400 wrote to memory of 2912	2400	b5b6e5d9344d39b6ecb14d6d3076d8afdf66cafbae960a0d375f6fd19fa6d376.exe	chargeable.exe
PID 2400 wrote to memory of 2912	2400	b5b6e5d9344d39b6ecb14d6d3076d8afdf66cafbae960a0d375f6fd19fa6d376.exe	chargeable.exe
PID 2400 wrote to memory of 2912	2400	b5b6e5d9344d39b6ecb14d6d3076d8afdf66cafbae960a0d375f6fd19fa6d376.exe	chargeable.exe
PID 2400 wrote to memory of 2912	2400	b5b6e5d9344d39b6ecb14d6d3076d8afdf66cafbae960a0d375f6fd19fa6d376.exe	chargeable.exe
PID 2912 wrote to memory of 2616	2912	chargeable.exe	chargeable.exe
PID 2912 wrote to memory of 2616	2912	chargeable.exe	chargeable.exe
PID 2912 wrote to memory of 2616	2912	chargeable.exe	chargeable.exe
PID 2912 wrote to memory of 2616	2912	chargeable.exe	chargeable.exe
PID 2912 wrote to memory of 2596	2912	chargeable.exe	chargeable.exe
PID 2912 wrote to memory of 2596	2912	chargeable.exe	chargeable.exe
PID 2912 wrote to memory of 2596	2912	chargeable.exe	chargeable.exe
PID 2912 wrote to memory of 2596	2912	chargeable.exe	chargeable.exe
PID 2912 wrote to memory of 2476	2912	chargeable.exe	chargeable.exe
PID 2912 wrote to memory of 2476	2912	chargeable.exe	chargeable.exe
PID 2912 wrote to memory of 2476	2912	chargeable.exe	chargeable.exe
PID 2912 wrote to memory of 2476	2912	chargeable.exe	chargeable.exe
PID 2912 wrote to memory of 2476	2912	chargeable.exe	chargeable.exe
PID 2912 wrote to memory of 2476	2912	chargeable.exe	chargeable.exe
PID 2912 wrote to memory of 2476	2912	chargeable.exe	chargeable.exe
PID 2912 wrote to memory of 2476	2912	chargeable.exe	chargeable.exe
PID 2912 wrote to memory of 2476	2912	chargeable.exe	chargeable.exe
PID 2912 wrote to memory of 2596	2912	chargeable.exe	chargeable.exe
PID 2912 wrote to memory of 2596	2912	chargeable.exe	chargeable.exe
PID 2912 wrote to memory of 2596	2912	chargeable.exe	chargeable.exe
PID 2912 wrote to memory of 2596	2912	chargeable.exe	chargeable.exe
PID 2912 wrote to memory of 2596	2912	chargeable.exe	chargeable.exe
PID 2912 wrote to memory of 2616	2912	chargeable.exe	chargeable.exe
PID 2912 wrote to memory of 2616	2912	chargeable.exe	chargeable.exe
PID 2912 wrote to memory of 2616	2912	chargeable.exe	chargeable.exe
PID 2912 wrote to memory of 2616	2912	chargeable.exe	chargeable.exe
PID 2912 wrote to memory of 2616	2912	chargeable.exe	chargeable.exe
PID 2476 wrote to memory of 2636	2476	chargeable.exe	netsh.exe
PID 2476 wrote to memory of 2636	2476	chargeable.exe	netsh.exe
PID 2476 wrote to memory of 2636	2476	chargeable.exe	netsh.exe
PID 2476 wrote to memory of 2636	2476	chargeable.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\b5b6e5d9344d39b6ecb14d6d3076d8afdf66cafbae960a0d375f6fd19fa6d376.exe
"C:\Users\Admin\AppData\Local\Temp\b5b6e5d9344d39b6ecb14d6d3076d8afdf66cafbae960a0d375f6fd19fa6d376.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
  "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2912
- - C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
    C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
    3⤵
    - Executes dropped EXE
    PID:2616
- - C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
    C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
    3⤵
    - Executes dropped EXE
    PID:2596
- - C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
    C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2476
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      PID:2636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\37C951188967C8EB88D99893D9D191FE

Filesize
1KB

MD5
cba2426f2aafe31899569ace05e89796

SHA1
3bfb16faefd762b18f033cb2de6ceb77db9d2390

SHA256
a465febe8a024e3cdb548a3731b2ea60c7b2919e941a24b9a42890b2b039b85a

SHA512
395cce81a7966f02c49129586815b833c8acfe6efbb8795e56548f32819270c654074622b7fa880121ce7fbd29725af6f69f89b8c7e02c64d1bbffbfe0620c68

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C0018BB1B5834735BFA60CD063B31956

Filesize
1KB

MD5
0376ba21bc7c1d09e61b206c11bbc92c

SHA1
443fee1cb47f3497f1e8042a94c5da8655aa7cd7

SHA256
1e377d5df77b88b5dd8cde349ceb5c939eaddb2af2676ec91346f9ef7e24a0ab

SHA512
f68db4ce81924b2531b3467a23e02b2913086b6293d0d5a81fe9dbee941504502ea590d4667e3e758f3b4986384200700cb919bc7a5b75a29080e66b29aa9e23

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FE

Filesize
264B

MD5
44d6b338d85883c327887b9385d9431a

SHA1
079c96bc3aace57a1b019775b1d74ad34d5ed81b

SHA256
de6551c285393b744bde509dcae0fb05ba8381ff37cbd233a7ccccd76e0d9580

SHA512
873cf8508011f7aaa76799ef791d83044d0641fb89afd5e39d3d283d09ee6e45be601391beb27e12b751ee35fccc38ee54c052b425947732bf941f3fd330d5af

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
796cd709e37e9c3f085fde34e8099992

SHA1
cd5feaf3e941b2d9147f6503b5b4bc398fb542a4

SHA256
6e5470bbc196fe8fe35536fe54358a66f04e56f4efb9409861c48f98d8fe780c

SHA512
cc75a6d7411be0ebcada910d8d951786fe8117242d5332dc1c6e500e119bd4a20a514b565b0a6c3520512c0ede0cdc5efc763b1c47679420471d8399a6ffa2af

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
939c9984c839ec35e48ba91d5bc3eedd

SHA1
7c424adb4c30f9257e8d6f7396358d3fd9087843

SHA256
b59335c7e36fc93a2fc69e7f2a2752c5bad829a9330a38544345bcfdcfd0dc25

SHA512
22339eafce330fc79c3737b8a14d0e39ad2eb6efaf12ef1de1178f0127c6b6f7a55bd8c4f9290df85c43dcd7b7a5dc6cbe977cf3d3b4945ce186a55136353df2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5ed2a181282fece84818d9211878ba1f

SHA1
51ef9823b701443fddea96e414a923884527da75

SHA256
a7e028a42d33c97dc69ddc72bd91f5056a847572005f24b61a36a8e1b6a5757b

SHA512
5f9ac8a9324f2ad7dd160da6141af500e629a0946674578db3e4f2c9bf29faf586dfd0a4cc5df995ec0aa195d4530d89c809f3f2ecd401bf0ec94d8056d60eab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C0018BB1B5834735BFA60CD063B31956

Filesize
252B

MD5
f670cdd09e7b9f75ff29b4e88469b79e

SHA1
24ceff2e375c098110aa64b8db157b102fe29366

SHA256
1ee210310f856ba25d9cee54f664f66afa7ebfb6f16d88be59a727d09b8eaf86

SHA512
c25d1be27d1bcae45e218f88509ee07acb3f4eecb87327eae58a50042f19527f30a15fa6eb83869b4cea3396e423e8ca27a631bbb8fb069880ef63b638557c3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab292.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2A5.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5BB.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
\Users\Admin\AppData\Roaming\confuse\chargeable.exe

Filesize
114KB

MD5
2970e3af97119a3a6af02682dda417fe

SHA1
5346ab1f9b988c85a62e334d0e65805fb0a67bb5

SHA256
2658cbda6c4bcebe2e6ef806b09c9f81c560d13238bd323e11837aa791d4f05a

SHA512
dff07189dd7cbcacd6a636cd20fa419f8863689c20093c836119f4b30dfa6c2b9d100a7faf065d9f4b4625a41c33e9082f87feb1b044bbaa4d2f7c64cdbd9d86

Download Submit
memory/2400-200-0x00000000742C0000-0x000000007486B000-memory.dmp

Filesize
5.7MB

Download
memory/2400-0-0x00000000742C1000-0x00000000742C2000-memory.dmp

Filesize
4KB

Download
memory/2400-16-0x00000000742C0000-0x000000007486B000-memory.dmp

Filesize
5.7MB

Download
memory/2400-1-0x00000000742C0000-0x000000007486B000-memory.dmp

Filesize
5.7MB

Download
memory/2476-373-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2476-372-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2476-366-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download