njrat | 2d36ee83d5349c163250cf5f782d0be89dd882c576682a570d0ae236e8dd1c93

Analysis

max time kernel
147s
max time network
138s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25-05-2024 01:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

B68C1DC7F15C7A2C348BA64D3B79830A.exe
Size

115KB
MD5

b68c1dc7f15c7a2c348ba64d3b79830a
SHA1

416fdb5760bc35444e85d94211fda90c77debb86
SHA256

2d36ee83d5349c163250cf5f782d0be89dd882c576682a570d0ae236e8dd1c93
SHA512

83da9918538b52173b1446722efde1ccd65845838f508df574d27b479a78f06b770eac2badda0048b53a9e6f82f5dc7b37302b387b120374c624cf83550cdea2
SSDEEP

1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMDIy:P5eznsjsguGDFqGZ2rDIy

Score

10^/10

njrat neuf evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

neuf

doddyfire.linkpc.net:10000

Mutex

e1a87040f2026369a233f9ae76301b7b

Attributes

reg_key
e1a87040f2026369a233f9ae76301b7b
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

2604 netsh.exe
Executes dropped EXE 2 IoCs

Processes:

chargeable.exechargeable.exe

pid process

2280 chargeable.exe
2648 chargeable.exe
Loads dropped DLL 2 IoCs

Processes:

B68C1DC7F15C7A2C348BA64D3B79830A.exe

pid process

2868 B68C1DC7F15C7A2C348BA64D3B79830A.exe
2868 B68C1DC7F15C7A2C348BA64D3B79830A.exe

pid	process
2604	netsh.exe

pid	process
2280	chargeable.exe
2648	chargeable.exe

pid	process
2868	B68C1DC7F15C7A2C348BA64D3B79830A.exe
2868	B68C1DC7F15C7A2C348BA64D3B79830A.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

B68C1DC7F15C7A2C348BA64D3B79830A.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe"	B68C1DC7F15C7A2C348BA64D3B79830A.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\B68C1DC7F15C7A2C348BA64D3B79830A.exe"	B68C1DC7F15C7A2C348BA64D3B79830A.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

chargeable.exe

description pid process target process

PID 2280 set thread context of 2648 2280 chargeable.exe chargeable.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 2280 set thread context of 2648	2280	chargeable.exe	chargeable.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

Processes:

chargeable.exe

description	pid	process
Token: SeDebugPrivilege	2648	chargeable.exe
Token: 33	2648	chargeable.exe
Token: SeIncBasePriorityPrivilege	2648	chargeable.exe
Token: 33	2648	chargeable.exe
Token: SeIncBasePriorityPrivilege	2648	chargeable.exe
Token: 33	2648	chargeable.exe
Token: SeIncBasePriorityPrivilege	2648	chargeable.exe
Token: 33	2648	chargeable.exe
Token: SeIncBasePriorityPrivilege	2648	chargeable.exe
Token: 33	2648	chargeable.exe
Token: SeIncBasePriorityPrivilege	2648	chargeable.exe
Token: 33	2648	chargeable.exe
Token: SeIncBasePriorityPrivilege	2648	chargeable.exe
Token: 33	2648	chargeable.exe
Token: SeIncBasePriorityPrivilege	2648	chargeable.exe
Token: 33	2648	chargeable.exe
Token: SeIncBasePriorityPrivilege	2648	chargeable.exe
Token: 33	2648	chargeable.exe
Token: SeIncBasePriorityPrivilege	2648	chargeable.exe
Token: 33	2648	chargeable.exe
Token: SeIncBasePriorityPrivilege	2648	chargeable.exe
Token: 33	2648	chargeable.exe
Token: SeIncBasePriorityPrivilege	2648	chargeable.exe
Token: 33	2648	chargeable.exe
Token: SeIncBasePriorityPrivilege	2648	chargeable.exe
Token: 33	2648	chargeable.exe
Token: SeIncBasePriorityPrivilege	2648	chargeable.exe
Token: 33	2648	chargeable.exe
Token: SeIncBasePriorityPrivilege	2648	chargeable.exe
Token: 33	2648	chargeable.exe
Token: SeIncBasePriorityPrivilege	2648	chargeable.exe
Token: 33	2648	chargeable.exe
Token: SeIncBasePriorityPrivilege	2648	chargeable.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

B68C1DC7F15C7A2C348BA64D3B79830A.exechargeable.exechargeable.exe

description	pid	process	target process
PID 2868 wrote to memory of 2280	2868	B68C1DC7F15C7A2C348BA64D3B79830A.exe	chargeable.exe
PID 2868 wrote to memory of 2280	2868	B68C1DC7F15C7A2C348BA64D3B79830A.exe	chargeable.exe
PID 2868 wrote to memory of 2280	2868	B68C1DC7F15C7A2C348BA64D3B79830A.exe	chargeable.exe
PID 2868 wrote to memory of 2280	2868	B68C1DC7F15C7A2C348BA64D3B79830A.exe	chargeable.exe
PID 2280 wrote to memory of 2648	2280	chargeable.exe	chargeable.exe
PID 2280 wrote to memory of 2648	2280	chargeable.exe	chargeable.exe
PID 2280 wrote to memory of 2648	2280	chargeable.exe	chargeable.exe
PID 2280 wrote to memory of 2648	2280	chargeable.exe	chargeable.exe
PID 2280 wrote to memory of 2648	2280	chargeable.exe	chargeable.exe
PID 2280 wrote to memory of 2648	2280	chargeable.exe	chargeable.exe
PID 2280 wrote to memory of 2648	2280	chargeable.exe	chargeable.exe
PID 2280 wrote to memory of 2648	2280	chargeable.exe	chargeable.exe
PID 2280 wrote to memory of 2648	2280	chargeable.exe	chargeable.exe
PID 2648 wrote to memory of 2604	2648	chargeable.exe	netsh.exe
PID 2648 wrote to memory of 2604	2648	chargeable.exe	netsh.exe
PID 2648 wrote to memory of 2604	2648	chargeable.exe	netsh.exe
PID 2648 wrote to memory of 2604	2648	chargeable.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\B68C1DC7F15C7A2C348BA64D3B79830A.exe
"C:\Users\Admin\AppData\Local\Temp\B68C1DC7F15C7A2C348BA64D3B79830A.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
  "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2280
- - C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
    C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2648
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\37C951188967C8EB88D99893D9D191FE

Filesize
1KB

MD5
cba2426f2aafe31899569ace05e89796

SHA1
3bfb16faefd762b18f033cb2de6ceb77db9d2390

SHA256
a465febe8a024e3cdb548a3731b2ea60c7b2919e941a24b9a42890b2b039b85a

SHA512
395cce81a7966f02c49129586815b833c8acfe6efbb8795e56548f32819270c654074622b7fa880121ce7fbd29725af6f69f89b8c7e02c64d1bbffbfe0620c68

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C0018BB1B5834735BFA60CD063B31956

Filesize
1KB

MD5
0376ba21bc7c1d09e61b206c11bbc92c

SHA1
443fee1cb47f3497f1e8042a94c5da8655aa7cd7

SHA256
1e377d5df77b88b5dd8cde349ceb5c939eaddb2af2676ec91346f9ef7e24a0ab

SHA512
f68db4ce81924b2531b3467a23e02b2913086b6293d0d5a81fe9dbee941504502ea590d4667e3e758f3b4986384200700cb919bc7a5b75a29080e66b29aa9e23

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FE

Filesize
264B

MD5
0ca223fcbf7f665f02872d464aba62fc

SHA1
1f6d9a62bb25966f8de6ccf1cad641f7d42adc7e

SHA256
39009dc755c29d179bab56eaafd5c1a8a63579a3d79f87e4133ab888f88f232b

SHA512
3844dd84e640c65e28106e20ddba0d5daf088293027febac982dcd2694f46f7e060c29da06672913189a32f57a1a45c5a6919a960c8ba5f0ad5dd0961788d968

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a17fc6f155fdeed7c68cf9db6a3f8648

SHA1
a534b9d8400684dec420c980b6c8511b3fb91092

SHA256
49d49acd4e673414a55b4ac7711f9b5634be9ae89a62ea8807fc0c1caaca5aae

SHA512
fa40cdf444116a3ff821adab70ba63b5ea87a70b8add06d97475f2b5049db354728359b5cb95fc226ec13883a5b42c744b60bb98bcc706db72502d5e18b77c70

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c69a27667a69699a23e439c0f9acc268

SHA1
c531548b8c1b7607090f2aed7df9224bcc1076c7

SHA256
9dd70ada59a40ba8927c1fbc2b5c43f5f858172e9b176d2fde9d9bff0fe59a10

SHA512
f52a8d7557882a91e57735d518b6f6c064d522d55f05edcd5df4f6cac86565406a2d3e8c2bf62614aa87f5781f653aa84c6975f09918bfeefe983d773d03342b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
60258f4aa922d1728b2012af47db1e80

SHA1
203f126dc217f8ffa38038812f151adef065950b

SHA256
3a13d0e432284c7ec63e752fccf581f3369eab1630c37c23d90d5ceb86dbc61b

SHA512
15bf649a31775080e881fb3bd3123311bdfc45667a3abdebf934ffc157e4c7c453dda36cde1994779a6cc15e17b3578407a03fceeee03433c0741e9e2dca2ad4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C0018BB1B5834735BFA60CD063B31956

Filesize
252B

MD5
4542fad3abdaccbe1e79679841332edf

SHA1
cd6d5b26677f23116d1fd0faf163ff6b93940f25

SHA256
3fb166cb9f978b25193fba979bbd8911a89af7b2cde2a8b827fa80e126d9a817

SHA512
239fc1e08eee6a1396e31d5b54a308ad9d0052cfa617bf7320d6d0f67811a87711a3927b9abd355714c71dcc155a77a8e3edf58440aa604941a647b47bdee7f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1AF2.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1B14.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1E1B.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
\Users\Admin\AppData\Roaming\confuse\chargeable.exe

Filesize
115KB

MD5
45d7b6990f466fe00a61753e772312ba

SHA1
dff7f71c861587d830ca099e65e523c7165d4a8a

SHA256
f162266e28c3b57af61d6d030cdbf2257513aeaa5314315c2f12b136be9eff10

SHA512
da9ad3a8d5626def625396617fd070ad662c20b6bb82974c6daa72379a9b780add3f41b51490b953fe8f3a1198bedd998e5f1564754affbc299a20a234ea8d75

Download Submit
memory/2648-366-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2648-369-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2648-368-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2868-0-0x00000000746F1000-0x00000000746F2000-memory.dmp

Filesize
4KB

Download
memory/2868-206-0x00000000746F0000-0x0000000074C9B000-memory.dmp

Filesize
5.7MB

Download
memory/2868-2-0x00000000746F0000-0x0000000074C9B000-memory.dmp

Filesize
5.7MB

Download
memory/2868-1-0x00000000746F0000-0x0000000074C9B000-memory.dmp

Filesize
5.7MB

Download