njrat | 158fee9987ceffc26395ea885fec4718e9545a8aba743d3e35535ea3acaf9a19

Analysis

max time kernel
146s
max time network
121s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
26-05-2024 01:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4bd65857cd398a4f6a73090b6b522890_NeikiAnalytics.exe
Size

114KB
MD5

4bd65857cd398a4f6a73090b6b522890
SHA1

c992fe798c6f2af562de3d3ad68a39f8e885e319
SHA256

158fee9987ceffc26395ea885fec4718e9545a8aba743d3e35535ea3acaf9a19
SHA512

a0e5279d022879d355ca604dc67525fcb98b9d92c9927e130b37a6a4699de38899a256f2f16e92f76856134096a00d8e1f403a9abf06e0f64c30dc5e97e6454e
SSDEEP

1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMDQ:P5eznsjsguGDFqGZ2rDQ

Score

10^/10

njrat neuf evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

neuf

doddyfire.linkpc.net:10000

Mutex

e1a87040f2026369a233f9ae76301b7b

Attributes

reg_key
e1a87040f2026369a233f9ae76301b7b
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

2680 netsh.exe
Executes dropped EXE 2 IoCs

Processes:

chargeable.exechargeable.exe

pid process

1964 chargeable.exe
2480 chargeable.exe
Loads dropped DLL 2 IoCs

Processes:

4bd65857cd398a4f6a73090b6b522890_NeikiAnalytics.exe

pid process

1636 4bd65857cd398a4f6a73090b6b522890_NeikiAnalytics.exe
1636 4bd65857cd398a4f6a73090b6b522890_NeikiAnalytics.exe

pid	process
2680	netsh.exe

pid	process
1964	chargeable.exe
2480	chargeable.exe

pid	process
1636	4bd65857cd398a4f6a73090b6b522890_NeikiAnalytics.exe
1636	4bd65857cd398a4f6a73090b6b522890_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

4bd65857cd398a4f6a73090b6b522890_NeikiAnalytics.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe"	4bd65857cd398a4f6a73090b6b522890_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4bd65857cd398a4f6a73090b6b522890_NeikiAnalytics.exe"	4bd65857cd398a4f6a73090b6b522890_NeikiAnalytics.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

chargeable.exe

description pid process target process

PID 1964 set thread context of 2480 1964 chargeable.exe chargeable.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 1964 set thread context of 2480	1964	chargeable.exe	chargeable.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

Processes:

chargeable.exe

description	pid	process
Token: SeDebugPrivilege	2480	chargeable.exe
Token: 33	2480	chargeable.exe
Token: SeIncBasePriorityPrivilege	2480	chargeable.exe
Token: 33	2480	chargeable.exe
Token: SeIncBasePriorityPrivilege	2480	chargeable.exe
Token: 33	2480	chargeable.exe
Token: SeIncBasePriorityPrivilege	2480	chargeable.exe
Token: 33	2480	chargeable.exe
Token: SeIncBasePriorityPrivilege	2480	chargeable.exe
Token: 33	2480	chargeable.exe
Token: SeIncBasePriorityPrivilege	2480	chargeable.exe
Token: 33	2480	chargeable.exe
Token: SeIncBasePriorityPrivilege	2480	chargeable.exe
Token: 33	2480	chargeable.exe
Token: SeIncBasePriorityPrivilege	2480	chargeable.exe
Token: 33	2480	chargeable.exe
Token: SeIncBasePriorityPrivilege	2480	chargeable.exe
Token: 33	2480	chargeable.exe
Token: SeIncBasePriorityPrivilege	2480	chargeable.exe
Token: 33	2480	chargeable.exe
Token: SeIncBasePriorityPrivilege	2480	chargeable.exe
Token: 33	2480	chargeable.exe
Token: SeIncBasePriorityPrivilege	2480	chargeable.exe
Token: 33	2480	chargeable.exe
Token: SeIncBasePriorityPrivilege	2480	chargeable.exe
Token: 33	2480	chargeable.exe
Token: SeIncBasePriorityPrivilege	2480	chargeable.exe
Token: 33	2480	chargeable.exe
Token: SeIncBasePriorityPrivilege	2480	chargeable.exe
Token: 33	2480	chargeable.exe
Token: SeIncBasePriorityPrivilege	2480	chargeable.exe
Token: 33	2480	chargeable.exe
Token: SeIncBasePriorityPrivilege	2480	chargeable.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

4bd65857cd398a4f6a73090b6b522890_NeikiAnalytics.exechargeable.exechargeable.exe

description	pid	process	target process
PID 1636 wrote to memory of 1964	1636	4bd65857cd398a4f6a73090b6b522890_NeikiAnalytics.exe	chargeable.exe
PID 1636 wrote to memory of 1964	1636	4bd65857cd398a4f6a73090b6b522890_NeikiAnalytics.exe	chargeable.exe
PID 1636 wrote to memory of 1964	1636	4bd65857cd398a4f6a73090b6b522890_NeikiAnalytics.exe	chargeable.exe
PID 1636 wrote to memory of 1964	1636	4bd65857cd398a4f6a73090b6b522890_NeikiAnalytics.exe	chargeable.exe
PID 1964 wrote to memory of 2480	1964	chargeable.exe	chargeable.exe
PID 1964 wrote to memory of 2480	1964	chargeable.exe	chargeable.exe
PID 1964 wrote to memory of 2480	1964	chargeable.exe	chargeable.exe
PID 1964 wrote to memory of 2480	1964	chargeable.exe	chargeable.exe
PID 1964 wrote to memory of 2480	1964	chargeable.exe	chargeable.exe
PID 1964 wrote to memory of 2480	1964	chargeable.exe	chargeable.exe
PID 1964 wrote to memory of 2480	1964	chargeable.exe	chargeable.exe
PID 1964 wrote to memory of 2480	1964	chargeable.exe	chargeable.exe
PID 1964 wrote to memory of 2480	1964	chargeable.exe	chargeable.exe
PID 2480 wrote to memory of 2680	2480	chargeable.exe	netsh.exe
PID 2480 wrote to memory of 2680	2480	chargeable.exe	netsh.exe
PID 2480 wrote to memory of 2680	2480	chargeable.exe	netsh.exe
PID 2480 wrote to memory of 2680	2480	chargeable.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\4bd65857cd398a4f6a73090b6b522890_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4bd65857cd398a4f6a73090b6b522890_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1636
- C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
  "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1964
- - C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
    C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2480
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\37C951188967C8EB88D99893D9D191FE

Filesize
1KB

MD5
cba2426f2aafe31899569ace05e89796

SHA1
3bfb16faefd762b18f033cb2de6ceb77db9d2390

SHA256
a465febe8a024e3cdb548a3731b2ea60c7b2919e941a24b9a42890b2b039b85a

SHA512
395cce81a7966f02c49129586815b833c8acfe6efbb8795e56548f32819270c654074622b7fa880121ce7fbd29725af6f69f89b8c7e02c64d1bbffbfe0620c68

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C0018BB1B5834735BFA60CD063B31956

Filesize
1KB

MD5
0376ba21bc7c1d09e61b206c11bbc92c

SHA1
443fee1cb47f3497f1e8042a94c5da8655aa7cd7

SHA256
1e377d5df77b88b5dd8cde349ceb5c939eaddb2af2676ec91346f9ef7e24a0ab

SHA512
f68db4ce81924b2531b3467a23e02b2913086b6293d0d5a81fe9dbee941504502ea590d4667e3e758f3b4986384200700cb919bc7a5b75a29080e66b29aa9e23

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FE

Filesize
264B

MD5
f9ab715df08393ff44bde49d15fb958b

SHA1
120173b06ea10d4b4c8dbef740b433f68cbc7854

SHA256
31657d5f19916cccb9341e73b9ab9f6cb755d75e9eb5d353d2bb56acb8460bc7

SHA512
ff59d198f620a46df18244eb576826d18fd205fec019e0dd7be90520da662477b5ba8f99e57248df7ea61d6c7a15b48ead68195ef55b77ca690831aeac3e15cf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
324a9965a98743878d93c782d16a2f7c

SHA1
f793d1a5815a8105cff9032f1a9c846e210ac530

SHA256
90e3270dc08a41fc7153011177fe10e970834b6b633db843e09b6e3fb0e31099

SHA512
33259f944fa900f0332e13b25c8e0bd8b0091254b1a2f20894e65aa776da99132981da3d835f80289143cb8d52ffa313ca5ae37f5aed0dce8763b7f12daa2270

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
97b912dab2ecdfd32c521f24d730135e

SHA1
811fcccc31000269eae59349e65f56065b5f18ee

SHA256
e058ea5b6777c1d5aab047baa479fb27fac9045c19a38f7903ca3f4b6bd359f1

SHA512
9998ea3f2edbf1f95dfd3105b4c97950468302069291eaa851630a9decf79f118f8e0fd2ae1ba0421399b88e908e0eaf80624e621cf126b2f3b982357daae4b8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b80996f1d82b4a9e116a8971bf09d26c

SHA1
de7bf098f09fb607cd738b2b6b88ce4d53ba7b1e

SHA256
0d198e224c82a3bd0549b13b840edcae08eba45019f284ebdc8cc11ae9aee2e9

SHA512
b80855a55d8d6ecd61ad3c268b36fb80b4806ef6e5691355fb396c15109800e411a3d825b4b7ce612d7556c623a7f09d3cae476f90dace9d50c86ee9e60e5fba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C0018BB1B5834735BFA60CD063B31956

Filesize
252B

MD5
845d8590d6ddfcf53d0d3b2f21bd8aa8

SHA1
5dc548683cad0862f73db10e46fc9d4d003f7b81

SHA256
fc494991026527772281ae830845b059009dc962a0f16ad9fb1f77c4305c0769

SHA512
24bee7d9111840beddc6a40a095efa1e35bf35fd90b95a7541b6cd9387e01076c630e3b40adc8df53cdaec100fbc70fe59248a8574a436b80da305e5a6c65f78

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1067.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar106A.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1332.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
\Users\Admin\AppData\Roaming\confuse\chargeable.exe

Filesize
114KB

MD5
c36b332380320b1cb263c6849304bdd2

SHA1
1b25096886c8a5aa668caacfcd944edb84096efe

SHA256
f9561dec4dafcf84a876edc51766a3d2d3f9b18ce33cc92cb1533d23481da0f5

SHA512
564f38ed10ed57c761dc5cefa13ec07237613e92bd6dc6ffc3dfa78c658dbdfd845c9dcb44126729eb172856deae25fc340ec2ed9812ed10fd489a528748ac42

Download Submit
memory/1636-196-0x0000000074A60000-0x000000007500B000-memory.dmp

Filesize
5.7MB

Download
memory/1636-1-0x0000000074A60000-0x000000007500B000-memory.dmp

Filesize
5.7MB

Download
memory/1636-0-0x0000000074A61000-0x0000000074A62000-memory.dmp

Filesize
4KB

Download
memory/2480-365-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2480-367-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2480-368-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download