njrat | 8979aebe1dc869fc5b8ac1b53ab72350686676866c9228c07e2b964382bfe733

Analysis

max time kernel
146s
max time network
137s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
02/06/2024, 18:11

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

virussign.com_2d39049483410c1ca95d39796f5e5f80.exe
Size

115KB
MD5

2d39049483410c1ca95d39796f5e5f80
SHA1

bb1823bf3aec535aba9e09d13b75839097beaf86
SHA256

8979aebe1dc869fc5b8ac1b53ab72350686676866c9228c07e2b964382bfe733
SHA512

b2b07fcb9110352389c4e0938582eb1461109ed5c421f144cf7696e1dbc8ce1c386dbbccd75745c199c2679418ac7f8eb6fe3efd09b877093b22cb6af4283334
SSDEEP

1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMDIAP:P5eznsjsguGDFqGZ2rDIk

Score

10^/10

njrat neuf evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

neuf

doddyfire.linkpc.net:10000

Mutex

e1a87040f2026369a233f9ae76301b7b

Attributes

reg_key
e1a87040f2026369a233f9ae76301b7b
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2708	netsh.exe

Executes dropped EXE 2 IoCs

pid	Process
2200	chargeable.exe
2772	chargeable.exe

Loads dropped DLL 2 IoCs

pid	Process
1844	virussign.com_2d39049483410c1ca95d39796f5e5f80.exe
1844	virussign.com_2d39049483410c1ca95d39796f5e5f80.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe"	virussign.com_2d39049483410c1ca95d39796f5e5f80.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\virussign.com_2d39049483410c1ca95d39796f5e5f80.exe"	virussign.com_2d39049483410c1ca95d39796f5e5f80.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2200 set thread context of 2772	2200	chargeable.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeDebugPrivilege	2772	chargeable.exe
Token: 33	2772	chargeable.exe
Token: SeIncBasePriorityPrivilege	2772	chargeable.exe
Token: 33	2772	chargeable.exe
Token: SeIncBasePriorityPrivilege	2772	chargeable.exe
Token: 33	2772	chargeable.exe
Token: SeIncBasePriorityPrivilege	2772	chargeable.exe
Token: 33	2772	chargeable.exe
Token: SeIncBasePriorityPrivilege	2772	chargeable.exe
Token: 33	2772	chargeable.exe
Token: SeIncBasePriorityPrivilege	2772	chargeable.exe
Token: 33	2772	chargeable.exe
Token: SeIncBasePriorityPrivilege	2772	chargeable.exe
Token: 33	2772	chargeable.exe
Token: SeIncBasePriorityPrivilege	2772	chargeable.exe
Token: 33	2772	chargeable.exe
Token: SeIncBasePriorityPrivilege	2772	chargeable.exe
Token: 33	2772	chargeable.exe
Token: SeIncBasePriorityPrivilege	2772	chargeable.exe
Token: 33	2772	chargeable.exe
Token: SeIncBasePriorityPrivilege	2772	chargeable.exe
Token: 33	2772	chargeable.exe
Token: SeIncBasePriorityPrivilege	2772	chargeable.exe
Token: 33	2772	chargeable.exe
Token: SeIncBasePriorityPrivilege	2772	chargeable.exe
Token: 33	2772	chargeable.exe
Token: SeIncBasePriorityPrivilege	2772	chargeable.exe
Token: 33	2772	chargeable.exe
Token: SeIncBasePriorityPrivilege	2772	chargeable.exe
Token: 33	2772	chargeable.exe
Token: SeIncBasePriorityPrivilege	2772	chargeable.exe
Token: 33	2772	chargeable.exe
Token: SeIncBasePriorityPrivilege	2772	chargeable.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1844 wrote to memory of 2200	1844	virussign.com_2d39049483410c1ca95d39796f5e5f80.exe	28
PID 1844 wrote to memory of 2200	1844	virussign.com_2d39049483410c1ca95d39796f5e5f80.exe	28
PID 1844 wrote to memory of 2200	1844	virussign.com_2d39049483410c1ca95d39796f5e5f80.exe	28
PID 1844 wrote to memory of 2200	1844	virussign.com_2d39049483410c1ca95d39796f5e5f80.exe	28
PID 2200 wrote to memory of 2772	2200	chargeable.exe	29
PID 2200 wrote to memory of 2772	2200	chargeable.exe	29
PID 2200 wrote to memory of 2772	2200	chargeable.exe	29
PID 2200 wrote to memory of 2772	2200	chargeable.exe	29
PID 2200 wrote to memory of 2772	2200	chargeable.exe	29
PID 2200 wrote to memory of 2772	2200	chargeable.exe	29
PID 2200 wrote to memory of 2772	2200	chargeable.exe	29
PID 2200 wrote to memory of 2772	2200	chargeable.exe	29
PID 2200 wrote to memory of 2772	2200	chargeable.exe	29
PID 2772 wrote to memory of 2708	2772	chargeable.exe	30
PID 2772 wrote to memory of 2708	2772	chargeable.exe	30
PID 2772 wrote to memory of 2708	2772	chargeable.exe	30
PID 2772 wrote to memory of 2708	2772	chargeable.exe	30

C:\Users\Admin\AppData\Local\Temp\virussign.com_2d39049483410c1ca95d39796f5e5f80.exe
"C:\Users\Admin\AppData\Local\Temp\virussign.com_2d39049483410c1ca95d39796f5e5f80.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1844
- C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
  "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2200
- - C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
    C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2772
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\37C951188967C8EB88D99893D9D191FE

Filesize
1KB

MD5
cba2426f2aafe31899569ace05e89796

SHA1
3bfb16faefd762b18f033cb2de6ceb77db9d2390

SHA256
a465febe8a024e3cdb548a3731b2ea60c7b2919e941a24b9a42890b2b039b85a

SHA512
395cce81a7966f02c49129586815b833c8acfe6efbb8795e56548f32819270c654074622b7fa880121ce7fbd29725af6f69f89b8c7e02c64d1bbffbfe0620c68

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C0018BB1B5834735BFA60CD063B31956

Filesize
1KB

MD5
0376ba21bc7c1d09e61b206c11bbc92c

SHA1
443fee1cb47f3497f1e8042a94c5da8655aa7cd7

SHA256
1e377d5df77b88b5dd8cde349ceb5c939eaddb2af2676ec91346f9ef7e24a0ab

SHA512
f68db4ce81924b2531b3467a23e02b2913086b6293d0d5a81fe9dbee941504502ea590d4667e3e758f3b4986384200700cb919bc7a5b75a29080e66b29aa9e23

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FE

Filesize
264B

MD5
75e1cf127bfcc93432ffae26f593adbf

SHA1
f36a21f3329f70f748e3034491112896ff62d2a0

SHA256
5c1796372166aad7a0f14f7bf87ef8d0da345d79ac3d11324d2b70420520786b

SHA512
3b835e9b9ea63cb438f999de3912e0593b46644a418ce7d12015283eab962534ccc3b73fc68d7516fc0a0b10c17788c6ac56ceec9dc7981dce12f24c1fc2f116

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
87d40df98c0116e4a514316282f71cdc

SHA1
0dabb33f5f5de80a8160c2d56c73050ae740cfe4

SHA256
afc0a7bb4a1d60570bd2dd037466c898c10ce3d815ac38fc3b2517a000de65c6

SHA512
c3f0694fdbe49507f69672fe0922f4b2d70eb32d9e97af67eed900e3b3359cfc8a67a76084af042d0f0969b634c03493d1d4367bd4114ad0da25d9f4ab2bba3f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b05ede2cb9000021a8f4846fe9599f59

SHA1
9064a20db1cbb00fc6e3081adb6fcfe43542ca99

SHA256
6f386cbfa72a6b625748ca365af28e2411e32787b9db231997b9cba969c2abc9

SHA512
7e8e80cf6c9086126b3126e215a739b2d5f0b7315f1e638beac3d3a2c8e77b56d19b86b1679bb46c3a17f9e52f8fe058f9ede35481693b13f7609b0a065bc1a0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
336270a222cc71d8e82d26a574fa4712

SHA1
9b8ba1755619d5dfef2f4a8d812ea13382a7bd1b

SHA256
a49998b91b9e7d4e8f5289cad1061aa229ddfd4a6503ecbdd76bc31dd381af6b

SHA512
c27d84926d262f77f4377c326d97c9198c51df6012004026c108d1f788ddc749aea55f99f5fba99e37c251863bbd662e5ca4e90282cce89cb5cf6c6b1146444c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C0018BB1B5834735BFA60CD063B31956

Filesize
252B

MD5
16a4ef4e76c958899224da99545b6350

SHA1
962c8f76c90102c5bb84a76f67c946857d2ae3cd

SHA256
2e3552a57108426c3afd0ff91fe94ae745198a403759693283243f3f593661c2

SHA512
bb75a92fe5a671202322c31aef4ecddbe66c73fb18a384a106d7b05d805ebe451a9deaf597997fdb21ef13a5f7538a6d2637958b9bb53ad1d76d2cf67843fa38

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE07.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar114F.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE19.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
\Users\Admin\AppData\Roaming\confuse\chargeable.exe

Filesize
115KB

MD5
d9d0118d5ebbc254ce13d3ec460337db

SHA1
59e1ce0a8d53edc863415da1d7055d84e9280d12

SHA256
321af56cc47ee2d34f76006edf4016daf7028fd6fa121f573c87417a2e3167ea

SHA512
a101610a80837a20002c5fa023e11054d1cfea550e697dc107897cde1d5c12b1ede431570ba03d0c20141ee66bdd9cdafd540a56d86d326c77d9899fc6cac358

Download Submit
memory/1844-200-0x0000000074970000-0x0000000074F1B000-memory.dmp

Filesize
5.7MB

Download
memory/1844-0-0x0000000074971000-0x0000000074972000-memory.dmp

Filesize
4KB

Download
memory/1844-2-0x0000000074970000-0x0000000074F1B000-memory.dmp

Filesize
5.7MB

Download
memory/1844-1-0x0000000074970000-0x0000000074F1B000-memory.dmp

Filesize
5.7MB

Download
memory/2772-366-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2772-368-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2772-369-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads