Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A

Loads dropped DLL

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\f90529ca77e6ac7ce39707a2cd5cee0ebe071c05ca60e0f23e6fd4788c6f91ec.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\f90529ca77e6ac7ce39707a2cd5cee0ebe071c05ca60e0f23e6fd4788c6f91ec.exe	N/A

Adds Run key to start application

persistence

Description	Indicator	Process	Target
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe"	C:\Users\Admin\AppData\Local\Temp\f90529ca77e6ac7ce39707a2cd5cee0ebe071c05ca60e0f23e6fd4788c6f91ec.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\f90529ca77e6ac7ce39707a2cd5cee0ebe071c05ca60e0f23e6fd4788c6f91ec.exe"	C:\Users\Admin\AppData\Local\Temp\f90529ca77e6ac7ce39707a2cd5cee0ebe071c05ca60e0f23e6fd4788c6f91ec.exe	N/A

Suspicious use of SetThreadContext

Description	Indicator	Process	Target
PID 920 set thread context of 956	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description	Indicator	Process	Target
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: 33	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: SeIncBasePriorityPrivilege	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: 33	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: SeIncBasePriorityPrivilege	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: 33	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: SeIncBasePriorityPrivilege	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: 33	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: SeIncBasePriorityPrivilege	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: 33	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: SeIncBasePriorityPrivilege	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: 33	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: SeIncBasePriorityPrivilege	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: 33	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: SeIncBasePriorityPrivilege	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: 33	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: SeIncBasePriorityPrivilege	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: 33	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: SeIncBasePriorityPrivilege	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: 33	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: SeIncBasePriorityPrivilege	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: 33	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: SeIncBasePriorityPrivilege	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: 33	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: SeIncBasePriorityPrivilege	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A

Suspicious use of WriteProcessMemory

Description	Indicator	Process	Target
PID 2980 wrote to memory of 920	N/A	C:\Users\Admin\AppData\Local\Temp\f90529ca77e6ac7ce39707a2cd5cee0ebe071c05ca60e0f23e6fd4788c6f91ec.exe	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2980 wrote to memory of 920	N/A	C:\Users\Admin\AppData\Local\Temp\f90529ca77e6ac7ce39707a2cd5cee0ebe071c05ca60e0f23e6fd4788c6f91ec.exe	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2980 wrote to memory of 920	N/A	C:\Users\Admin\AppData\Local\Temp\f90529ca77e6ac7ce39707a2cd5cee0ebe071c05ca60e0f23e6fd4788c6f91ec.exe	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2980 wrote to memory of 920	N/A	C:\Users\Admin\AppData\Local\Temp\f90529ca77e6ac7ce39707a2cd5cee0ebe071c05ca60e0f23e6fd4788c6f91ec.exe	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 920 wrote to memory of 956	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 920 wrote to memory of 956	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 920 wrote to memory of 956	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 920 wrote to memory of 956	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 920 wrote to memory of 956	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 920 wrote to memory of 956	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 920 wrote to memory of 956	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 920 wrote to memory of 956	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 920 wrote to memory of 956	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 956 wrote to memory of 2240	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	C:\Windows\SysWOW64\netsh.exe
PID 956 wrote to memory of 2240	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	C:\Windows\SysWOW64\netsh.exe
PID 956 wrote to memory of 2240	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	C:\Windows\SysWOW64\netsh.exe
PID 956 wrote to memory of 2240	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	C:\Windows\SysWOW64\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f90529ca77e6ac7ce39707a2cd5cee0ebe071c05ca60e0f23e6fd4788c6f91ec.exe

"C:\Users\Admin\AppData\Local\Temp\f90529ca77e6ac7ce39707a2cd5cee0ebe071c05ca60e0f23e6fd4788c6f91ec.exe"

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

"C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE

Network

Country	Destination	Domain	Proto
US	8.8.8.8:53	www.microsoft.com	udp
US	8.8.8.8:53	doddyfire.linkpc.net	udp
US	8.8.8.8:53	doddyfire.linkpc.net	udp
US	8.8.8.8:53	doddyfire.linkpc.net	udp
US	8.8.8.8:53	doddyfire.linkpc.net	udp
US	8.8.8.8:53	doddyfire.linkpc.net	udp
US	8.8.8.8:53	doddyfire.linkpc.net	udp
US	8.8.8.8:53	doddyfire.linkpc.net	udp

Files

memory/2980-0-0x0000000074C71000-0x0000000074C72000-memory.dmp

memory/2980-1-0x0000000074C70000-0x000000007521B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab26A5.tmp

MD5	29f65ba8e88c063813cc50a4ea544e93
SHA1	05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256	1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512	e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\Tar26A8.tmp

MD5	435a9ac180383f9fa094131b173a2f7b
SHA1	76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256	67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512	1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5	bd6120a316526c10f774c82464fec1e8
SHA1	0440fdb2ceff6ae2085a74c683c35808eb5efd36
SHA256	95080a336e0e41887a3af3eecc9db1499527a075a2e7c3e95f326d65dd1f608a
SHA512	f1d754300e088ef807fdb1f9ed8dc5c78a05aa3e4e043e7843cdcab21f6df8184df7ea4d238c2f6e06e9160f0ce13b98817876249fa92ef284b02abe5bc1a6c3

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

MD5	435c4790818ba65af127f616ddce2f22
SHA1	c65d641aa1d6847eab77357255f03421cfaba738
SHA256	248cf551b71652f712b0713454a1c108e91745ccbedc850aef55c59670ff8a84
SHA512	69b776ebac297fa3bf3b1e0ee5c67aadd2217a775aabad58ea246403c15e1a223d78e7170b1eed32e56abe3f104dbabe080cf9b5c616ff51f77acfe278b33db8

memory/2980-117-0x0000000074C70000-0x000000007521B000-memory.dmp

memory/956-196-0x0000000000400000-0x000000000040C000-memory.dmp

memory/956-199-0x0000000000400000-0x000000000040C000-memory.dmp

memory/956-198-0x0000000000400000-0x000000000040C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-17 04:19

Reported

2024-06-17 04:22

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f90529ca77e6ac7ce39707a2cd5cee0ebe071c05ca60e0f23e6fd4788c6f91ec.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Modifies Windows Firewall

evasion

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\SysWOW64\netsh.exe	N/A

Checks computer location settings

Description	Indicator	Process	Target
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Local\Temp\f90529ca77e6ac7ce39707a2cd5cee0ebe071c05ca60e0f23e6fd4788c6f91ec.exe	N/A

Executes dropped EXE

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A

Adds Run key to start application

persistence

Description	Indicator	Process	Target
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe"	C:\Users\Admin\AppData\Local\Temp\f90529ca77e6ac7ce39707a2cd5cee0ebe071c05ca60e0f23e6fd4788c6f91ec.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\f90529ca77e6ac7ce39707a2cd5cee0ebe071c05ca60e0f23e6fd4788c6f91ec.exe"	C:\Users\Admin\AppData\Local\Temp\f90529ca77e6ac7ce39707a2cd5cee0ebe071c05ca60e0f23e6fd4788c6f91ec.exe	N/A

Suspicious use of SetThreadContext

Description	Indicator	Process	Target
PID 4244 set thread context of 3060	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description	Indicator	Process	Target
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: 33	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: SeIncBasePriorityPrivilege	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: 33	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: SeIncBasePriorityPrivilege	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: 33	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: SeIncBasePriorityPrivilege	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: 33	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: SeIncBasePriorityPrivilege	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: 33	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: SeIncBasePriorityPrivilege	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: 33	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: SeIncBasePriorityPrivilege	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: 33	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: SeIncBasePriorityPrivilege	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: 33	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: SeIncBasePriorityPrivilege	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: 33	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: SeIncBasePriorityPrivilege	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: 33	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: SeIncBasePriorityPrivilege	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: 33	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: SeIncBasePriorityPrivilege	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: 33	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: SeIncBasePriorityPrivilege	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: 33	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: SeIncBasePriorityPrivilege	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: 33	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: SeIncBasePriorityPrivilege	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: 33	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: SeIncBasePriorityPrivilege	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: 33	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: SeIncBasePriorityPrivilege	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A

Suspicious use of WriteProcessMemory

Description	Indicator	Process	Target
PID 1520 wrote to memory of 4244	N/A	C:\Users\Admin\AppData\Local\Temp\f90529ca77e6ac7ce39707a2cd5cee0ebe071c05ca60e0f23e6fd4788c6f91ec.exe	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 1520 wrote to memory of 4244	N/A	C:\Users\Admin\AppData\Local\Temp\f90529ca77e6ac7ce39707a2cd5cee0ebe071c05ca60e0f23e6fd4788c6f91ec.exe	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 1520 wrote to memory of 4244	N/A	C:\Users\Admin\AppData\Local\Temp\f90529ca77e6ac7ce39707a2cd5cee0ebe071c05ca60e0f23e6fd4788c6f91ec.exe	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 4244 wrote to memory of 3060	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 4244 wrote to memory of 3060	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 4244 wrote to memory of 3060	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 4244 wrote to memory of 3060	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 4244 wrote to memory of 3060	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 4244 wrote to memory of 3060	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 4244 wrote to memory of 3060	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 4244 wrote to memory of 3060	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 3060 wrote to memory of 1408	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	C:\Windows\SysWOW64\netsh.exe
PID 3060 wrote to memory of 1408	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	C:\Windows\SysWOW64\netsh.exe
PID 3060 wrote to memory of 1408	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	C:\Windows\SysWOW64\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f90529ca77e6ac7ce39707a2cd5cee0ebe071c05ca60e0f23e6fd4788c6f91ec.exe

"C:\Users\Admin\AppData\Local\Temp\f90529ca77e6ac7ce39707a2cd5cee0ebe071c05ca60e0f23e6fd4788c6f91ec.exe"

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

"C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE

Network

Country	Destination	Domain	Proto
US	8.8.8.8:53	g.bing.com	udp
US	13.107.21.237:443	g.bing.com	tcp
US	8.8.8.8:53	74.32.126.40.in-addr.arpa	udp
BE	88.221.83.187:443	www.bing.com	tcp
US	8.8.8.8:53	216.131.50.23.in-addr.arpa	udp
US	8.8.8.8:53	187.83.221.88.in-addr.arpa	udp
US	8.8.8.8:53	doddyfire.linkpc.net	udp
MA	105.156.53.97:10000	doddyfire.linkpc.net	tcp
US	8.8.8.8:53	183.59.114.20.in-addr.arpa	udp
US	8.8.8.8:53	172.210.232.199.in-addr.arpa	udp
US	8.8.8.8:53	206.23.85.13.in-addr.arpa	udp
MA	105.156.53.97:10000	doddyfire.linkpc.net	tcp
US	8.8.8.8:53	doddyfire.linkpc.net	udp
MA	105.156.53.97:10000	doddyfire.linkpc.net	tcp
US	8.8.8.8:53	23.236.111.52.in-addr.arpa	udp
US	8.8.8.8:53	172.214.232.199.in-addr.arpa	udp
MA	105.156.53.97:10000	doddyfire.linkpc.net	tcp
MA	105.156.53.97:10000	doddyfire.linkpc.net	tcp
MA	105.156.53.97:10000	doddyfire.linkpc.net	tcp
US	8.8.8.8:53		udp

Files

memory/1520-0-0x0000000074602000-0x0000000074603000-memory.dmp

memory/1520-1-0x0000000074600000-0x0000000074BB1000-memory.dmp

memory/1520-2-0x0000000074600000-0x0000000074BB1000-memory.dmp

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

MD5	1e39af47eb192f502fec47263e12cb0d
SHA1	158b57ff3f4a72a6f567b428172bc275ce3d5cf3
SHA256	f9945ee6b67d92e9a7bca78a52f47020a374e1f11f57dda304307369328baad5
SHA512	2f7dbe5ef21efd93b271470cbb70a77af9e33c2a7a21454e31959aa22af3dc1c74be7d049c905cf5d9086fee24928c6c62fb61a3d9019fcc3164a8009832ea0f

memory/1520-17-0x0000000074600000-0x0000000074BB1000-memory.dmp

memory/4244-19-0x0000000074600000-0x0000000074BB1000-memory.dmp

memory/4244-18-0x0000000074600000-0x0000000074BB1000-memory.dmp

memory/3060-20-0x0000000000400000-0x000000000040C000-memory.dmp

memory/4244-24-0x0000000074600000-0x0000000074BB1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\chargeable.exe.log

MD5	0a9b4592cd49c3c21f6767c2dabda92f
SHA1	f534297527ae5ccc0ecb2221ddeb8e58daeb8b74
SHA256	c7effe9cb81a70d738dee863991afefab040290d4c4b78b4202383bcb9f88fcd
SHA512	6b878df474e5bbfb8e9e265f15a76560c2ef151dcebc6388c82d7f6f86ffaf83f5ade5a09f1842e493cb6c8fd63b0b88d088c728fd725f7139f965a5ee332307

memory/3060-25-0x0000000074600000-0x0000000074BB1000-memory.dmp

memory/3060-26-0x0000000074600000-0x0000000074BB1000-memory.dmp

Sample ID	240617-exyzdatfnb
Target	f90529ca77e6ac7ce39707a2cd5cee0ebe071c05ca60e0f23e6fd4788c6f91ec
SHA256	f90529ca77e6ac7ce39707a2cd5cee0ebe071c05ca60e0f23e6fd4788c6f91ec
Tags	njrat neuf evasion persistence trojan

Malware Analysis Report

2024-08-06 19:46

Table of Contents

Analysis Overview

Threat Level: Known bad

Malicious Activity Summary

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files