njrat | 3b85bff29b551c67997a4e763bf2da6463538fc6697f6e162daf1a6de9f9d636

Analysis

max time kernel
147s
max time network
148s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
04-07-2024 04:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3b85bff29b551c67997a4e763bf2da6463538fc6697f6e162daf1a6de9f9d636.exe
Size

116KB
MD5

b6d002079290cdd6f4c05eea7db27ad0
SHA1

fbc42b4d3a1f84deb54fd864e28e1215e6e78ced
SHA256

3b85bff29b551c67997a4e763bf2da6463538fc6697f6e162daf1a6de9f9d636
SHA512

c63d6761785021c3e9be5b7807071876c31e183f5cc670f842c9c40bac13d56500730738d034cec4af27e31159535e61cd01669031658036caa8f7c9b304a9f8
SSDEEP

1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMDLZD:P5eznsjsguGDFqGZ2rDLZD

Score

10^/10

njrat neuf evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

neuf

doddyfire.linkpc.net:10000

Mutex

e1a87040f2026369a233f9ae76301b7b

Attributes

reg_key
e1a87040f2026369a233f9ae76301b7b
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2820	netsh.exe

Executes dropped EXE 2 IoCs

pid	Process
1888	chargeable.exe
2480	chargeable.exe

Loads dropped DLL 2 IoCs

pid	Process
2232	3b85bff29b551c67997a4e763bf2da6463538fc6697f6e162daf1a6de9f9d636.exe
2232	3b85bff29b551c67997a4e763bf2da6463538fc6697f6e162daf1a6de9f9d636.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe"	3b85bff29b551c67997a4e763bf2da6463538fc6697f6e162daf1a6de9f9d636.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3b85bff29b551c67997a4e763bf2da6463538fc6697f6e162daf1a6de9f9d636.exe"	3b85bff29b551c67997a4e763bf2da6463538fc6697f6e162daf1a6de9f9d636.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1888 set thread context of 2480	1888	chargeable.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeDebugPrivilege	2480	chargeable.exe
Token: 33	2480	chargeable.exe
Token: SeIncBasePriorityPrivilege	2480	chargeable.exe
Token: 33	2480	chargeable.exe
Token: SeIncBasePriorityPrivilege	2480	chargeable.exe
Token: 33	2480	chargeable.exe
Token: SeIncBasePriorityPrivilege	2480	chargeable.exe
Token: 33	2480	chargeable.exe
Token: SeIncBasePriorityPrivilege	2480	chargeable.exe
Token: 33	2480	chargeable.exe
Token: SeIncBasePriorityPrivilege	2480	chargeable.exe
Token: 33	2480	chargeable.exe
Token: SeIncBasePriorityPrivilege	2480	chargeable.exe
Token: 33	2480	chargeable.exe
Token: SeIncBasePriorityPrivilege	2480	chargeable.exe
Token: 33	2480	chargeable.exe
Token: SeIncBasePriorityPrivilege	2480	chargeable.exe
Token: 33	2480	chargeable.exe
Token: SeIncBasePriorityPrivilege	2480	chargeable.exe
Token: 33	2480	chargeable.exe
Token: SeIncBasePriorityPrivilege	2480	chargeable.exe
Token: 33	2480	chargeable.exe
Token: SeIncBasePriorityPrivilege	2480	chargeable.exe
Token: 33	2480	chargeable.exe
Token: SeIncBasePriorityPrivilege	2480	chargeable.exe
Token: 33	2480	chargeable.exe
Token: SeIncBasePriorityPrivilege	2480	chargeable.exe
Token: 33	2480	chargeable.exe
Token: SeIncBasePriorityPrivilege	2480	chargeable.exe
Token: 33	2480	chargeable.exe
Token: SeIncBasePriorityPrivilege	2480	chargeable.exe
Token: 33	2480	chargeable.exe
Token: SeIncBasePriorityPrivilege	2480	chargeable.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 1888	2232	3b85bff29b551c67997a4e763bf2da6463538fc6697f6e162daf1a6de9f9d636.exe	28
PID 2232 wrote to memory of 1888	2232	3b85bff29b551c67997a4e763bf2da6463538fc6697f6e162daf1a6de9f9d636.exe	28
PID 2232 wrote to memory of 1888	2232	3b85bff29b551c67997a4e763bf2da6463538fc6697f6e162daf1a6de9f9d636.exe	28
PID 2232 wrote to memory of 1888	2232	3b85bff29b551c67997a4e763bf2da6463538fc6697f6e162daf1a6de9f9d636.exe	28
PID 1888 wrote to memory of 2480	1888	chargeable.exe	29
PID 1888 wrote to memory of 2480	1888	chargeable.exe	29
PID 1888 wrote to memory of 2480	1888	chargeable.exe	29
PID 1888 wrote to memory of 2480	1888	chargeable.exe	29
PID 1888 wrote to memory of 2480	1888	chargeable.exe	29
PID 1888 wrote to memory of 2480	1888	chargeable.exe	29
PID 1888 wrote to memory of 2480	1888	chargeable.exe	29
PID 1888 wrote to memory of 2480	1888	chargeable.exe	29
PID 1888 wrote to memory of 2480	1888	chargeable.exe	29
PID 2480 wrote to memory of 2820	2480	chargeable.exe	30
PID 2480 wrote to memory of 2820	2480	chargeable.exe	30
PID 2480 wrote to memory of 2820	2480	chargeable.exe	30
PID 2480 wrote to memory of 2820	2480	chargeable.exe	30

C:\Users\Admin\AppData\Local\Temp\3b85bff29b551c67997a4e763bf2da6463538fc6697f6e162daf1a6de9f9d636.exe
"C:\Users\Admin\AppData\Local\Temp\3b85bff29b551c67997a4e763bf2da6463538fc6697f6e162daf1a6de9f9d636.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
  "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1888
- - C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
    C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2480
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\37C951188967C8EB88D99893D9D191FE

Filesize
1KB

MD5
cba2426f2aafe31899569ace05e89796

SHA1
3bfb16faefd762b18f033cb2de6ceb77db9d2390

SHA256
a465febe8a024e3cdb548a3731b2ea60c7b2919e941a24b9a42890b2b039b85a

SHA512
395cce81a7966f02c49129586815b833c8acfe6efbb8795e56548f32819270c654074622b7fa880121ce7fbd29725af6f69f89b8c7e02c64d1bbffbfe0620c68

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C0018BB1B5834735BFA60CD063B31956

Filesize
1KB

MD5
fc1193c6345ac35188aa3de0f824ceb7

SHA1
8fb5606f5380ac6ace7bb4e7c71b6750362e8c5f

SHA256
bdfb8faff4c0c0a15c642890a5544bd32f930f55ca199470dbd4736a32d6e200

SHA512
480a3ad52cf215db3cede6ad93293f8f031c2cb7a190c6f4cbcd0f3eb06f5c81c7f13d304a495945192e759ab5403245acef7be0149b8615ce2b194927f3dec4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FE

Filesize
264B

MD5
3407ccfeb98eccc9d2567526fbccb867

SHA1
17d3f8dfa6f32dfb512fb5dc00bb0600990418a7

SHA256
a9558ac91592352a7b8d96cd4af08de9104336e9a1445802733b04a869685f0e

SHA512
064285008e6fd8cd7654bbb51cdb0c2161209e0935381505bacb66426f2d4292e1c0cab6770fea78341b5ea8ec8942a598e59152a9e6500875ff39aebbd696c3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c993a75d59a33df3fa352b895c33e144

SHA1
f46a096c297a87e968b575aba4893fd54408db58

SHA256
42010ac657a0b12a5be82a8ee6b7a2bdf97e37e6e123284036486b4e5bb7c8f8

SHA512
472b4903bd40f6a97b02b86f41c8a40566ceb5e370b427b3e0c5335c74588c7602fe37c04ad9cf1d7a0e1bed89d5fcdb5d8ca28cb19096dd1353bb4b2481cc73

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
25b32f9674ab10440ff2eace6cefd2f2

SHA1
4a7c79d2eeb571e1d199ba228a078f6d29b6605c

SHA256
dc002625906a61ef99d1c46e3bddab3191a5c29f7e896dbda77084861c56aae1

SHA512
c753881fd955b4818dd802376a3aa34c7dba9f094cf6d72f1ab176427f36f8056a623445984f93cf4c3c84826912be8f6293cfd8e575fe1c5a7d704733390133

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7d709a344a76d3d6223d3f1652ca7418

SHA1
4b5812cfb09e1a93cc67a1b419ab89e869c36cd3

SHA256
6f73b83ab7acb2db468ff4cc68d00e902e2bc35aacea667b3ef04ee307af40b1

SHA512
fcca68e1dddc281d81cd22be09da6fdb5f11e5339f3ab50676c35dffd886a841369baac70f87a427e042c3b3d2ff5d4df2d8b069b286636d606e8280a698ae61

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C0018BB1B5834735BFA60CD063B31956

Filesize
252B

MD5
556f137f1917de9d19a16c8a523f50cb

SHA1
0f952ed69fc170c3258b3f2c3dd658865b9b2d08

SHA256
c66b1af8ce86f9730552074ebac869a56f9068989049f3d744737f8fcfa274fd

SHA512
86f92fbe70d58638f602b70e896cd6ec55f9e4255df79132ea7f71ddabcabe519714c4791c5b31f6a70a73389604021f9b1a69e6a0a059d6b9f9295342fbdbbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD6B.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar10E1.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD7D.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
\Users\Admin\AppData\Roaming\confuse\chargeable.exe

Filesize
116KB

MD5
f7ab7395c5af110836e063bac3cae8f8

SHA1
e271bdec333c7d42c8eea84a4b349b96e726403f

SHA256
88ffba84d824211324c4d9b75ee83f05d806f63b2bcfaefd64c292b02b94b673

SHA512
7e5eb15625964cbfe34642fcb28c4c7b54f4c073014d4f68354ede9375fa9b1acf5335964df6f71c26ba60dfd136fbc60881cb5f9598a697cbf7c37c1f68d2f1

Download Submit
memory/2232-205-0x00000000748D0000-0x0000000074E7B000-memory.dmp

Filesize
5.7MB

Download
memory/2232-1-0x00000000748D0000-0x0000000074E7B000-memory.dmp

Filesize
5.7MB

Download
memory/2232-0-0x00000000748D1000-0x00000000748D2000-memory.dmp

Filesize
4KB

Download
memory/2480-365-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2480-368-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2480-367-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads