Analysis Overview
SHA256: cfca7dd90f42a2c647d366e15ee7c0eac06bd6c115145cd2948b63c50630fe3c
Threat Level: Known bad
The file 0a6db9793f1f6d7221219891c5dc3a10.bin was found to be: Known bad.
Malicious Activity Summary
njRAT/Bladabindi
Modifies Windows Firewall
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Suspicious use of SetThreadContext
Event Triggered Execution: Netsh Helper DLL
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-08-06 02:13
Signatures
Analysis: behavioral1
Detonation Overview
Submitted: 2024-08-06 02:13
Reported: 2024-08-06 02:16
Platform: win7-20240708-en
Max time kernel: 146s
Max time network: 146s
Signatures
njRAT/Bladabindi
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0a6db9793f1f6d7221219891c5dc3a10.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0a6db9793f1f6d7221219891c5dc3a10.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe" | C:\Users\Admin\AppData\Local\Temp\0a6db9793f1f6d7221219891c5dc3a10.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0a6db9793f1f6d7221219891c5dc3a10.exe" | C:\Users\Admin\AppData\Local\Temp\0a6db9793f1f6d7221219891c5dc3a10.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1284 set thread context of 2876 | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0a6db9793f1f6d7221219891c5dc3a10.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0a6db9793f1f6d7221219891c5dc3a10.exe
"C:\Users\Admin\AppData\Local\Temp\0a6db9793f1f6d7221219891c5dc3a10.exe"
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
"C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 92.123.143.234:80 | crl.microsoft.com | tcp |
| US | 8.8.8.8:53 | doddyfire.linkpc.net | udp |
| DE | 188.46.206.74:10000 | doddyfire.linkpc.net | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\CabB740.tmp
C:\Users\Admin\AppData\Local\Temp\TarB762.tmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\37C951188967C8EB88D99893D9D191FE
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FE
Analysis: behavioral2
Detonation Overview
Submitted: 2024-08-06 02:13
Reported: 2024-08-06 02:16
Platform: win10v2004-20240802-en
Max time kernel: 146s
Max time network: 145s
Signatures
njRAT/Bladabindi
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\0a6db9793f1f6d7221219891c5dc3a10.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe" | C:\Users\Admin\AppData\Local\Temp\0a6db9793f1f6d7221219891c5dc3a10.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0a6db9793f1f6d7221219891c5dc3a10.exe" | C:\Users\Admin\AppData\Local\Temp\0a6db9793f1f6d7221219891c5dc3a10.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2364 set thread context of 3528 | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0a6db9793f1f6d7221219891c5dc3a10.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0a6db9793f1f6d7221219891c5dc3a10.exe
"C:\Users\Admin\AppData\Local\Temp\0a6db9793f1f6d7221219891c5dc3a10.exe"
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
"C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | doddyfire.linkpc.net | udp |
| DE | 188.46.206.74:10000 | doddyfire.linkpc.net | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\chargeable.exe.log