Analysis Overview
SHA256
2d68b9d2faf8b3f90fee4e07ed869e78f73c026b71e0ebbee6ba0b059f6e9cb6
Threat Level: Known bad
The file 2d68b9d2faf8b3f90fee4e07ed869e78f73c026b71e0ebbee6ba0b059f6e9cb6 was found to be: Known bad.
Malicious Activity Summary
njRAT/Bladabindi
Modifies Windows Firewall
Loads dropped DLL
Executes dropped EXE
Checks computer location settings
Adds Run key to start application
Suspicious use of SetThreadContext
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-31 19:47
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-31 19:47
Reported
2024-08-31 19:49
Platform
win7-20240704-en
Max time kernel
148s
Max time network
152s
Command Line
Signatures
njRAT/Bladabindi
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2d68b9d2faf8b3f90fee4e07ed869e78f73c026b71e0ebbee6ba0b059f6e9cb6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2d68b9d2faf8b3f90fee4e07ed869e78f73c026b71e0ebbee6ba0b059f6e9cb6.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe" | C:\Users\Admin\AppData\Local\Temp\2d68b9d2faf8b3f90fee4e07ed869e78f73c026b71e0ebbee6ba0b059f6e9cb6.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2d68b9d2faf8b3f90fee4e07ed869e78f73c026b71e0ebbee6ba0b059f6e9cb6.exe" | C:\Users\Admin\AppData\Local\Temp\2d68b9d2faf8b3f90fee4e07ed869e78f73c026b71e0ebbee6ba0b059f6e9cb6.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2164 set thread context of 2744 | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2d68b9d2faf8b3f90fee4e07ed869e78f73c026b71e0ebbee6ba0b059f6e9cb6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2d68b9d2faf8b3f90fee4e07ed869e78f73c026b71e0ebbee6ba0b059f6e9cb6.exe
"C:\Users\Admin\AppData\Local\Temp\2d68b9d2faf8b3f90fee4e07ed869e78f73c026b71e0ebbee6ba0b059f6e9cb6.exe"
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
"C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
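The behavioral1 signatures and process list above record three host-side actions worth detecting on a real endpoint: netsh.exe whitelisting a binary under AppData\Roaming, a Run value under the user's hive pointing into AppData, and chargeable.exe starting a second copy of itself before PID 2164 sets the thread context of PID 2744 (the usual prelude to running a payload inside the child). One caveat on the signature list: the "Event Triggered Execution: Netsh Helper DLL" rows only show netsh.exe opening and enumerating its own HKLM\...\Microsoft\NetSh key, which netsh does on every start to load its helpers; no value is written there in either run, so that signature is a side effect of the firewall command rather than a separate persistence mechanism. The following is an added example, not part of the sandbox report or of any tool it names, that encodes the three observations as rules and runs them over a handful of constructed Sysmon-style events built from the report's own paths, command line and registry value. Field names (EventID, Image, ParentImage, CommandLine, TargetObject, Details) follow Sysmon's conventions; the netsh PID and the two benign control events are constructed; Sysmon does not log SetThreadContext itself, so the third rule uses a same-image parent/child pair from a user-writable directory as a proxy.

```python
import re

# Directories the report's sample lives in; a Run entry or firewall exception that
# points here is worth a look on any host.
USER_WRITABLE = re.compile(r"\\AppData\\(Roaming|Local\\Temp)\\", re.IGNORECASE)
# Per-user autostart values (HKCU or HKU\<SID>), Run and RunOnce.
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.IGNORECASE)


def tokenize(cmdline):
    """Windows-style split: whitespace separates arguments, double quotes group them."""
    return [m.group(0).replace('"', "") for m in re.finditer(r'(?:[^\s"]+|"[^"]*")+', cmdline)]


def firewall_exception_target(cmdline):
    """Program path that a netsh command whitelists, or None if this is not such a command.
    Covers the legacy form in the report ('netsh firewall add allowedprogram <path> <name> ENABLE')
    and the current one ('netsh advfirewall firewall add rule ... program=<path>')."""
    toks = tokenize(cmdline)
    low = [t.lower() for t in toks]
    if not low or "netsh" not in low[0] or "add" not in low:
        return None
    if "allowedprogram" in low:
        i = low.index("allowedprogram")
        return toks[i + 1] if i + 1 < len(toks) else None
    for t in toks:
        if t.lower().startswith("program="):
            return t.split("=", 1)[1]
    return None


def run_rules(events):
    """Apply the three rules to Sysmon-style events; return findings in event order."""
    findings = []
    for ev in events:
        if ev["EventID"] == 1:  # ProcessCreate
            target = firewall_exception_target(ev.get("CommandLine", ""))
            if target and USER_WRITABLE.search(target):
                findings.append({"rule": "firewall_exception_user_dir", "pid": ev["ProcessId"], "evidence": target})
            if ev.get("ParentImage", "").lower() == ev["Image"].lower() and USER_WRITABLE.search(ev["Image"]):
                findings.append({"rule": "self_spawn_from_user_dir", "pid": ev["ProcessId"], "evidence": ev["Image"]})
        elif ev["EventID"] == 13:  # RegistryEvent, value set
            details = ev.get("Details", "").replace("\\\\", "\\")  # the report prints backslashes doubled
            if RUN_KEY.search(ev["TargetObject"]) and USER_WRITABLE.search(details):
                findings.append({"rule": "run_key_user_dir", "pid": ev["ProcessId"], "evidence": ev["TargetObject"]})
    return findings


SAMPLE_EVENTS = [  # constructed from the report's behavioral1 values; not a real log
    {"EventID": 1, "ProcessId": 2744, "ParentProcessId": 2164,
     "Image": r"C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe",
     "ParentImage": r"C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe",
     "CommandLine": r"C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"},
    {"EventID": 1, "ProcessId": 2900,  # PID constructed; the report does not give netsh's PID
     "Image": r"C:\Windows\SysWOW64\netsh.exe",
     "CommandLine": r'netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE'},
    {"EventID": 13, "ProcessId": 2084,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\2d68b9d2faf8b3f90fee4e07ed869e78f73c026b71e0ebbee6ba0b059f6e9cb6.exe",
     "TargetObject": r"HKU\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\confuse",
     "Details": r"C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe"},
    # Benign controls (constructed): neither should fire.
    {"EventID": 13, "ProcessId": 1000, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "Details": r"C:\Program Files\Vendor\tray.exe"},
    {"EventID": 1, "ProcessId": 1001, "Image": r"C:\Windows\System32\netsh.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'netsh advfirewall firewall add rule name="Vendor Agent" dir=in action=allow program="C:\Program Files\Vendor\agent.exe"'},
]

if __name__ == "__main__":
    for f in run_rules(SAMPLE_EVENTS):
        print(f"{f['rule']:28} pid={f['pid']:<5} {f['evidence']}")
```

Running the file prints the three findings for the sample's events and nothing for the two controls. The self-spawn rule is deliberately narrowed to AppData\Roaming and AppData\Local\Temp because browsers and updaters legitimately spawn copies of themselves from other per-user directories; widen USER_WRITABLE only after checking what that does to your own baseline.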
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | doddyfire.linkpc.net | udp |
| CN | 171.213.139.100:10000 | doddyfire.linkpc.net | tcp |
| CN | 171.213.139.100:10000 | doddyfire.linkpc.net | tcp |
| CN | 171.213.139.100:10000 | doddyfire.linkpc.net | tcp |
| CN | 171.213.139.100:10000 | doddyfire.linkpc.net | tcp |
| CN | 171.213.139.100:10000 | doddyfire.linkpc.net | tcp |
| CN | 171.213.139.100:10000 | doddyfire.linkpc.net | tcp |
Files
memory/2084-2-0x0000000074490000-0x0000000074A3B000-memory.dmp
memory/2084-1-0x0000000074490000-0x0000000074A3B000-memory.dmp
memory/2084-0-0x0000000074491000-0x0000000074492000-memory.dmp
memory/2084-6-0x0000000074490000-0x0000000074A3B000-memory.dmp
\Users\Admin\AppData\Roaming\confuse\chargeable.exe
| MD5 | faf39cc7b354e54a1b370c95ab4b9cc2 |
| SHA1 | a842922b55faa8c2378592f5c8151a75063a725d |
| SHA256 | 2388cbd8ea504fb61817e4fc0f61ade9417762f2fd30c0b10182df30f8126f0c |
| SHA512 | c4687e39bb4dc73e67db3e5ce43b8b2e3f28a72d1dab61011b3bcaf0761aeaf147afac8a38d020d669bac218c62205847fa99c53fd6d3083c54870b9fc4571ad |
memory/2084-16-0x0000000074490000-0x0000000074A3B000-memory.dmp
memory/2164-17-0x0000000074490000-0x0000000074A3B000-memory.dmp
memory/2084-18-0x0000000074490000-0x0000000074A3B000-memory.dmp
memory/2164-25-0x0000000074490000-0x0000000074A3B000-memory.dmp
memory/2164-26-0x0000000074490000-0x0000000074A3B000-memory.dmp
memory/2744-24-0x0000000000400000-0x000000000040C000-memory.dmp
memory/2744-23-0x0000000000400000-0x000000000040C000-memory.dmp
memory/2744-19-0x0000000000400000-0x000000000040C000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-31 19:47
Reported
2024-08-31 19:49
Platform
win10v2004-20240802-en
Max time kernel
147s
Max time network
148s
Command Line
Signatures
njRAT/Bladabindi
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2d68b9d2faf8b3f90fee4e07ed869e78f73c026b71e0ebbee6ba0b059f6e9cb6.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe" | C:\Users\Admin\AppData\Local\Temp\2d68b9d2faf8b3f90fee4e07ed869e78f73c026b71e0ebbee6ba0b059f6e9cb6.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2d68b9d2faf8b3f90fee4e07ed869e78f73c026b71e0ebbee6ba0b059f6e9cb6.exe" | C:\Users\Admin\AppData\Local\Temp\2d68b9d2faf8b3f90fee4e07ed869e78f73c026b71e0ebbee6ba0b059f6e9cb6.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2124 set thread context of 1144 | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2d68b9d2faf8b3f90fee4e07ed869e78f73c026b71e0ebbee6ba0b059f6e9cb6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2d68b9d2faf8b3f90fee4e07ed869e78f73c026b71e0ebbee6ba0b059f6e9cb6.exe
"C:\Users\Admin\AppData\Local\Temp\2d68b9d2faf8b3f90fee4e07ed869e78f73c026b71e0ebbee6ba0b059f6e9cb6.exe"
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
"C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | doddyfire.linkpc.net | udp |
| CN | 171.213.139.100:10000 | doddyfire.linkpc.net | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.139.73.23.in-addr.arpa | udp |
| CN | 171.213.139.100:10000 | doddyfire.linkpc.net | tcp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| CN | 171.213.139.100:10000 | doddyfire.linkpc.net | tcp |
| CN | 171.213.139.100:10000 | doddyfire.linkpc.net | tcp |
| US | 8.8.8.8:53 | 36.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| CN | 171.213.139.100:10000 | doddyfire.linkpc.net | tcp |
| CN | 171.213.139.100:10000 | doddyfire.linkpc.net | tcp |
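Both runs reach the same endpoint, 171.213.139.100 on TCP 10000, resolved from doddyfire.linkpc.net, while the Windows 10 run adds a string of reverse lookups and tse1.mm.bing.net traffic that the sandbox OS generates on its own. The following is an added example, not part of the report, that parses the Network table in the layout above (constructed here from the behavioral2 rows) and separates beacon candidates from that noise. The dynamic-DNS and Windows-background suffix lists are starter assumptions, not something the report states, and should be extended for real use.

```python
from collections import defaultdict

# Starter lists, assumed here rather than taken from the report: free dynamic-DNS
# suffixes commodity RATs favour, and destinations a Windows 10 sandbox contacts on its own.
DDNS_SUFFIXES = ("linkpc.net", "no-ip.org", "ddns.net", "duckdns.org", "hopto.org", "zapto.org")
BACKGROUND_SUFFIXES = ("bing.net", "microsoft.com", "windowsupdate.com")
WEB_PORTS = {80, 443}

# The report's behavioral2 Network table, flattened to 'COUNTRY IP:PORT DOMAIN PROTO' (constructed here).
SAMPLE_ROWS = """\
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 doddyfire.linkpc.net udp
CN 171.213.139.100:10000 doddyfire.linkpc.net tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
CN 171.213.139.100:10000 doddyfire.linkpc.net tcp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
CN 171.213.139.100:10000 doddyfire.linkpc.net tcp
CN 171.213.139.100:10000 doddyfire.linkpc.net tcp
US 8.8.8.8:53 36.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
CN 171.213.139.100:10000 doddyfire.linkpc.net tcp
CN 171.213.139.100:10000 doddyfire.linkpc.net tcp
"""


def parse_rows(text):
    """One dict per table row; port as int, domain lower-cased."""
    rows = []
    for line in text.strip().splitlines():
        country, dest, domain, proto = line.split()
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port), "domain": domain.lower(), "proto": proto})
    return rows


def _under(domain, suffixes):
    return any(domain == s or domain.endswith("." + s) for s in suffixes)


def triage(text):
    """Return (beacon candidates sorted by score, number of rows written off as noise)."""
    conns = defaultdict(int)
    noise = 0
    for r in parse_rows(text):
        if r["domain"].endswith(".in-addr.arpa") or _under(r["domain"], BACKGROUND_SUFFIXES):
            noise += 1  # reverse lookups and OS background traffic
            continue
        if r["port"] == 53 and r["proto"] == "udp":
            continue  # the lookup itself; the connection it enables is judged below
        conns[(r["ip"], r["port"], r["domain"])] += 1

    candidates = []
    for (ip, port, domain), n in conns.items():
        reasons = []
        if _under(domain, DDNS_SUFFIXES):
            reasons.append("dynamic-DNS domain")
        if port not in WEB_PORTS:
            reasons.append(f"non-web port {port}")
        if n >= 3:
            reasons.append(f"{n} connections in one run (beacon-like)")
        candidates.append({"ip": ip, "port": port, "domain": domain, "connections": n,
                           "score": len(reasons), "reasons": reasons})
    candidates.sort(key=lambda c: (-c["score"], -c["connections"]))
    return candidates, noise


if __name__ == "__main__":
    cands, noise = triage(SAMPLE_ROWS)
    print(f"{noise} rows written off as noise")
    for c in cands:
        print(f"{c['domain']} -> {c['ip']}:{c['port']}  score={c['score']}  " + "; ".join(c["reasons"]))
```

On the behavioral2 rows this leaves a single candidate, doddyfire.linkpc.net at 171.213.139.100:10000 with six connections in the run, and writes off 18 rows of reverse lookups and Bing traffic. A DNS name that never resolves is dropped by the port-53 skip; if you want failed C2 lookups surfaced as well, record the udp rows for DDNS domains separately before that check.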
Files
memory/3204-0-0x0000000074CD2000-0x0000000074CD3000-memory.dmp
memory/3204-1-0x0000000074CD0000-0x0000000075281000-memory.dmp
memory/3204-2-0x0000000074CD0000-0x0000000075281000-memory.dmp
memory/3204-6-0x0000000074CD2000-0x0000000074CD3000-memory.dmp
memory/3204-7-0x0000000074CD0000-0x0000000075281000-memory.dmp
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
| MD5 | 3143612c2477af9332e94aefaf963dac |
| SHA1 | d346ef790cf83e7cf7635ab196abd57f077adc2d |
| SHA256 | fcf089f956060b76c425216569fd8897b43c6e8ed902d3b14b239dcbe76b418a |
| SHA512 | 97023f248f856ee7b93e2556395dbb1e880702c8ea70c0bd8248dbd30901e23bd886c5619af08e23dad20f8bb7c1c5ccad7bb51fa5ecbfb050c90b46a73d9e18 |
memory/3204-19-0x0000000074CD0000-0x0000000075281000-memory.dmp
memory/3204-20-0x0000000074CD0000-0x0000000075281000-memory.dmp
memory/2124-21-0x0000000074CD0000-0x0000000075281000-memory.dmp
memory/2124-22-0x0000000074CD0000-0x0000000075281000-memory.dmp
memory/1144-23-0x0000000000400000-0x000000000040C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\chargeable.exe.log
| MD5 | 0a9b4592cd49c3c21f6767c2dabda92f |
| SHA1 | f534297527ae5ccc0ecb2221ddeb8e58daeb8b74 |
| SHA256 | c7effe9cb81a70d738dee863991afefab040290d4c4b78b4202383bcb9f88fcd |
| SHA512 | 6b878df474e5bbfb8e9e265f15a76560c2ef151dcebc6388c82d7f6f86ffaf83f5ade5a09f1842e493cb6c8fd63b0b88d088c728fd725f7139f965a5ee332307 |
memory/1144-27-0x0000000074CD0000-0x0000000075281000-memory.dmp
memory/2124-28-0x0000000074CD0000-0x0000000075281000-memory.dmp
memory/1144-29-0x0000000074CD0000-0x0000000075281000-memory.dmp
memory/1144-30-0x0000000074CD0000-0x0000000075281000-memory.dmp