Malware Analysis Report

2024-10-23 20:44

Sample ID 240916-wn234ssajf
Target Trojan.MSIL.Formbook.EE.MTB-1ebe4204410e273fe3c1512725ae8d5f7b9fd13043368eb34f64b60122def206N
SHA256 1ebe4204410e273fe3c1512725ae8d5f7b9fd13043368eb34f64b60122def206
Tags
njrat neuf discovery evasion persistence privilege_escalation trojan
score
10/10

Analysis Overview

score
10/10

SHA256

1ebe4204410e273fe3c1512725ae8d5f7b9fd13043368eb34f64b60122def206

Threat Level: Known bad

The file Trojan.MSIL.Formbook.EE.MTB-1ebe4204410e273fe3c1512725ae8d5f7b9fd13043368eb34f64b60122def206N was found to be: Known bad.

Malicious Activity Summary

njrat neuf discovery evasion persistence privilege_escalation trojan

njRAT/Bladabindi

Modifies Windows Firewall

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2024-09-16 18:04

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-16 18:04

Reported

2024-09-16 18:07

Platform

win7-20240903-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Trojan.MSIL.Formbook.EE.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe" C:\Users\Admin\AppData\Local\Temp\Trojan.MSIL.Formbook.EE.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.MSIL.Formbook.EE.exe" C:\Users\Admin\AppData\Local\Temp\Trojan.MSIL.Formbook.EE.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2360 set thread context of 2776 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Trojan.MSIL.Formbook.EE.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2688 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\Trojan.MSIL.Formbook.EE.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2688 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\Trojan.MSIL.Formbook.EE.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2688 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\Trojan.MSIL.Formbook.EE.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2688 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\Trojan.MSIL.Formbook.EE.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2360 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2360 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2360 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2360 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2360 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2360 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2360 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2360 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2360 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2776 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Windows\SysWOW64\netsh.exe
PID 2776 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Windows\SysWOW64\netsh.exe
PID 2776 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Windows\SysWOW64\netsh.exe
PID 2776 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Windows\SysWOW64\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Trojan.MSIL.Formbook.EE.exe

"C:\Users\Admin\AppData\Local\Temp\Trojan.MSIL.Formbook.EE.exe"

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

"C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE

Network

Country Destination Domain Proto
US 8.8.8.8:53 doddyfire.linkpc.net udp
CN 171.213.139.100:10000 doddyfire.linkpc.net tcp
CN 171.213.139.100:10000 doddyfire.linkpc.net tcp
CN 171.213.139.100:10000 doddyfire.linkpc.net tcp
CN 171.213.139.100:10000 doddyfire.linkpc.net tcp
US 8.8.8.8:53 doddyfire.linkpc.net udp
CN 171.213.139.100:10000 doddyfire.linkpc.net tcp

Files

memory/2688-0-0x0000000074C01000-0x0000000074C02000-memory.dmp

memory/2688-8-0x0000000074C00000-0x00000000751AB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab1BCC.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar1BEF.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c9fe4f0d62b2ec50a410fdf354ca1ea7
SHA1 fb2ed798762829b45414693834aa15a1c7fb9c7a
SHA256 43d70abf4cee63f95ed28528f146a1c77d4823cc3f71fb50434940fdcc6e965e
SHA512 f22f1131e03b691a6ac9375872a08e0f74f8d233b2f4179c6bcfa3cdd24c568d60fc5df5ecf51dfc4cc4953473691b0d087ecfa1b332c3583e56fd7c90dcc702

\Users\Admin\AppData\Roaming\confuse\chargeable.exe

MD5 923701ea7a1b85f3fb48f5ed2ac561d6
SHA1 cb7d7f387ddb6bd5a9e79e002837101f16bc8c74
SHA256 b168da39e966722fc22060b05e57d451b6223d81825f0ca9708006d53e889434
SHA512 98ab6224354f9fbe58ae9cb4f921ce363110aabea71d5423c168ed9f8e44ce6ccd5675478d918f0bcd21b43f8d1febb9bb1c36960f4a93dfe6039ca2fea4b0c4

memory/2688-176-0x0000000074C00000-0x00000000751AB000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 042c90ce1ba702201f92363c26f46cce
SHA1 fbbf1f9563f1bc1e9d58dfcd3e593f013a9a926c
SHA256 8d3bf0d11d69ad6890ca8c1d26dd6ee2c91a114072da7f8318fc686ff8e0ccc5
SHA512 ec0c2dc8bf84496cd06f2fb9b202e8a7a7d363f99fa03058e3dbeb3983ec79c8389f5e4782c9833c8cedf2dd4c2059665d8412cf5a948b73c788201f1faca512

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e7d5f8985ceee34020b1e43ff164f26d
SHA1 1c775443477f91181daf13e32ce77543b2b21058
SHA256 a9b9761b37fde8ef9ae3dfcbbc1d35e1c44edfd86e341008a5f5a83f21d0fea1
SHA512 099f835f33f0c02cefa48664e9e43ac6aa467e66b645a1e622ff58f3a8ef9aa5d394d67ab7ef9584f17595700ca853d15060c48daa7f55f04056980c4b3e1a90

memory/2776-343-0x0000000000400000-0x000000000040C000-memory.dmp

memory/2776-342-0x0000000000400000-0x000000000040C000-memory.dmp

memory/2776-340-0x0000000000400000-0x000000000040C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-16 18:04

Reported

2024-09-16 18:06

Platform

win10v2004-20240802-en

Max time kernel

114s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Trojan.MSIL.Formbook.EE.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Trojan.MSIL.Formbook.EE.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe" C:\Users\Admin\AppData\Local\Temp\Trojan.MSIL.Formbook.EE.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.MSIL.Formbook.EE.exe" C:\Users\Admin\AppData\Local\Temp\Trojan.MSIL.Formbook.EE.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2792 set thread context of 2152 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Trojan.MSIL.Formbook.EE.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4068 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\Trojan.MSIL.Formbook.EE.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 4068 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\Trojan.MSIL.Formbook.EE.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 4068 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\Trojan.MSIL.Formbook.EE.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2792 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2792 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2792 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2792 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2792 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2792 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2792 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2792 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2152 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Windows\SysWOW64\netsh.exe
PID 2152 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Windows\SysWOW64\netsh.exe
PID 2152 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Windows\SysWOW64\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Trojan.MSIL.Formbook.EE.exe

"C:\Users\Admin\AppData\Local\Temp\Trojan.MSIL.Formbook.EE.exe"

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

"C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 doddyfire.linkpc.net udp
CN 171.213.139.100:10000 doddyfire.linkpc.net tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
CN 171.213.139.100:10000 doddyfire.linkpc.net tcp
US 8.8.8.8:53 44.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 doddyfire.linkpc.net udp
CN 171.213.139.100:10000 doddyfire.linkpc.net tcp
CN 171.213.139.100:10000 doddyfire.linkpc.net tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 doddyfire.linkpc.net udp
CN 171.213.139.100:10000 doddyfire.linkpc.net tcp

Files

memory/4068-0-0x0000000074892000-0x0000000074893000-memory.dmp

memory/4068-1-0x0000000074890000-0x0000000074E41000-memory.dmp

memory/4068-2-0x0000000074890000-0x0000000074E41000-memory.dmp

memory/4068-6-0x0000000074892000-0x0000000074893000-memory.dmp

memory/4068-7-0x0000000074890000-0x0000000074E41000-memory.dmp

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

MD5 19afac4a740e64bc22feac05a27acd33
SHA1 3b3bba8a92364f3a1a903015726583c5bb7a02e9
SHA256 8f25af1c1ad58d5ce5de3c210b359df7e0fa23aec0453505172672055d72be49
SHA512 04f27d8ca3e428f64fb3f276738110911ce48d7327e0fa7f55b4af6a1315f52df50ff76603f7eb954ed4d771e8d3884eb1d39354ed0f101ba36f2bd49c316168

memory/4068-20-0x0000000074890000-0x0000000074E41000-memory.dmp

memory/2792-21-0x0000000074890000-0x0000000074E41000-memory.dmp

memory/4068-19-0x0000000074890000-0x0000000074E41000-memory.dmp

memory/2792-22-0x0000000074890000-0x0000000074E41000-memory.dmp

memory/2792-23-0x0000000074890000-0x0000000074E41000-memory.dmp

memory/2152-24-0x0000000000400000-0x000000000040C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\chargeable.exe.log

MD5 0a9b4592cd49c3c21f6767c2dabda92f
SHA1 f534297527ae5ccc0ecb2221ddeb8e58daeb8b74
SHA256 c7effe9cb81a70d738dee863991afefab040290d4c4b78b4202383bcb9f88fcd
SHA512 6b878df474e5bbfb8e9e265f15a76560c2ef151dcebc6388c82d7f6f86ffaf83f5ade5a09f1842e493cb6c8fd63b0b88d088c728fd725f7139f965a5ee332307

memory/2152-29-0x0000000074890000-0x0000000074E41000-memory.dmp

memory/2792-28-0x0000000074890000-0x0000000074E41000-memory.dmp

memory/2152-30-0x0000000074890000-0x0000000074E41000-memory.dmp

memory/2152-31-0x0000000074890000-0x0000000074E41000-memory.dmp