njrat | f3e72ad4740bcef1746ca93fdb0ee8d70f7c7f4aef0017aebed18173d6fcffe2

Analysis

max time kernel
118s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13-01-2025 00:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f3e72ad4740bcef1746ca93fdb0ee8d70f7c7f4aef0017aebed18173d6fcffe2.exe
Size

120KB
MD5

d986b47402659be6080d4ed28b9f0875
SHA1

db348146d329c59b7fe35a87d228db2b9e22b906
SHA256

f3e72ad4740bcef1746ca93fdb0ee8d70f7c7f4aef0017aebed18173d6fcffe2
SHA512

14e5258df799fd5c9f428b692def624063484933e788f2e05469bd281e5d2330928cd9a1f595f260dcd99b3713f49d371ebf09b0ee4282bc08edaf05b085fb3b
SSDEEP

1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMDLVgd:P5eznsjsguGDFqGZ2rDLm

Score

10^/10

njrat neuf discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

neuf

doddyfire.linkpc.net:10000

Mutex

e1a87040f2026369a233f9ae76301b7b

Attributes

reg_key
e1a87040f2026369a233f9ae76301b7b
splitter
|'|'|

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2904	netsh.exe

Executes dropped EXE 3 IoCs

pid	Process
1692	chargeable.exe
316	chargeable.exe
2248	chargeable.exe

Loads dropped DLL 2 IoCs

pid	Process
1632	f3e72ad4740bcef1746ca93fdb0ee8d70f7c7f4aef0017aebed18173d6fcffe2.exe
1632	f3e72ad4740bcef1746ca93fdb0ee8d70f7c7f4aef0017aebed18173d6fcffe2.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe"	f3e72ad4740bcef1746ca93fdb0ee8d70f7c7f4aef0017aebed18173d6fcffe2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\f3e72ad4740bcef1746ca93fdb0ee8d70f7c7f4aef0017aebed18173d6fcffe2.exe"	f3e72ad4740bcef1746ca93fdb0ee8d70f7c7f4aef0017aebed18173d6fcffe2.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1692 set thread context of 316	1692	chargeable.exe	32
PID 1692 set thread context of 2248	1692	chargeable.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chargeable.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f3e72ad4740bcef1746ca93fdb0ee8d70f7c7f4aef0017aebed18173d6fcffe2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chargeable.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	316	chargeable.exe
Token: 33	316	chargeable.exe
Token: SeIncBasePriorityPrivilege	316	chargeable.exe
Token: 33	316	chargeable.exe
Token: SeIncBasePriorityPrivilege	316	chargeable.exe
Token: 33	316	chargeable.exe
Token: SeIncBasePriorityPrivilege	316	chargeable.exe
Token: 33	316	chargeable.exe
Token: SeIncBasePriorityPrivilege	316	chargeable.exe
Token: 33	316	chargeable.exe
Token: SeIncBasePriorityPrivilege	316	chargeable.exe
Token: 33	316	chargeable.exe
Token: SeIncBasePriorityPrivilege	316	chargeable.exe
Token: 33	316	chargeable.exe
Token: SeIncBasePriorityPrivilege	316	chargeable.exe
Token: 33	316	chargeable.exe
Token: SeIncBasePriorityPrivilege	316	chargeable.exe
Token: 33	316	chargeable.exe
Token: SeIncBasePriorityPrivilege	316	chargeable.exe
Token: 33	316	chargeable.exe
Token: SeIncBasePriorityPrivilege	316	chargeable.exe
Token: 33	316	chargeable.exe
Token: SeIncBasePriorityPrivilege	316	chargeable.exe
Token: 33	316	chargeable.exe
Token: SeIncBasePriorityPrivilege	316	chargeable.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 1632 wrote to memory of 1692	1632	f3e72ad4740bcef1746ca93fdb0ee8d70f7c7f4aef0017aebed18173d6fcffe2.exe	30
PID 1632 wrote to memory of 1692	1632	f3e72ad4740bcef1746ca93fdb0ee8d70f7c7f4aef0017aebed18173d6fcffe2.exe	30
PID 1632 wrote to memory of 1692	1632	f3e72ad4740bcef1746ca93fdb0ee8d70f7c7f4aef0017aebed18173d6fcffe2.exe	30
PID 1632 wrote to memory of 1692	1632	f3e72ad4740bcef1746ca93fdb0ee8d70f7c7f4aef0017aebed18173d6fcffe2.exe	30
PID 1692 wrote to memory of 2248	1692	chargeable.exe	31
PID 1692 wrote to memory of 2248	1692	chargeable.exe	31
PID 1692 wrote to memory of 2248	1692	chargeable.exe	31
PID 1692 wrote to memory of 2248	1692	chargeable.exe	31
PID 1692 wrote to memory of 316	1692	chargeable.exe	32
PID 1692 wrote to memory of 316	1692	chargeable.exe	32
PID 1692 wrote to memory of 316	1692	chargeable.exe	32
PID 1692 wrote to memory of 316	1692	chargeable.exe	32
PID 1692 wrote to memory of 316	1692	chargeable.exe	32
PID 1692 wrote to memory of 316	1692	chargeable.exe	32
PID 1692 wrote to memory of 316	1692	chargeable.exe	32
PID 1692 wrote to memory of 316	1692	chargeable.exe	32
PID 1692 wrote to memory of 316	1692	chargeable.exe	32
PID 1692 wrote to memory of 2248	1692	chargeable.exe	31
PID 1692 wrote to memory of 2248	1692	chargeable.exe	31
PID 1692 wrote to memory of 2248	1692	chargeable.exe	31
PID 1692 wrote to memory of 2248	1692	chargeable.exe	31
PID 1692 wrote to memory of 2248	1692	chargeable.exe	31
PID 316 wrote to memory of 2904	316	chargeable.exe	34
PID 316 wrote to memory of 2904	316	chargeable.exe	34
PID 316 wrote to memory of 2904	316	chargeable.exe	34
PID 316 wrote to memory of 2904	316	chargeable.exe	34

C:\Users\Admin\AppData\Local\Temp\f3e72ad4740bcef1746ca93fdb0ee8d70f7c7f4aef0017aebed18173d6fcffe2.exe
"C:\Users\Admin\AppData\Local\Temp\f3e72ad4740bcef1746ca93fdb0ee8d70f7c7f4aef0017aebed18173d6fcffe2.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1632
- C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
  "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1692
- - C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
    C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
    3⤵
    - Executes dropped EXE
    PID:2248
- - C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
    C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:316
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:2904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\37C951188967C8EB88D99893D9D191FE

Filesize
1KB

MD5
fa84e4bcc92aa5db735ab50711040cde

SHA1
084f1cb4c47fdd3be1c833f58359ec8e16f61eb4

SHA256
6d7205e794fde4219a62d9692ecddf612663a5cf20399e79be87b851fca4ca33

SHA512
261a327ed1dffd4166e215d17bfd867df5b77017ba72c879fb2675cfb8eef48b374f6de41da0e51ba7adb9c0165bb2c831840603e873f6429963afd0cb93007f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C0018BB1B5834735BFA60CD063B31956

Filesize
1KB

MD5
3e3aed1c0ba46c98a8ef6b3bec083998

SHA1
8df2ba67925f2c9580ead34fc567acd35c55b416

SHA256
3fab079f84b987b1a1e305228bd9d2c7dc9a4033b62d3715073c009391fc949f

SHA512
f0afb50c3ca2843e0dde736e5ce6d327ad2b70ae3e04c46c658878208dbd242059efc414f8eff22e9e6034a4a4948b34bdd612c5156c3d9a7fcbd38238066b29

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FE

Filesize
264B

MD5
245ef21018084976996abf3405835b78

SHA1
693ea2f7a1ba26d130f69427aaebcbc026cb6352

SHA256
c5eea923eae19603b82de828eee968e258c639ce2c8cd900f5e0b624ff308cda

SHA512
d62af1166c4e3da110372da1d8e05d926c6923f8ee6e17c352c224c816d05602a5ce5c5f3fe56beb7820ae7e9dff11d1162fd671c779e3f8d65a9c962b6c0cab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5736ab4485ec2f810004879e34f1ba33

SHA1
da7d42980270fe3232c1ece99f9af7651c7ad1cb

SHA256
1a58d046cd8177edfc50b64666f6d005785a98d8b4bf366b089afee59e6b6e0e

SHA512
9b70d669950617bd2334b9eac58798452bd82799d07a52ac49bed3eac560d678d46fbfbafb9bdbf10f9bfca8f52c872fb07314cf28cdff3fbe87ba1fbf841756

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aa271b6b4384ebd98e4d849086149fab

SHA1
792a131ccc7fc1726fdeb53337a14ec8c765a90c

SHA256
f832b193ba751e8401cc710a3921329bb56e91c3da5629a94b8cb4efefcaff26

SHA512
11850cdb0b72c9f1ee2b9adac6f9c5f822008d58d534a823b2b4d7ca8e0c3a08152025ccb8fa07b1429770d421ea7a272afc0245787f9d88603f992662604199

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4e46c4c39ae4188ceb43ba75806ae31b

SHA1
efc226939a4d6d196e5820e7f16368088d1a9bb9

SHA256
23425dc29ddfb67838ce5da32debb8baf4aa2a38e48233e394b6374a89a0133f

SHA512
af9a59d0eb1e61170e3729cf599034c0afbaadc3f778ec16516aabcbfafcc4e0ff4ef5215434492ea26b26a76b41be98c0c5f96baaf63761a8ff290bb6b24e53

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C0018BB1B5834735BFA60CD063B31956

Filesize
252B

MD5
7abc3e8344746f31fa92a2622d29a043

SHA1
49b78218d4f82f0ba6ed9fd8158c142df803f95f

SHA256
f94c2a0624d55b6e6f5e4739c96e05db864bef0912fc45962f695f7f11f51988

SHA512
421c0437b53310c136b0b4cf5e66dbcdc205c7c366643ac5510955dee884bd6e8fa7ca24e0ca5227f8a14c3e5eafd5776e92aa351d8f1142175790459a0578c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab824C.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar826E.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

Filesize
120KB

MD5
cccf45956d6682f5b0bfc1f2fc71f613

SHA1
a3154fd07e431fd7c360871fc32b90d683e50745

SHA256
18fa33d71fc0a3ea8a66ac6a04d8f4415a79953e9d336a16d3e82a239c497082

SHA512
ceec987ff4bbcfb850a00cdf3b45bb771f157643734e683c8a5ac18aeef65ee49d35eae89709f5ea76df5c548efcfdc5ae5235f01fcfca1dbd396cd81f771687

Download Submit
memory/316-347-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/316-352-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/316-351-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1632-179-0x0000000074530000-0x0000000074ADB000-memory.dmp

Filesize
5.7MB

Download
memory/1632-0-0x0000000074531000-0x0000000074532000-memory.dmp

Filesize
4KB

Download
memory/1632-8-0x0000000074530000-0x0000000074ADB000-memory.dmp

Filesize
5.7MB

Download
memory/1632-169-0x0000000074530000-0x0000000074ADB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads