njrat | 81d37764ce48e1f76d1de50ee831094117ffc239e287e40806801dd0bba097d2

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16-01-2025 03:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

81d37764ce48e1f76d1de50ee831094117ffc239e287e40806801dd0bba097d2.exe
Size

771KB
MD5

beaa68e5cc534b255a5a7f50580fc92a
SHA1

1f0278d90302bd11a53366bdb78fa353b4b1ea58
SHA256

81d37764ce48e1f76d1de50ee831094117ffc239e287e40806801dd0bba097d2
SHA512

ee4a23a968a461032212dea9d3d7102a948034f9c6e733f83e26a9382cb372cb8d9484c2785b548111440ad86086107b615d209611bc6c4dd135bd87968d77a7
SSDEEP

12288:iMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9Us:insJ39LyjbJkQFMhmC+6GD9T

Score

10^/10

njrat xred backdoor discovery macro persistence trojan

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Njrat family
njrat
Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Suspicious Office macro 2 IoCs

Office document equipped with macros.

macro

resource
behavioral1/files/0x000a000000016d27-98.dat
behavioral1/files/0x00070000000193d4-122.dat

Executes dropped EXE 3 IoCs

pid	Process
2532	._cache_81d37764ce48e1f76d1de50ee831094117ffc239e287e40806801dd0bba097d2.exe
2788	Synaptics.exe
2840	._cache_Synaptics.exe

Loads dropped DLL 5 IoCs

pid	Process
2100	81d37764ce48e1f76d1de50ee831094117ffc239e287e40806801dd0bba097d2.exe
2100	81d37764ce48e1f76d1de50ee831094117ffc239e287e40806801dd0bba097d2.exe
2100	81d37764ce48e1f76d1de50ee831094117ffc239e287e40806801dd0bba097d2.exe
2788	Synaptics.exe
2788	Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\????? = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	81d37764ce48e1f76d1de50ee831094117ffc239e287e40806801dd0bba097d2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	81d37764ce48e1f76d1de50ee831094117ffc239e287e40806801dd0bba097d2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_81d37764ce48e1f76d1de50ee831094117ffc239e287e40806801dd0bba097d2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2728	EXCEL.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2532	._cache_81d37764ce48e1f76d1de50ee831094117ffc239e287e40806801dd0bba097d2.exe
Token: SeDebugPrivilege	2840	._cache_Synaptics.exe
Token: 33	2532	._cache_81d37764ce48e1f76d1de50ee831094117ffc239e287e40806801dd0bba097d2.exe
Token: SeIncBasePriorityPrivilege	2532	._cache_81d37764ce48e1f76d1de50ee831094117ffc239e287e40806801dd0bba097d2.exe
Token: 33	2840	._cache_Synaptics.exe
Token: SeIncBasePriorityPrivilege	2840	._cache_Synaptics.exe
Token: 33	2532	._cache_81d37764ce48e1f76d1de50ee831094117ffc239e287e40806801dd0bba097d2.exe
Token: SeIncBasePriorityPrivilege	2532	._cache_81d37764ce48e1f76d1de50ee831094117ffc239e287e40806801dd0bba097d2.exe
Token: 33	2840	._cache_Synaptics.exe
Token: SeIncBasePriorityPrivilege	2840	._cache_Synaptics.exe
Token: 33	2532	._cache_81d37764ce48e1f76d1de50ee831094117ffc239e287e40806801dd0bba097d2.exe
Token: SeIncBasePriorityPrivilege	2532	._cache_81d37764ce48e1f76d1de50ee831094117ffc239e287e40806801dd0bba097d2.exe
Token: 33	2840	._cache_Synaptics.exe
Token: SeIncBasePriorityPrivilege	2840	._cache_Synaptics.exe
Token: 33	2532	._cache_81d37764ce48e1f76d1de50ee831094117ffc239e287e40806801dd0bba097d2.exe
Token: SeIncBasePriorityPrivilege	2532	._cache_81d37764ce48e1f76d1de50ee831094117ffc239e287e40806801dd0bba097d2.exe
Token: 33	2840	._cache_Synaptics.exe
Token: SeIncBasePriorityPrivilege	2840	._cache_Synaptics.exe
Token: 33	2840	._cache_Synaptics.exe
Token: SeIncBasePriorityPrivilege	2840	._cache_Synaptics.exe
Token: 33	2532	._cache_81d37764ce48e1f76d1de50ee831094117ffc239e287e40806801dd0bba097d2.exe
Token: SeIncBasePriorityPrivilege	2532	._cache_81d37764ce48e1f76d1de50ee831094117ffc239e287e40806801dd0bba097d2.exe
Token: 33	2532	._cache_81d37764ce48e1f76d1de50ee831094117ffc239e287e40806801dd0bba097d2.exe
Token: SeIncBasePriorityPrivilege	2532	._cache_81d37764ce48e1f76d1de50ee831094117ffc239e287e40806801dd0bba097d2.exe
Token: 33	2840	._cache_Synaptics.exe
Token: SeIncBasePriorityPrivilege	2840	._cache_Synaptics.exe
Token: 33	2840	._cache_Synaptics.exe
Token: SeIncBasePriorityPrivilege	2840	._cache_Synaptics.exe
Token: 33	2532	._cache_81d37764ce48e1f76d1de50ee831094117ffc239e287e40806801dd0bba097d2.exe
Token: SeIncBasePriorityPrivilege	2532	._cache_81d37764ce48e1f76d1de50ee831094117ffc239e287e40806801dd0bba097d2.exe
Token: 33	2532	._cache_81d37764ce48e1f76d1de50ee831094117ffc239e287e40806801dd0bba097d2.exe
Token: SeIncBasePriorityPrivilege	2532	._cache_81d37764ce48e1f76d1de50ee831094117ffc239e287e40806801dd0bba097d2.exe
Token: 33	2840	._cache_Synaptics.exe
Token: SeIncBasePriorityPrivilege	2840	._cache_Synaptics.exe
Token: 33	2840	._cache_Synaptics.exe
Token: SeIncBasePriorityPrivilege	2840	._cache_Synaptics.exe
Token: 33	2532	._cache_81d37764ce48e1f76d1de50ee831094117ffc239e287e40806801dd0bba097d2.exe
Token: SeIncBasePriorityPrivilege	2532	._cache_81d37764ce48e1f76d1de50ee831094117ffc239e287e40806801dd0bba097d2.exe
Token: 33	2840	._cache_Synaptics.exe
Token: SeIncBasePriorityPrivilege	2840	._cache_Synaptics.exe
Token: 33	2532	._cache_81d37764ce48e1f76d1de50ee831094117ffc239e287e40806801dd0bba097d2.exe
Token: SeIncBasePriorityPrivilege	2532	._cache_81d37764ce48e1f76d1de50ee831094117ffc239e287e40806801dd0bba097d2.exe
Token: 33	2840	._cache_Synaptics.exe
Token: SeIncBasePriorityPrivilege	2840	._cache_Synaptics.exe
Token: 33	2532	._cache_81d37764ce48e1f76d1de50ee831094117ffc239e287e40806801dd0bba097d2.exe
Token: SeIncBasePriorityPrivilege	2532	._cache_81d37764ce48e1f76d1de50ee831094117ffc239e287e40806801dd0bba097d2.exe
Token: 33	2840	._cache_Synaptics.exe
Token: SeIncBasePriorityPrivilege	2840	._cache_Synaptics.exe
Token: 33	2532	._cache_81d37764ce48e1f76d1de50ee831094117ffc239e287e40806801dd0bba097d2.exe
Token: SeIncBasePriorityPrivilege	2532	._cache_81d37764ce48e1f76d1de50ee831094117ffc239e287e40806801dd0bba097d2.exe
Token: 33	2532	._cache_81d37764ce48e1f76d1de50ee831094117ffc239e287e40806801dd0bba097d2.exe
Token: SeIncBasePriorityPrivilege	2532	._cache_81d37764ce48e1f76d1de50ee831094117ffc239e287e40806801dd0bba097d2.exe
Token: 33	2840	._cache_Synaptics.exe
Token: SeIncBasePriorityPrivilege	2840	._cache_Synaptics.exe
Token: 33	2840	._cache_Synaptics.exe
Token: SeIncBasePriorityPrivilege	2840	._cache_Synaptics.exe
Token: 33	2532	._cache_81d37764ce48e1f76d1de50ee831094117ffc239e287e40806801dd0bba097d2.exe
Token: SeIncBasePriorityPrivilege	2532	._cache_81d37764ce48e1f76d1de50ee831094117ffc239e287e40806801dd0bba097d2.exe
Token: 33	2532	._cache_81d37764ce48e1f76d1de50ee831094117ffc239e287e40806801dd0bba097d2.exe
Token: 33	2840	._cache_Synaptics.exe
Token: SeIncBasePriorityPrivilege	2532	._cache_81d37764ce48e1f76d1de50ee831094117ffc239e287e40806801dd0bba097d2.exe
Token: SeIncBasePriorityPrivilege	2840	._cache_Synaptics.exe
Token: 33	2532	._cache_81d37764ce48e1f76d1de50ee831094117ffc239e287e40806801dd0bba097d2.exe
Token: SeIncBasePriorityPrivilege	2532	._cache_81d37764ce48e1f76d1de50ee831094117ffc239e287e40806801dd0bba097d2.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2728	EXCEL.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2100 wrote to memory of 2532	2100	81d37764ce48e1f76d1de50ee831094117ffc239e287e40806801dd0bba097d2.exe	30
PID 2100 wrote to memory of 2532	2100	81d37764ce48e1f76d1de50ee831094117ffc239e287e40806801dd0bba097d2.exe	30
PID 2100 wrote to memory of 2532	2100	81d37764ce48e1f76d1de50ee831094117ffc239e287e40806801dd0bba097d2.exe	30
PID 2100 wrote to memory of 2532	2100	81d37764ce48e1f76d1de50ee831094117ffc239e287e40806801dd0bba097d2.exe	30
PID 2100 wrote to memory of 2788	2100	81d37764ce48e1f76d1de50ee831094117ffc239e287e40806801dd0bba097d2.exe	31
PID 2100 wrote to memory of 2788	2100	81d37764ce48e1f76d1de50ee831094117ffc239e287e40806801dd0bba097d2.exe	31
PID 2100 wrote to memory of 2788	2100	81d37764ce48e1f76d1de50ee831094117ffc239e287e40806801dd0bba097d2.exe	31
PID 2100 wrote to memory of 2788	2100	81d37764ce48e1f76d1de50ee831094117ffc239e287e40806801dd0bba097d2.exe	31
PID 2788 wrote to memory of 2840	2788	Synaptics.exe	32
PID 2788 wrote to memory of 2840	2788	Synaptics.exe	32
PID 2788 wrote to memory of 2840	2788	Synaptics.exe	32
PID 2788 wrote to memory of 2840	2788	Synaptics.exe	32

C:\Users\Admin\AppData\Local\Temp\81d37764ce48e1f76d1de50ee831094117ffc239e287e40806801dd0bba097d2.exe
"C:\Users\Admin\AppData\Local\Temp\81d37764ce48e1f76d1de50ee831094117ffc239e287e40806801dd0bba097d2.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Users\Admin\AppData\Local\Temp\._cache_81d37764ce48e1f76d1de50ee831094117ffc239e287e40806801dd0bba097d2.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_81d37764ce48e1f76d1de50ee831094117ffc239e287e40806801dd0bba097d2.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2532
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2788
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2840

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
771KB

MD5
beaa68e5cc534b255a5a7f50580fc92a

SHA1
1f0278d90302bd11a53366bdb78fa353b4b1ea58

SHA256
81d37764ce48e1f76d1de50ee831094117ffc239e287e40806801dd0bba097d2

SHA512
ee4a23a968a461032212dea9d3d7102a948034f9c6e733f83e26a9382cb372cb8d9484c2785b548111440ad86086107b615d209611bc6c4dd135bd87968d77a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\fcXj4ljZ.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\fcXj4ljZ.xlsm

Filesize
22KB

MD5
0ba3981bdf5f0385a2684ded1fddfd33

SHA1
440152ae481ca27df896e57874e935fd775cf87e

SHA256
c71d566ba67a9e94df399bd2068d9534ac07301eb362baa2293d47a8f71f7131

SHA512
da2f762849e031a1fac8d2d56e353dc0425d7f83ea85a8f055e2a068a56846963f1a0d5ebda1906e5eb9657b02c47bb26bdbed9688ba065fbd16de630abb526b

Download Submit
C:\Users\Admin\AppData\Local\Temp\fcXj4ljZ.xlsm

Filesize
22KB

MD5
fca7929330ae8d508a31dcf50172d63b

SHA1
08e1f734234424e27c3b7740a266ffb49ee33cf2

SHA256
b7f99351a623e401a7474cc0f5d78619de1d252fe92a48256a928a46a20a4432

SHA512
f6295931cbc2fa7474db3d4e9347de0d268e3508ccb6db4cd1307850bb02757527d654695a1ca6bd6bc9cf0b601a9f158b82329d9906805913bb132e9fdf5e58

Download Submit
C:\Users\Admin\AppData\Local\Temp\fcXj4ljZ.xlsm

Filesize
21KB

MD5
d513cc1be295e546ea3ddba628a232f2

SHA1
01515d9b7482a209d75433964822fc419909b4af

SHA256
ffe6d74b922d700ec54f571d881dfac0b8d2aedaf9ee056bbbc5e371bcd2a0a1

SHA512
6507d95ca5ad60ba13477a6a0f76373a22e311dfb0c52b758e9871678fd7cc3842d372bbf2ef109f2677abbc862a42b20a03b8f3961cbdcc0b3ebb39ba117514

Download Submit
C:\Users\Admin\AppData\Local\Temp\fcXj4ljZ.xlsm

Filesize
24KB

MD5
404eef454969a723005a424b5db7a093

SHA1
3ca036efe32141ca757585d09460278925c020e9

SHA256
0ffcd181c8d6259a9c1b2a752419d2095d017a107fd4b6d5b95304536f645a44

SHA512
d0aae8d82cfe8ac2768d8cecf2ff8d3cb4260a59c9179c0f813f66a8ad4c4134ee88f58a3ccd31c5a5e680a151a27f6ef227da83fef7b458783570bd0dd0d3e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\fcXj4ljZ.xlsm

Filesize
23KB

MD5
e9e44b69c3ae77422c68df04b25c349e

SHA1
768702ed699518f1db70115d87429c59d70351f5

SHA256
df0affd0b842a518ed6989e3a385fd70722f73242563966a61f38906b232e512

SHA512
5216e459de28ca73cc3169b8179845578c02896d4d312b0135a765f8df72467835419bca3a762fee4d92af1cce92e9c8542c27ede3d9900f38bc0717f4b99000

Download Submit
C:\Users\Admin\AppData\Local\Temp\fcXj4ljZ.xlsm

Filesize
25KB

MD5
4ec3d7c58dfde1ca0835faa17a23ab58

SHA1
978938464b0bb552c5fa766b5c5b4847ffda22af

SHA256
4d7f72fa807f13df0782fb68555d9c203f144b34d8c6d1e1255095e0d8543e1b

SHA512
e03e0c42561788ce200b4c9b4b1975dbaa6e580d8a6d6a5a1d7fb9f7f44b50adf50c3823b181c20222042c17591d004042a726626955ae62e69104a91c92cf74

Download Submit
C:\Users\Admin\Desktop\~$LimitTrace.xlsx

Filesize
165B

MD5
ff09371174f7c701e75f357a187c06e8

SHA1
57f9a638fd652922d7eb23236c80055a91724503

SHA256
e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

SHA512
e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_81d37764ce48e1f76d1de50ee831094117ffc239e287e40806801dd0bba097d2.exe

Filesize
26KB

MD5
ff9f2b483371eff47fabfaa87eb0bd50

SHA1
666ceb53dfcc726d5ba3d6cae1c522e039ad0d50

SHA256
352a47705d756d7c780b76f5f1e2383ef813ac0162d45aac3ce55c4004d06302

SHA512
5ca2248a389bcd017f68d31cf785b048cb739f1e352098dd5a89d6e0696e24343e6c4edea33c2074d739560c36a375a82109369ebe84515fefb64c4e68087f7c

Download Submit
memory/2100-27-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/2100-0-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/2532-26-0x0000000000A10000-0x0000000000A1C000-memory.dmp

Filesize
48KB

Download
memory/2728-39-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2728-137-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2788-138-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/2788-139-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/2788-171-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/2840-38-0x0000000000040000-0x000000000004C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads