njrat | 81d37764ce48e1f76d1de50ee831094117ffc239e287e40806801dd0bba097d2

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16-01-2025 03:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

81d37764ce48e1f76d1de50ee831094117ffc239e287e40806801dd0bba097d2.exe
Size

771KB
MD5

beaa68e5cc534b255a5a7f50580fc92a
SHA1

1f0278d90302bd11a53366bdb78fa353b4b1ea58
SHA256

81d37764ce48e1f76d1de50ee831094117ffc239e287e40806801dd0bba097d2
SHA512

ee4a23a968a461032212dea9d3d7102a948034f9c6e733f83e26a9382cb372cb8d9484c2785b548111440ad86086107b615d209611bc6c4dd135bd87968d77a7
SSDEEP

12288:iMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9Us:insJ39LyjbJkQFMhmC+6GD9T

Score

10^/10

njrat xred backdoor discovery persistence trojan

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Njrat family
njrat
Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 3 IoCs

pid	Process
2532	._cache_81d37764ce48e1f76d1de50ee831094117ffc239e287e40806801dd0bba097d2.exe
2088	Synaptics.exe
2820	._cache_Synaptics.exe

Loads dropped DLL 5 IoCs

pid	Process
1860	81d37764ce48e1f76d1de50ee831094117ffc239e287e40806801dd0bba097d2.exe
1860	81d37764ce48e1f76d1de50ee831094117ffc239e287e40806801dd0bba097d2.exe
1860	81d37764ce48e1f76d1de50ee831094117ffc239e287e40806801dd0bba097d2.exe
2088	Synaptics.exe
2088	Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\????? = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	81d37764ce48e1f76d1de50ee831094117ffc239e287e40806801dd0bba097d2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	81d37764ce48e1f76d1de50ee831094117ffc239e287e40806801dd0bba097d2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_81d37764ce48e1f76d1de50ee831094117ffc239e287e40806801dd0bba097d2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2756	EXCEL.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2532	._cache_81d37764ce48e1f76d1de50ee831094117ffc239e287e40806801dd0bba097d2.exe
Token: SeDebugPrivilege	2820	._cache_Synaptics.exe
Token: 33	2820	._cache_Synaptics.exe
Token: SeIncBasePriorityPrivilege	2820	._cache_Synaptics.exe
Token: 33	2532	._cache_81d37764ce48e1f76d1de50ee831094117ffc239e287e40806801dd0bba097d2.exe
Token: SeIncBasePriorityPrivilege	2532	._cache_81d37764ce48e1f76d1de50ee831094117ffc239e287e40806801dd0bba097d2.exe
Token: 33	2532	._cache_81d37764ce48e1f76d1de50ee831094117ffc239e287e40806801dd0bba097d2.exe
Token: SeIncBasePriorityPrivilege	2532	._cache_81d37764ce48e1f76d1de50ee831094117ffc239e287e40806801dd0bba097d2.exe
Token: 33	2820	._cache_Synaptics.exe
Token: SeIncBasePriorityPrivilege	2820	._cache_Synaptics.exe
Token: 33	2820	._cache_Synaptics.exe
Token: SeIncBasePriorityPrivilege	2820	._cache_Synaptics.exe
Token: 33	2532	._cache_81d37764ce48e1f76d1de50ee831094117ffc239e287e40806801dd0bba097d2.exe
Token: SeIncBasePriorityPrivilege	2532	._cache_81d37764ce48e1f76d1de50ee831094117ffc239e287e40806801dd0bba097d2.exe
Token: 33	2820	._cache_Synaptics.exe
Token: SeIncBasePriorityPrivilege	2820	._cache_Synaptics.exe
Token: 33	2532	._cache_81d37764ce48e1f76d1de50ee831094117ffc239e287e40806801dd0bba097d2.exe
Token: SeIncBasePriorityPrivilege	2532	._cache_81d37764ce48e1f76d1de50ee831094117ffc239e287e40806801dd0bba097d2.exe
Token: 33	2820	._cache_Synaptics.exe
Token: SeIncBasePriorityPrivilege	2820	._cache_Synaptics.exe
Token: 33	2532	._cache_81d37764ce48e1f76d1de50ee831094117ffc239e287e40806801dd0bba097d2.exe
Token: SeIncBasePriorityPrivilege	2532	._cache_81d37764ce48e1f76d1de50ee831094117ffc239e287e40806801dd0bba097d2.exe
Token: 33	2820	._cache_Synaptics.exe
Token: 33	2532	._cache_81d37764ce48e1f76d1de50ee831094117ffc239e287e40806801dd0bba097d2.exe
Token: SeIncBasePriorityPrivilege	2532	._cache_81d37764ce48e1f76d1de50ee831094117ffc239e287e40806801dd0bba097d2.exe
Token: SeIncBasePriorityPrivilege	2820	._cache_Synaptics.exe
Token: 33	2532	._cache_81d37764ce48e1f76d1de50ee831094117ffc239e287e40806801dd0bba097d2.exe
Token: 33	2820	._cache_Synaptics.exe
Token: SeIncBasePriorityPrivilege	2820	._cache_Synaptics.exe
Token: SeIncBasePriorityPrivilege	2532	._cache_81d37764ce48e1f76d1de50ee831094117ffc239e287e40806801dd0bba097d2.exe
Token: 33	2820	._cache_Synaptics.exe
Token: SeIncBasePriorityPrivilege	2820	._cache_Synaptics.exe
Token: 33	2532	._cache_81d37764ce48e1f76d1de50ee831094117ffc239e287e40806801dd0bba097d2.exe
Token: SeIncBasePriorityPrivilege	2532	._cache_81d37764ce48e1f76d1de50ee831094117ffc239e287e40806801dd0bba097d2.exe
Token: 33	2820	._cache_Synaptics.exe
Token: SeIncBasePriorityPrivilege	2820	._cache_Synaptics.exe
Token: 33	2532	._cache_81d37764ce48e1f76d1de50ee831094117ffc239e287e40806801dd0bba097d2.exe
Token: SeIncBasePriorityPrivilege	2532	._cache_81d37764ce48e1f76d1de50ee831094117ffc239e287e40806801dd0bba097d2.exe
Token: 33	2820	._cache_Synaptics.exe
Token: SeIncBasePriorityPrivilege	2820	._cache_Synaptics.exe
Token: 33	2532	._cache_81d37764ce48e1f76d1de50ee831094117ffc239e287e40806801dd0bba097d2.exe
Token: SeIncBasePriorityPrivilege	2532	._cache_81d37764ce48e1f76d1de50ee831094117ffc239e287e40806801dd0bba097d2.exe
Token: 33	2820	._cache_Synaptics.exe
Token: 33	2532	._cache_81d37764ce48e1f76d1de50ee831094117ffc239e287e40806801dd0bba097d2.exe
Token: SeIncBasePriorityPrivilege	2820	._cache_Synaptics.exe
Token: SeIncBasePriorityPrivilege	2532	._cache_81d37764ce48e1f76d1de50ee831094117ffc239e287e40806801dd0bba097d2.exe
Token: 33	2532	._cache_81d37764ce48e1f76d1de50ee831094117ffc239e287e40806801dd0bba097d2.exe
Token: SeIncBasePriorityPrivilege	2532	._cache_81d37764ce48e1f76d1de50ee831094117ffc239e287e40806801dd0bba097d2.exe
Token: 33	2820	._cache_Synaptics.exe
Token: SeIncBasePriorityPrivilege	2820	._cache_Synaptics.exe
Token: 33	2532	._cache_81d37764ce48e1f76d1de50ee831094117ffc239e287e40806801dd0bba097d2.exe
Token: SeIncBasePriorityPrivilege	2532	._cache_81d37764ce48e1f76d1de50ee831094117ffc239e287e40806801dd0bba097d2.exe
Token: 33	2820	._cache_Synaptics.exe
Token: SeIncBasePriorityPrivilege	2820	._cache_Synaptics.exe
Token: 33	2532	._cache_81d37764ce48e1f76d1de50ee831094117ffc239e287e40806801dd0bba097d2.exe
Token: SeIncBasePriorityPrivilege	2532	._cache_81d37764ce48e1f76d1de50ee831094117ffc239e287e40806801dd0bba097d2.exe
Token: 33	2820	._cache_Synaptics.exe
Token: SeIncBasePriorityPrivilege	2820	._cache_Synaptics.exe
Token: 33	2532	._cache_81d37764ce48e1f76d1de50ee831094117ffc239e287e40806801dd0bba097d2.exe
Token: SeIncBasePriorityPrivilege	2532	._cache_81d37764ce48e1f76d1de50ee831094117ffc239e287e40806801dd0bba097d2.exe
Token: 33	2820	._cache_Synaptics.exe
Token: SeIncBasePriorityPrivilege	2820	._cache_Synaptics.exe
Token: 33	2820	._cache_Synaptics.exe
Token: SeIncBasePriorityPrivilege	2820	._cache_Synaptics.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2756	EXCEL.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1860 wrote to memory of 2532	1860	81d37764ce48e1f76d1de50ee831094117ffc239e287e40806801dd0bba097d2.exe	30
PID 1860 wrote to memory of 2532	1860	81d37764ce48e1f76d1de50ee831094117ffc239e287e40806801dd0bba097d2.exe	30
PID 1860 wrote to memory of 2532	1860	81d37764ce48e1f76d1de50ee831094117ffc239e287e40806801dd0bba097d2.exe	30
PID 1860 wrote to memory of 2532	1860	81d37764ce48e1f76d1de50ee831094117ffc239e287e40806801dd0bba097d2.exe	30
PID 1860 wrote to memory of 2088	1860	81d37764ce48e1f76d1de50ee831094117ffc239e287e40806801dd0bba097d2.exe	31
PID 1860 wrote to memory of 2088	1860	81d37764ce48e1f76d1de50ee831094117ffc239e287e40806801dd0bba097d2.exe	31
PID 1860 wrote to memory of 2088	1860	81d37764ce48e1f76d1de50ee831094117ffc239e287e40806801dd0bba097d2.exe	31
PID 1860 wrote to memory of 2088	1860	81d37764ce48e1f76d1de50ee831094117ffc239e287e40806801dd0bba097d2.exe	31
PID 2088 wrote to memory of 2820	2088	Synaptics.exe	32
PID 2088 wrote to memory of 2820	2088	Synaptics.exe	32
PID 2088 wrote to memory of 2820	2088	Synaptics.exe	32
PID 2088 wrote to memory of 2820	2088	Synaptics.exe	32

C:\Users\Admin\AppData\Local\Temp\81d37764ce48e1f76d1de50ee831094117ffc239e287e40806801dd0bba097d2.exe
"C:\Users\Admin\AppData\Local\Temp\81d37764ce48e1f76d1de50ee831094117ffc239e287e40806801dd0bba097d2.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1860
- C:\Users\Admin\AppData\Local\Temp\._cache_81d37764ce48e1f76d1de50ee831094117ffc239e287e40806801dd0bba097d2.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_81d37764ce48e1f76d1de50ee831094117ffc239e287e40806801dd0bba097d2.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2532
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2088
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2820

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
771KB

MD5
beaa68e5cc534b255a5a7f50580fc92a

SHA1
1f0278d90302bd11a53366bdb78fa353b4b1ea58

SHA256
81d37764ce48e1f76d1de50ee831094117ffc239e287e40806801dd0bba097d2

SHA512
ee4a23a968a461032212dea9d3d7102a948034f9c6e733f83e26a9382cb372cb8d9484c2785b548111440ad86086107b615d209611bc6c4dd135bd87968d77a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_81d37764ce48e1f76d1de50ee831094117ffc239e287e40806801dd0bba097d2.exe

Filesize
26KB

MD5
ff9f2b483371eff47fabfaa87eb0bd50

SHA1
666ceb53dfcc726d5ba3d6cae1c522e039ad0d50

SHA256
352a47705d756d7c780b76f5f1e2383ef813ac0162d45aac3ce55c4004d06302

SHA512
5ca2248a389bcd017f68d31cf785b048cb739f1e352098dd5a89d6e0696e24343e6c4edea33c2074d739560c36a375a82109369ebe84515fefb64c4e68087f7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\iqXgY6mn.xlsm

Filesize
22KB

MD5
9a9b161d52b5bacd190a529cfb831a7b

SHA1
4e406c3a07ffc8e5978e02bbcdd9492d5b20182b

SHA256
acda13a8e200933932a286d4f7030dd45f54aec2972a4bfd8699f96c016f39f1

SHA512
a80d0078f7ca0e2596150e0c01a5da67ffb57a1e70c9b7b18f8a5f5ec213bbbdd260d0907593b8b2218ccce633387480dfe381bfee35faa619545782fb4f70d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\iqXgY6mn.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\iqXgY6mn.xlsm

Filesize
21KB

MD5
393b34d3ad9b80e9611c4b857d900104

SHA1
c7464e6ac795454e0bcd5498624325730b50cf22

SHA256
60c3cbf194b995cfffbb92109e67d9f99b53e4f78638d717c2879ab6cb8402d1

SHA512
828452aa2a0c870073a8cfa42a1c34387c5a1d7e3c61f2b1ee1df7fe71a9bf9734687ec2c7830b8ece2be8d84b2b7f9e4db543ebecc8da5997ef5e7de690b123

Download Submit
C:\Users\Admin\AppData\Local\Temp\iqXgY6mn.xlsm

Filesize
22KB

MD5
428f17aaeb0d614ca516668a9b345487

SHA1
64adc1b0eb5936d401e4693d08c7e5c367205b94

SHA256
f518b0d9aa738ffa022538b4eeab8bafce8a411511cf4befbba84e51be606bda

SHA512
1f530bfba1d939e4cdbe879aef1d5f541ca33e9ba8ad2f46c2db3004d8b57c68e7aff9dcbc845fdec2cdc53d3069785a61b3869a2b9cf62b3cc5d9237ca99b36

Download Submit
C:\Users\Admin\AppData\Local\Temp\iqXgY6mn.xlsm

Filesize
23KB

MD5
654d08f9fe8ec26fee1ef3c4ac73e485

SHA1
07c93f24d5a9b02f97d8c3c672876ab1d81ee352

SHA256
2222d4f9b7ce326f269a89d53a902ef789e180d25e0aa163932b6147bdbf75ba

SHA512
1171459adc34e6b94a52250d4086991170d853dc0f5d8392f6bf9d6f29ed3bded19449dac12db744a82aabfb6ad1acdda9d8802905f6bbdd018637f06f54305d

Download Submit
C:\Users\Admin\AppData\Local\Temp\iqXgY6mn.xlsm

Filesize
24KB

MD5
bd455d75df3ef46c8ee10ad31aa1792c

SHA1
047764005aef10e4c9c0b978d643d325176465fc

SHA256
4447bcebfa8184dd767000885097bd1920c8719ed10979b2bec0a3824a2c9db5

SHA512
2f8c8da8bfe1936de72daabeb4a7318bb0fed288bac25806c82de4f5f3a93955a69757a67e9b01c5b92b39916fed13d78dcf21137d46c0b74f6f45964a22883c

Download Submit
C:\Users\Admin\AppData\Local\Temp\iqXgY6mn.xlsm

Filesize
25KB

MD5
0b15fa1887612d2968a6b53d8f85970a

SHA1
02919dc31155f6b3f958661de09ce3ce5a7006ee

SHA256
e5dec543bf520cf6592003c457e266313cf07df2562a560b7a4194ec06ba508a

SHA512
2db323050b1ed6ce54a0125dd51e53b5f544006a04b4173504f78b5a94ed3bfd2cc7fd8206945cc52bbe4aed5bc8527a9bfd88ba20709f934ada750e824347f9

Download Submit
C:\Users\Admin\Desktop\~$LimitTrace.xlsx

Filesize
165B

MD5
ff09371174f7c701e75f357a187c06e8

SHA1
57f9a638fd652922d7eb23236c80055a91724503

SHA256
e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

SHA512
e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

Download Submit
memory/1860-0-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/1860-26-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/2088-138-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/2088-139-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/2088-171-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/2532-29-0x0000000000A30000-0x0000000000A3C000-memory.dmp

Filesize
48KB

Download
memory/2756-39-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2756-137-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2820-38-0x0000000000CF0000-0x0000000000CFC000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads