njrat | 8f5af7de9311f740012603025b2065573ad23816ce5e728465a0d0f9553c4839

Analysis

max time kernel
119s
max time network
134s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
08/02/2025, 01:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8f5af7de9311f740012603025b2065573ad23816ce5e728465a0d0f9553c4839.exe
Size

121KB
MD5

48437ce3c8bab1b00a75bc774e6ca405
SHA1

e774b8a1fe4be437d43ef7739030172e09ff3aef
SHA256

8f5af7de9311f740012603025b2065573ad23816ce5e728465a0d0f9553c4839
SHA512

457be992cce0674710d38b4e3103057e88988cfaed90d5e36d82ac42a03258cc618048545f6fe96bd8e594766485138c7d04220c32b7375e48ae86cf85ea35fd
SSDEEP

1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMDLVg8:P5eznsjsguGDFqGZ2rDL/

Score

10^/10

njrat neuf defense_evasion discovery persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

neuf

doddyfire.linkpc.net:10000

Mutex

e1a87040f2026369a233f9ae76301b7b

Attributes

reg_key
e1a87040f2026369a233f9ae76301b7b
splitter
|'|'|

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 2 TTPs 1 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2804	netsh.exe

Executes dropped EXE 2 IoCs

pid	Process
2208	chargeable.exe
2864	chargeable.exe

Loads dropped DLL 2 IoCs

pid	Process
2056	8f5af7de9311f740012603025b2065573ad23816ce5e728465a0d0f9553c4839.exe
2056	8f5af7de9311f740012603025b2065573ad23816ce5e728465a0d0f9553c4839.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe"	8f5af7de9311f740012603025b2065573ad23816ce5e728465a0d0f9553c4839.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8f5af7de9311f740012603025b2065573ad23816ce5e728465a0d0f9553c4839.exe"	8f5af7de9311f740012603025b2065573ad23816ce5e728465a0d0f9553c4839.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2208 set thread context of 2864	2208	chargeable.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8f5af7de9311f740012603025b2065573ad23816ce5e728465a0d0f9553c4839.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chargeable.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chargeable.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	2864	chargeable.exe
Token: 33	2864	chargeable.exe
Token: SeIncBasePriorityPrivilege	2864	chargeable.exe
Token: 33	2864	chargeable.exe
Token: SeIncBasePriorityPrivilege	2864	chargeable.exe
Token: 33	2864	chargeable.exe
Token: SeIncBasePriorityPrivilege	2864	chargeable.exe
Token: 33	2864	chargeable.exe
Token: SeIncBasePriorityPrivilege	2864	chargeable.exe
Token: 33	2864	chargeable.exe
Token: SeIncBasePriorityPrivilege	2864	chargeable.exe
Token: 33	2864	chargeable.exe
Token: SeIncBasePriorityPrivilege	2864	chargeable.exe
Token: 33	2864	chargeable.exe
Token: SeIncBasePriorityPrivilege	2864	chargeable.exe
Token: 33	2864	chargeable.exe
Token: SeIncBasePriorityPrivilege	2864	chargeable.exe
Token: 33	2864	chargeable.exe
Token: SeIncBasePriorityPrivilege	2864	chargeable.exe
Token: 33	2864	chargeable.exe
Token: SeIncBasePriorityPrivilege	2864	chargeable.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2056 wrote to memory of 2208	2056	8f5af7de9311f740012603025b2065573ad23816ce5e728465a0d0f9553c4839.exe	29
PID 2056 wrote to memory of 2208	2056	8f5af7de9311f740012603025b2065573ad23816ce5e728465a0d0f9553c4839.exe	29
PID 2056 wrote to memory of 2208	2056	8f5af7de9311f740012603025b2065573ad23816ce5e728465a0d0f9553c4839.exe	29
PID 2056 wrote to memory of 2208	2056	8f5af7de9311f740012603025b2065573ad23816ce5e728465a0d0f9553c4839.exe	29
PID 2208 wrote to memory of 2864	2208	chargeable.exe	30
PID 2208 wrote to memory of 2864	2208	chargeable.exe	30
PID 2208 wrote to memory of 2864	2208	chargeable.exe	30
PID 2208 wrote to memory of 2864	2208	chargeable.exe	30
PID 2208 wrote to memory of 2864	2208	chargeable.exe	30
PID 2208 wrote to memory of 2864	2208	chargeable.exe	30
PID 2208 wrote to memory of 2864	2208	chargeable.exe	30
PID 2208 wrote to memory of 2864	2208	chargeable.exe	30
PID 2208 wrote to memory of 2864	2208	chargeable.exe	30
PID 2864 wrote to memory of 2804	2864	chargeable.exe	31
PID 2864 wrote to memory of 2804	2864	chargeable.exe	31
PID 2864 wrote to memory of 2804	2864	chargeable.exe	31
PID 2864 wrote to memory of 2804	2864	chargeable.exe	31

C:\Users\Admin\AppData\Local\Temp\8f5af7de9311f740012603025b2065573ad23816ce5e728465a0d0f9553c4839.exe
"C:\Users\Admin\AppData\Local\Temp\8f5af7de9311f740012603025b2065573ad23816ce5e728465a0d0f9553c4839.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2056
- C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
  "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2208
- - C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
    C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2864
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\37C951188967C8EB88D99893D9D191FE

Filesize
1KB

MD5
fa84e4bcc92aa5db735ab50711040cde

SHA1
084f1cb4c47fdd3be1c833f58359ec8e16f61eb4

SHA256
6d7205e794fde4219a62d9692ecddf612663a5cf20399e79be87b851fca4ca33

SHA512
261a327ed1dffd4166e215d17bfd867df5b77017ba72c879fb2675cfb8eef48b374f6de41da0e51ba7adb9c0165bb2c831840603e873f6429963afd0cb93007f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C0018BB1B5834735BFA60CD063B31956

Filesize
1KB

MD5
1ea27366e034eb9447a33ce639c01489

SHA1
d12ed3e7e60c65ce90f0a58b9b9e47292caed923

SHA256
788d210ef206a4d11b6b506bf52124ee03fca4e8a9389fad43772202a7e29452

SHA512
e06f7443f0f7ca5db4411aa0718102c08068e95ec305b6b53c0b42a941a877de39f95c7e7514e69316b41a7ac19eaa6ccddc581fe475bdb842ec920691726e49

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FE

Filesize
264B

MD5
0676b91d14c30c339d327857144c24d2

SHA1
83efe361f62d2b5e6f52a151ed47fe8de1401d3d

SHA256
8144d40d3967caeb1d5efb199dd43f35df0c743fa7449441f0830ed3d3ef1040

SHA512
bf1a189b1eb1e0ee63b6124f12eb99ec1901318dde64d6b949eac872cccf71b91f11a2ea2153ce8b7e30fe691667bf6c0f166632f3fd6eda28a5b6ac2ee504e6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
409d0fb5ee995083069831413ba89c01

SHA1
b374adb0681455fbfa09deb684ad377746042b42

SHA256
941082570a204f6030bca1292f04b27330793c854a0fe836dcd8eb8fe4011389

SHA512
836822630a23475fde49f4687fe457462e7938aed8e9a0d3b4b1a6833cec7ec4dfeaa5ee6e8a0fca0e3263763b5f980f95efc1cf374af27d668236fcc8ed97ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e61a9f3256719d6f6761c401ab7de530

SHA1
3cc3b62401b92dda90992904c96b2ad71c066c30

SHA256
5fda9fe9ee1490902aa16d5deef3a30b0c021f6712b7915c4eb77558e6a2b306

SHA512
4041ece765c2ed6b49f323c6de55c893c4b8af9af2f716e52a89fba2c62df56abe39c545e4123930fc3acb7079326b842f064100635a1375b277183284b31ce1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fd178ac381ca4aee5c09bceba385360d

SHA1
0c85d4d22c81ccee8763fa008557dc1b6bbb763e

SHA256
e7f8875e74f5859903f2d825f7f391d1e310605339446340aa1f984d8c6e495f

SHA512
d5543d43485f2164667ca668c6489c72994ed5d30221f25bce86f0098c8b83caceb925f4011d5f2151d05eb3214e32eedfdce545377a6fd8845e5ef21766375b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C0018BB1B5834735BFA60CD063B31956

Filesize
252B

MD5
96411fdb7c9f56fef6681c5819fbbbc5

SHA1
d9df1218d24fb1161697e0c00b058f22c87e3d88

SHA256
f8ab013a9f6ec44cea1b59a48c6b236228f9d05cb4e4016f7c02c7052b213478

SHA512
bacaeeab5300dbed46b78ecb63aa658f71525c67572707556d86848c07ee3ce105ea2c9e3fd36f72ea5da0cedebfef30823fd7f1e1a702f33de356426dceae69

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2F9A.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2FEB.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Roaming\confuse\chargeable.exe

Filesize
121KB

MD5
18915bdb93e2629c62b958399ce449f4

SHA1
24aa0844d88a70a7fd28fe020f29ac572863ae13

SHA256
cf7e94866f0d5591557f685948fce8437729aba6136651a8b9e62235c63ac816

SHA512
ee16cc470cb6a1c746b936fc948e4563d291c6c2e1bf51b07621b7a8233f908c26974cf364bd8a6093919b96f8b7b5f83aa8d69f9d28f090eb2fcbbaf586c569

Download Submit
memory/2056-193-0x00000000749F0000-0x0000000074F9B000-memory.dmp

Filesize
5.7MB

Download
memory/2056-174-0x00000000749F0000-0x0000000074F9B000-memory.dmp

Filesize
5.7MB

Download
memory/2056-171-0x00000000749F0000-0x0000000074F9B000-memory.dmp

Filesize
5.7MB

Download
memory/2056-0-0x00000000749F1000-0x00000000749F2000-memory.dmp

Filesize
4KB

Download
memory/2056-2-0x00000000749F0000-0x0000000074F9B000-memory.dmp

Filesize
5.7MB

Download
memory/2056-1-0x00000000749F0000-0x0000000074F9B000-memory.dmp

Filesize
5.7MB

Download
memory/2864-353-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2864-355-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2864-356-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads