njrat | 667cb510540d8e7a6cd30007d30a8ca11110dde57bd03d2cbf87ca6b7868bdb9

Analysis

max time kernel
146s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20250313-en
resource tags

arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:18 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eea4dcd11b7f7e40bb76cc5d43c0246f.exe
Size

97KB
MD5

eea4dcd11b7f7e40bb76cc5d43c0246f
SHA1

91847b99e1d157c1560e7e1578c8f58bba2297be
SHA256

aec2e4e9a10fca3c6c14da1931179fc80a6176986bc6ff24656a7efa367a53c5
SHA512

5c22f16fe6f9c612fa2a2485c443644bb7dfbc2c601b57a8e74cc53263ea7240aaa1c3ef99aafdfb4db46467113ce31ce269e6dda0ed19b723c19c0529dc7845
SSDEEP

1536:MYxlY23kGwgMBUQGum2U8aVCguHEvQEbFeDVC3woFRKpTded:DlY23kg3sguGDFaXed

Score

10^/10

njrat neuf defense_evasion discovery persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

neuf

doddyfire.linkpc.net:10000

Mutex

e1a87040f2026369a233f9ae76301b7b

Attributes

reg_key
e1a87040f2026369a233f9ae76301b7b
splitter
|'|'|

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 2 TTPs 1 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1444	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	eea4dcd11b7f7e40bb76cc5d43c0246f.exe

Executes dropped EXE 2 IoCs

pid	Process
1784	chargeable.exe
4796	chargeable.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe"	eea4dcd11b7f7e40bb76cc5d43c0246f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eea4dcd11b7f7e40bb76cc5d43c0246f.exe"	eea4dcd11b7f7e40bb76cc5d43c0246f.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1784 set thread context of 4796	1784	chargeable.exe	93

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eea4dcd11b7f7e40bb76cc5d43c0246f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chargeable.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chargeable.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeDebugPrivilege	4796	chargeable.exe
Token: 33	4796	chargeable.exe
Token: SeIncBasePriorityPrivilege	4796	chargeable.exe
Token: 33	4796	chargeable.exe
Token: SeIncBasePriorityPrivilege	4796	chargeable.exe
Token: 33	4796	chargeable.exe
Token: SeIncBasePriorityPrivilege	4796	chargeable.exe
Token: 33	4796	chargeable.exe
Token: SeIncBasePriorityPrivilege	4796	chargeable.exe
Token: 33	4796	chargeable.exe
Token: SeIncBasePriorityPrivilege	4796	chargeable.exe
Token: 33	4796	chargeable.exe
Token: SeIncBasePriorityPrivilege	4796	chargeable.exe
Token: 33	4796	chargeable.exe
Token: SeIncBasePriorityPrivilege	4796	chargeable.exe
Token: 33	4796	chargeable.exe
Token: SeIncBasePriorityPrivilege	4796	chargeable.exe
Token: 33	4796	chargeable.exe
Token: SeIncBasePriorityPrivilege	4796	chargeable.exe
Token: 33	4796	chargeable.exe
Token: SeIncBasePriorityPrivilege	4796	chargeable.exe
Token: 33	4796	chargeable.exe
Token: SeIncBasePriorityPrivilege	4796	chargeable.exe
Token: 33	4796	chargeable.exe
Token: SeIncBasePriorityPrivilege	4796	chargeable.exe
Token: 33	4796	chargeable.exe
Token: SeIncBasePriorityPrivilege	4796	chargeable.exe
Token: 33	4796	chargeable.exe
Token: SeIncBasePriorityPrivilege	4796	chargeable.exe
Token: 33	4796	chargeable.exe
Token: SeIncBasePriorityPrivilege	4796	chargeable.exe
Token: 33	4796	chargeable.exe
Token: SeIncBasePriorityPrivilege	4796	chargeable.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 5860 wrote to memory of 1784	5860	eea4dcd11b7f7e40bb76cc5d43c0246f.exe	91
PID 5860 wrote to memory of 1784	5860	eea4dcd11b7f7e40bb76cc5d43c0246f.exe	91
PID 5860 wrote to memory of 1784	5860	eea4dcd11b7f7e40bb76cc5d43c0246f.exe	91
PID 1784 wrote to memory of 4796	1784	chargeable.exe	93
PID 1784 wrote to memory of 4796	1784	chargeable.exe	93
PID 1784 wrote to memory of 4796	1784	chargeable.exe	93
PID 1784 wrote to memory of 4796	1784	chargeable.exe	93
PID 1784 wrote to memory of 4796	1784	chargeable.exe	93
PID 1784 wrote to memory of 4796	1784	chargeable.exe	93
PID 1784 wrote to memory of 4796	1784	chargeable.exe	93
PID 1784 wrote to memory of 4796	1784	chargeable.exe	93
PID 4796 wrote to memory of 1444	4796	chargeable.exe	95
PID 4796 wrote to memory of 1444	4796	chargeable.exe	95
PID 4796 wrote to memory of 1444	4796	chargeable.exe	95

C:\Users\Admin\AppData\Local\Temp\eea4dcd11b7f7e40bb76cc5d43c0246f.exe
"C:\Users\Admin\AppData\Local\Temp\eea4dcd11b7f7e40bb76cc5d43c0246f.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5860
- C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
  "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1784
- - C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
    C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4796
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:1444

Network

DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.ax-0001.ax-msedge.net

g-bing-com.ax-0001.ax-msedge.net

IN CNAME

ax-0001.ax-msedge.net

ax-0001.ax-msedge.net

IN A

150.171.28.10

ax-0001.ax-msedge.net

IN A

150.171.27.10
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=0d4c7638a2a74bbfa3149156d7bd926c&localId=w:BDEEEA66-9FF9-032D-B4CB-199BE88F3227&deviceId=6896216899373042&anid=

Remote address:

150.171.28.10:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=0d4c7638a2a74bbfa3149156d7bd926c&localId=w:BDEEEA66-9FF9-032D-B4CB-199BE88F3227&deviceId=6896216899373042&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=170EEC9261CF67F7068BF92560E8664B; domain=.bing.com; expires=Thu, 16-Apr-2026 06:38:44 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: B4A766C5CBDD444B90F880EBE0214444 Ref B: LON04EDGE0609 Ref C: 2025-03-22T06:38:44Z
date: Sat, 22 Mar 2025 06:38:44 GMT
GET

https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=0d4c7638a2a74bbfa3149156d7bd926c&localId=w:BDEEEA66-9FF9-032D-B4CB-199BE88F3227&deviceId=6896216899373042&anid=

Remote address:

150.171.28.10:443

Request

GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=0d4c7638a2a74bbfa3149156d7bd926c&localId=w:BDEEEA66-9FF9-032D-B4CB-199BE88F3227&deviceId=6896216899373042&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=170EEC9261CF67F7068BF92560E8664B

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=4fRfS7cHdDHzSZ5w0wrUL8fg6hZ1-K70k8wkitG2zk0; domain=.bing.com; expires=Thu, 16-Apr-2026 06:38:44 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: C9B13C02ACA142DAB1927491BF18D04B Ref B: LON04EDGE0609 Ref C: 2025-03-22T06:38:44Z
date: Sat, 22 Mar 2025 06:38:44 GMT
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=0d4c7638a2a74bbfa3149156d7bd926c&localId=w:BDEEEA66-9FF9-032D-B4CB-199BE88F3227&deviceId=6896216899373042&anid=

Remote address:

150.171.28.10:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=0d4c7638a2a74bbfa3149156d7bd926c&localId=w:BDEEEA66-9FF9-032D-B4CB-199BE88F3227&deviceId=6896216899373042&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=170EEC9261CF67F7068BF92560E8664B; MSPTC=4fRfS7cHdDHzSZ5w0wrUL8fg6hZ1-K70k8wkitG2zk0

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 98E9731606B94617956522AAC8492063 Ref B: LON04EDGE0609 Ref C: 2025-03-22T06:38:44Z
date: Sat, 22 Mar 2025 06:38:44 GMT
DNS

doddyfire.linkpc.net

chargeable.exe

Remote address:

8.8.8.8:53

Request

doddyfire.linkpc.net

IN A

Response

doddyfire.linkpc.net

IN A

196.119.34.23
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

ax-0001.ax-msedge.net

ax-0001.ax-msedge.net

IN A

150.171.28.10

ax-0001.ax-msedge.net

IN A

150.171.27.10
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360172398_1SAKF1TLLO2IFUJXJ&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

150.171.28.10:443

Request

GET /th?id=OADD2.10239360172398_1SAKF1TLLO2IFUJXJ&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 435187
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: D1DF77CE18854BD8BCCBE4BEDF54F6E0 Ref B: LON04EDGE1108 Ref C: 2025-03-22T06:39:13Z
date: Sat, 22 Mar 2025 06:39:13 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360432410_1ZT9L3WG863INPZDE&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

150.171.28.10:443

Request

GET /th?id=OADD2.10239360432410_1ZT9L3WG863INPZDE&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 470688
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 8A3F06AA9AD74C069B9F276CBA5D69FE Ref B: LON04EDGE1108 Ref C: 2025-03-22T06:39:13Z
date: Sat, 22 Mar 2025 06:39:13 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301116_1M7A7DN1J7VJ6Q24K&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

150.171.28.10:443

Request

GET /th?id=OADD2.10239317301116_1M7A7DN1J7VJ6Q24K&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 533370
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: BA210DD61A194FCE8D629C5074CDD295 Ref B: LON04EDGE1108 Ref C: 2025-03-22T06:39:13Z
date: Sat, 22 Mar 2025 06:39:13 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301549_1BX85FTNXWTEEC6IG&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

150.171.28.10:443

Request

GET /th?id=OADD2.10239317301549_1BX85FTNXWTEEC6IG&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 470059
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 79BEEBDB46CF4F5095A51959A43929A1 Ref B: LON04EDGE1108 Ref C: 2025-03-22T06:39:13Z
date: Sat, 22 Mar 2025 06:39:13 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360172384_1T8ZHTG4V2CH7K983&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

150.171.28.10:443

Request

GET /th?id=OADD2.10239360172384_1T8ZHTG4V2CH7K983&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 482575
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 2C102E123A004527A669FFA6B6F63009 Ref B: LON04EDGE1108 Ref C: 2025-03-22T06:39:13Z
date: Sat, 22 Mar 2025 06:39:13 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360432411_13QPWJ00JGY7I4CI1&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

150.171.28.10:443

Request

GET /th?id=OADD2.10239360432411_13QPWJ00JGY7I4CI1&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
DNS

c.pki.goog

Remote address:

8.8.8.8:53

Request

c.pki.goog

IN A

Response

c.pki.goog

IN CNAME

pki-goog.l.google.com

pki-goog.l.google.com

IN A

142.250.180.3
GET

http://c.pki.goog/r/r1.crl

Remote address:

142.250.180.3:80

Request

GET /r/r1.crl HTTP/1.1
Cache-Control: max-age = 3000
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 25 Jul 2024 14:48:00 GMT
User-Agent: Microsoft-CryptoAPI/10.0
Host: c.pki.goog

Response

HTTP/1.1 304 Not Modified

Date: Sat, 22 Mar 2025 06:22:22 GMT
Expires: Sat, 22 Mar 2025 07:12:22 GMT
Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
Cache-Control: public, max-age=3000
Vary: Accept-Encoding
Age: 1042

150.171.28.10:443

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=0d4c7638a2a74bbfa3149156d7bd926c&localId=w:BDEEEA66-9FF9-032D-B4CB-199BE88F3227&deviceId=6896216899373042&anid=

tls, http2

2.0kB
9.4kB
21
19

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=0d4c7638a2a74bbfa3149156d7bd926c&localId=w:BDEEEA66-9FF9-032D-B4CB-199BE88F3227&deviceId=6896216899373042&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=0d4c7638a2a74bbfa3149156d7bd926c&localId=w:BDEEEA66-9FF9-032D-B4CB-199BE88F3227&deviceId=6896216899373042&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=0d4c7638a2a74bbfa3149156d7bd926c&localId=w:BDEEEA66-9FF9-032D-B4CB-199BE88F3227&deviceId=6896216899373042&anid=

HTTP Response

204
196.119.34.23:10000

doddyfire.linkpc.net

chargeable.exe

260 B
5
150.171.28.10:443

tse1.mm.bing.net

tls, http2

1.1kB
6.9kB
14
13
150.171.28.10:443

tse1.mm.bing.net

tls, http2

1.1kB
6.9kB
14
13
150.171.28.10:443

https://tse1.mm.bing.net/th?id=OADD2.10239360432411_13QPWJ00JGY7I4CI1&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

tls, http2

67.0kB
1.9MB
1391
1390

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360172398_1SAKF1TLLO2IFUJXJ&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360432410_1ZT9L3WG863INPZDE&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301116_1M7A7DN1J7VJ6Q24K&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301549_1BX85FTNXWTEEC6IG&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360172384_1T8ZHTG4V2CH7K983&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360432411_13QPWJ00JGY7I4CI1&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
150.171.28.10:443

tse1.mm.bing.net

tls, http2

1.1kB
6.9kB
14
13
150.171.28.10:443

tse1.mm.bing.net

tls, http2

1.1kB
6.9kB
14
13
196.119.34.23:10000

doddyfire.linkpc.net

chargeable.exe

260 B
5
142.250.180.3:80

http://c.pki.goog/r/r1.crl

http

476 B
395 B
6
4

HTTP Request

GET http://c.pki.goog/r/r1.crl

HTTP Response

304
196.119.34.23:10000

doddyfire.linkpc.net

chargeable.exe

260 B
5
196.119.34.23:10000

doddyfire.linkpc.net

chargeable.exe

260 B
5
196.119.34.23:10000

doddyfire.linkpc.net

chargeable.exe

260 B
5
196.119.34.23:10000

doddyfire.linkpc.net

chargeable.exe

208 B
4

8.8.8.8:53

g.bing.com

dns

56 B
148 B
1
1

DNS Request

g.bing.com

DNS Response

150.171.28.10

150.171.27.10
8.8.8.8:53

doddyfire.linkpc.net

dns

chargeable.exe

66 B
82 B
1
1

DNS Request

doddyfire.linkpc.net

DNS Response

196.119.34.23
8.8.8.8:53

tse1.mm.bing.net

dns

62 B
170 B
1
1

DNS Request

tse1.mm.bing.net

DNS Response

150.171.28.10

150.171.27.10
8.8.8.8:53

c.pki.goog

dns

56 B
107 B
1
1

DNS Request

c.pki.goog

DNS Response

142.250.180.3

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\chargeable.exe.log

Filesize
400B

MD5
0a9b4592cd49c3c21f6767c2dabda92f

SHA1
f534297527ae5ccc0ecb2221ddeb8e58daeb8b74

SHA256
c7effe9cb81a70d738dee863991afefab040290d4c4b78b4202383bcb9f88fcd

SHA512
6b878df474e5bbfb8e9e265f15a76560c2ef151dcebc6388c82d7f6f86ffaf83f5ade5a09f1842e493cb6c8fd63b0b88d088c728fd725f7139f965a5ee332307

Download Submit
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

Filesize
97KB

MD5
1d430a6a9af74d2eb20f21dad2e89155

SHA1
11bc4f9d7b394d055552526e9af1593b154ac9e9

SHA256
4af136f89f05d033270802ad42dded4b6cffff830e0c5b895929345136da923b

SHA512
4c198cf8134dc2c6a74adf8e7a3bbe3eb73c28ddb221d9c6b2b9c72ec9cc86921defd9836a648585243a093bdf14d1607f53d660355a778dd010058eea4fab58

Download Submit
memory/1784-27-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download
memory/1784-20-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download
memory/1784-22-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download
memory/1784-21-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download
memory/4796-29-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download
memory/4796-30-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download
memory/4796-23-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4796-28-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download
memory/5860-19-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download
memory/5860-6-0x0000000074932000-0x0000000074933000-memory.dmp

Filesize
4KB

Download
memory/5860-0-0x0000000074932000-0x0000000074933000-memory.dmp

Filesize
4KB

Download
memory/5860-1-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download
memory/5860-2-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download
memory/5860-7-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Response

HTTP Response

HTTP Response

HTTP Response

HTTP Response

HTTP Request

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.