| File name: | 586f32d3aece4fa92a9d1a7025c081e6.exe |
| Full analysis: | https://app.any.run/tasks/ef1b5a98-80d6-4c1a-a02e-58388c3a0d1f |
| Verdict: | Malicious activity |
| Threats: | A backdoor is a type of cybersecurity threat that allows attackers to secretly compromise a system and conduct malicious activities, such as stealing data and modifying files. Backdoors can be difficult to detect, as they often use legitimate system applications to evade defense mechanisms. Threat actors often utilize special malware, such as PlugX, to establish backdoors on target devices. |
| Analysis date: | May 17, 2025, 01:33:25 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections |
| MD5: | 586F32D3AECE4FA92A9D1A7025C081E6 |
| SHA1: | 31F65681032B802003E13F0BCAF59C762707D7E9 |
| SHA256: | 0484E1FA67B4ECCDD208258E6052A50E9F3DB9175EDE4D36F73B851D59570045 |
| SSDEEP: | 1536:yxzPzW/pJSB4AHUdIRlKn2OvVC3woFRKpTrr:2zPzW/DLAHUdIRlKnDvBr |
MALICIOUS
Changes the autorun value in the registry
- 586f32d3aece4fa92a9d1a7025c081e6.exe (PID: 7376)
NJRAT has been detected (SURICATA)
- chargeable.exe (PID: 7724)
NJRAT has been detected (YARA)
- chargeable.exe (PID: 7724)
NjRAT is detected
- chargeable.exe (PID: 7724)
Connects to the CnC server
- chargeable.exe (PID: 7724)
SUSPICIOUS
Reads security settings of Internet Explorer
- 586f32d3aece4fa92a9d1a7025c081e6.exe (PID: 7376)
Starts itself from another location
- 586f32d3aece4fa92a9d1a7025c081e6.exe (PID: 7376)
Uses NETSH.EXE to add a firewall rule or allowed programs
- chargeable.exe (PID: 7724)
Contacting a server suspected of hosting an CnC
- chargeable.exe (PID: 7724)
Connects to unusual port
- chargeable.exe (PID: 7724)
Application launched itself
- chargeable.exe (PID: 7608)
- chargeable.exe (PID: 7664)
INFO
Checks supported languages
- 586f32d3aece4fa92a9d1a7025c081e6.exe (PID: 7376)
- 586f32d3aece4fa92a9d1a7025c081e6.exe (PID: 7572)
- chargeable.exe (PID: 7608)
- chargeable.exe (PID: 7664)
- chargeable.exe (PID: 7724)
- chargeable.exe (PID: 7772)
Creates files or folders in the user directory
- 586f32d3aece4fa92a9d1a7025c081e6.exe (PID: 7376)
Manual execution by a user
- 586f32d3aece4fa92a9d1a7025c081e6.exe (PID: 7572)
- chargeable.exe (PID: 7608)
Auto-launch of the file from Registry key
- 586f32d3aece4fa92a9d1a7025c081e6.exe (PID: 7376)
Reads the computer name
- 586f32d3aece4fa92a9d1a7025c081e6.exe (PID: 7376)
- 586f32d3aece4fa92a9d1a7025c081e6.exe (PID: 7572)
- chargeable.exe (PID: 7608)
- chargeable.exe (PID: 7772)
- chargeable.exe (PID: 7664)
- chargeable.exe (PID: 7724)
Process checks computer location settings
- 586f32d3aece4fa92a9d1a7025c081e6.exe (PID: 7376)
Reads the machine GUID from the registry
- chargeable.exe (PID: 7724)
Checks proxy server information
- slui.exe (PID: 8180)
Reads the software policy settings
- slui.exe (PID: 8180)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
NjRat
(PID) Process(7724) chargeable.exe
C2doddyfire.linkpc.net
Ports10000
Botnetneuf
Options
Auto-run registry keySoftware\Microsoft\Windows\CurrentVersion\Run\e1a87040f2026369a233f9ae76301b7b
Splitter|'|'|
Version0.7d
TRiD
| .exe | | | Generic CIL Executable (.NET, Mono, etc.) (82.9) |
|---|---|---|
| .dll | | | Win32 Dynamic Link Library (generic) (7.4) |
| .exe | | | Win32 Executable (generic) (5.1) |
| .exe | | | Generic Win/DOS Executable (2.2) |
| .exe | | | DOS Executable Generic (2.2) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2018:06:11 17:07:31+00:00 |
| ImageFileCharacteristics: | Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 8 |
| CodeSize: | 96256 |
| InitializedDataSize: | 1536 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x1965e |
| OSVersion: | 4 |
| ImageVersion: | - |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 1.28.14.52 |
| ProductVersionNumber: | 1.28.14.52 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | Neutral |
| CharacterSet: | Unicode |
| CompanyName: | chieftain |
| FileDescription: | approximation |
| FileVersion: | 1.28.14.52 |
| InternalName: | 1.exe |
| LegalCopyright: | aluminium © gluttonous |
| OriginalFileName: | 1.exe |
| ProductName: | frozen |
| ProductVersion: | 1.28.14.52 |
| AssemblyVersion: | 1.28.14.52 |
Total processes
132
Monitored processes
10
Malicious processes
3
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2196 | C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache | C:\Windows\System32\svchost.exe | services.exe | ||||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: Host Process for Windows Services Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7376 | "C:\Users\admin\Desktop\586f32d3aece4fa92a9d1a7025c081e6.exe" | C:\Users\admin\Desktop\586f32d3aece4fa92a9d1a7025c081e6.exe | explorer.exe | ||||||||||||
User: admin Company: chieftain Integrity Level: MEDIUM Description: approximation Exit code: 0 Version: 1.28.14.52 Modules
| |||||||||||||||
| 7572 | C:\Users\admin\Desktop\586f32d3aece4fa92a9d1a7025c081e6.exe | C:\Users\admin\Desktop\586f32d3aece4fa92a9d1a7025c081e6.exe | — | explorer.exe | |||||||||||
User: admin Company: chieftain Integrity Level: MEDIUM Description: approximation Exit code: 0 Version: 1.28.14.52 Modules
| |||||||||||||||
| 7608 | C:\Users\admin\AppData\Roaming\confuse\chargeable.exe | C:\Users\admin\AppData\Roaming\confuse\chargeable.exe | — | explorer.exe | |||||||||||
User: admin Company: chieftain Integrity Level: MEDIUM Description: approximation Exit code: 0 Version: 1.28.14.52 Modules
| |||||||||||||||
| 7664 | "C:\Users\admin\AppData\Roaming\confuse\chargeable.exe" | C:\Users\admin\AppData\Roaming\confuse\chargeable.exe | — | 586f32d3aece4fa92a9d1a7025c081e6.exe | |||||||||||
User: admin Company: chieftain Integrity Level: MEDIUM Description: approximation Exit code: 0 Version: 1.28.14.52 Modules
| |||||||||||||||
| 7724 | C:\Users\admin\AppData\Roaming\confuse\chargeable.exe | C:\Users\admin\AppData\Roaming\confuse\chargeable.exe | chargeable.exe | ||||||||||||
User: admin Company: chieftain Integrity Level: MEDIUM Description: approximation Version: 1.28.14.52 Modules
NjRat(PID) Process(7724) chargeable.exe C2doddyfire.linkpc.net Ports10000 Botnetneuf Options Auto-run registry keySoftware\Microsoft\Windows\CurrentVersion\Run\e1a87040f2026369a233f9ae76301b7b Splitter|'|'| Version0.7d | |||||||||||||||
| 7772 | C:\Users\admin\AppData\Roaming\confuse\chargeable.exe | C:\Users\admin\AppData\Roaming\confuse\chargeable.exe | — | chargeable.exe | |||||||||||
User: admin Company: chieftain Integrity Level: MEDIUM Description: approximation Exit code: 0 Version: 1.28.14.52 Modules
| |||||||||||||||
| 7884 | netsh firewall add allowedprogram "C:\Users\admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE | C:\Windows\SysWOW64\netsh.exe | — | chargeable.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Network Command Shell Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7892 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | netsh.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 8180 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
6 286
Read events
6 274
Write events
12
Delete events
0
Modification events
| (PID) Process: | (7376) 586f32d3aece4fa92a9d1a7025c081e6.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
| Operation: | write | Name: | confuse |
Value: C:\Users\admin\AppData\Roaming\confuse\chargeable.exe | |||
| (PID) Process: | (7376) 586f32d3aece4fa92a9d1a7025c081e6.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
| Operation: | write | Name: | SysMain |
Value: C:\Users\admin\Desktop\586f32d3aece4fa92a9d1a7025c081e6.exe | |||
| (PID) Process: | (7376) 586f32d3aece4fa92a9d1a7025c081e6.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer |
| Operation: | write | Name: | SlowContextMenuEntries |
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000 | |||
| (PID) Process: | (7724) chargeable.exe | Key: | HKEY_CURRENT_USER\Environment |
| Operation: | write | Name: | SEE_MASK_NOZONECHECKS |
Value: 1 | |||
| (PID) Process: | (7724) chargeable.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\e1a87040f2026369a233f9ae76301b7b |
| Operation: | write | Name: | [kl] |
Value: | |||
Executable files
0
Suspicious files
1
Text files
0
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 7376 | 586f32d3aece4fa92a9d1a7025c081e6.exe | C:\Users\admin\AppData\Roaming\confuse\chargeable.exe | binary | |
MD5:09F9A644D35227A9A313C6CAAFE010BE | SHA256:A1862257A2D90131433A8A863B6FA207BA44B5E57DBD89F963692A6DD1A61B18 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
42
DNS requests
5
Threats
64
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
2104 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
— | — | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
2104 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
7724 | chargeable.exe | 196.119.86.83:10000 | doddyfire.linkpc.net | ASMedi | MA | whitelisted |
5176 | slui.exe | 20.83.72.98:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
8180 | slui.exe | 20.83.72.98:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
doddyfire.linkpc.net |
| whitelisted |
activation-v2.sls.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
2196 | svchost.exe | Potentially Bad Traffic | ET DYN_DNS Observed DNS Query to DynDNS Domain (linkpc .net) |
7724 | chargeable.exe | Misc activity | ET INFO Possible Host Profile Exfiltration In Pipe Delimited Format |
7724 | chargeable.exe | Malware Command and Control Activity Detected | ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) |
7724 | chargeable.exe | Malware Command and Control Activity Detected | BACKDOOR [ANY.RUN] njRAT Bladabindi CnC Communication command ll |
7724 | chargeable.exe | Misc activity | ET INFO Possible Host Profile Exfiltration In Pipe Delimited Format |
7724 | chargeable.exe | Malware Command and Control Activity Detected | ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) |
7724 | chargeable.exe | Malware Command and Control Activity Detected | BACKDOOR [ANY.RUN] njRAT Bladabindi CnC Communication command ll |
7724 | chargeable.exe | Misc activity | ET INFO Possible Host Profile Exfiltration In Pipe Delimited Format |
7724 | chargeable.exe | Malware Command and Control Activity Detected | BACKDOOR [ANY.RUN] njRAT Bladabindi CnC Communication command ll |
7724 | chargeable.exe | Malware Command and Control Activity Detected | ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) |