General

  • Target

    d01941c76c15122c1da56ea88bc3fba0_NeikiAnalytics

  • Size

    114KB

  • Sample

    240509-xvb1yadd47

  • MD5

    d01941c76c15122c1da56ea88bc3fba0

  • SHA1

    faf82a02e1536d4d11f183f344208b0ee39d5178

  • SHA256

    bdd4c71987f7e0d8bdd4d4e8ec91ed729b280dfda65e653eb0d4bb4dccbb8b2f

  • SHA512

    4153d0d2b5b837a543bab2098d2abf5d283f1e89ccedb31c79252f89b183b61c06b0456b796f253218cddc7d7128efdfc3ad76d6bf04ff5d1db5b2f06140d277

  • SSDEEP

    1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMDj:P5eznsjsguGDFqGZ2rDj

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

neuf

C2

doddyfire.linkpc.net:10000

Mutex

e1a87040f2026369a233f9ae76301b7b

Attributes

  • reg_key (value name written under the Run key for persistence)

    e1a87040f2026369a233f9ae76301b7b

  • splitter (field delimiter used in the bot's C2 messages)

    |'|'|

Targets

    • Target

      d01941c76c15122c1da56ea88bc3fba0_NeikiAnalytics

    • njRAT/Bladabindi

      Widely used remote access trojan (RAT) written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks