General

  • Target: 7218c51ff2529378fa8be83f6ecae77444c0d85c5581c9d7f4d40dd62c318ef7
  • Size: 115KB
  • Sample: 240522-bcnfcsfc83
  • MD5: 84743b0c88be2cf9eb6874d119cd8299
  • SHA1: 5bba4db84815e84007e8828efa5ca6e46acd250a
  • SHA256: 7218c51ff2529378fa8be83f6ecae77444c0d85c5581c9d7f4d40dd62c318ef7
  • SHA512: dce296849d40ecba1d158adbe2f672165feb02bb101bdcb911e7cf5ebe353213611d2a254bdfeeeb33a90560be535bb147df44353d9391f7a9b818d43eb7b7b5
  • SSDEEP: 1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMDLS:P5eznsjsguGDFqGZ2rDLS

Malware Config

Extracted

  • Family: njrat
  • Version: 0.7d
  • Botnet: neuf
  • C2: doddyfire.linkpc.net:10000
  • Mutex: e1a87040f2026369a233f9ae76301b7b
  • Attributes
      • reg_key: e1a87040f2026369a233f9ae76301b7b
      • splitter: |'|'|

Targets

    • njRAT/Bladabindi: Widely used RAT written in .NET.
    • Modifies Windows Firewall
    • Checks computer location settings: Looks up country code configured in the registry, likely geofence.
    • Executes dropped EXE
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
