General

  • Target

    2d36ee83d5349c163250cf5f782d0be89dd882c576682a570d0ae236e8dd1c93.exe

  • Size

    115KB

  • Sample

    240526-j3tn3ach92

  • MD5

    b68c1dc7f15c7a2c348ba64d3b79830a

  • SHA1

    416fdb5760bc35444e85d94211fda90c77debb86

  • SHA256

    2d36ee83d5349c163250cf5f782d0be89dd882c576682a570d0ae236e8dd1c93

  • SHA512

    83da9918538b52173b1446722efde1ccd65845838f508df574d27b479a78f06b770eac2badda0048b53a9e6f82f5dc7b37302b387b120374c624cf83550cdea2

  • SSDEEP

    1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMDIy:P5eznsjsguGDFqGZ2rDIy

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

neuf

C2

doddyfire.linkpc.net:10000

Mutex

e1a87040f2026369a233f9ae76301b7b

Attributes

  • reg_key

    e1a87040f2026369a233f9ae76301b7b

  • splitter

    |'|'|

Targets

    • Target

      2d36ee83d5349c163250cf5f782d0be89dd882c576682a570d0ae236e8dd1c93.exe

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks