General
-
Target
1e7da62945110b7089e04aaf6e5a51a0N.exe
-
Size
118KB
-
Sample
240720-2wlzrayhmb
-
MD5
1e7da62945110b7089e04aaf6e5a51a0
-
SHA1
f93f93be654fb638c5088a23f964624d4c5f8cb9
-
SHA256
f93a07b9db9e6b6b8b9a33764bbdbbc94de3c0f964adad8a75afc10e5af7de45
-
SHA512
ca5398546830cdeb579daab62eab74971ec27918b60b53d6d016705d48fc10108c5e35087455dc10b98e759699b478fc61113d4a2ab8d613d6065e968b1b3a4d
-
SSDEEP
1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMDL143T:P5eznsjsguGDFqGZ2rDL143T
Malware Config
Extracted
njrat
0.7d
neuf
doddyfire.linkpc.net:10000
e1a87040f2026369a233f9ae76301b7b
-
reg_key
e1a87040f2026369a233f9ae76301b7b
-
splitter
|'|'|
Targets
-
-
Target
1e7da62945110b7089e04aaf6e5a51a0N.exe
-
Size
118KB
-
MD5
1e7da62945110b7089e04aaf6e5a51a0
-
SHA1
f93f93be654fb638c5088a23f964624d4c5f8cb9
-
SHA256
f93a07b9db9e6b6b8b9a33764bbdbbc94de3c0f964adad8a75afc10e5af7de45
-
SHA512
ca5398546830cdeb579daab62eab74971ec27918b60b53d6d016705d48fc10108c5e35087455dc10b98e759699b478fc61113d4a2ab8d613d6065e968b1b3a4d
-
SSDEEP
1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMDL143T:P5eznsjsguGDFqGZ2rDL143T
Score10/10-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Modifies Windows Firewall
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1