General

  • Target: 31067c01e0dc213be5b157eeaef7a010N.exe
  • Size: 117KB
  • Sample: 240730-3x8etawbmq
  • MD5: 31067c01e0dc213be5b157eeaef7a010
  • SHA1: 396ba9cf480da6c6f74d4eabfe5575ade9d9af0a
  • SHA256: c10ed05f3dc968cb00791b77193196ebfd593bf1eb943394ad8b45204fdb1e40
  • SHA512: 6d734a1af220c758ad74d18519dd9775ed792600c1be9d4dabdd99c7c4ee8131b844070e5a14244763ed73373f016bb2eb8f9aab7ca12949c802dbcb8d0217e9
  • SSDEEP: 1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMDLe:P5eznsjsguGDFqGZ2rDLe

Malware Config

Extracted

  • Family: njrat
  • Version: 0.7d
  • Botnet: neuf
  • C2: doddyfire.linkpc.net:10000
  • Mutex: e1a87040f2026369a233f9ae76301b7b

Attributes
  • reg_key: e1a87040f2026369a233f9ae76301b7b
  • splitter: |'|'|

Targets

    • njRAT/Bladabindi: Widely used RAT written in .NET.
    • Modifies Windows Firewall
    • Checks computer location settings: Looks up country code configured in the registry, likely geofence.
    • Executes dropped EXE
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15