General

  • Target: 22df937e33e8a560430b38ed85a38f28.exe
  • Size: 114KB
  • Sample: 240731-bny18stbnb
  • MD5: 22df937e33e8a560430b38ed85a38f28
  • SHA1: 1af219469049cf0fb521c949fbf4e43a4fdb1154
  • SHA256: dec10b8896db38cadc312a885bd9022c9519679e0cef018288e2e3ae447fcb70
  • SHA512: e9393f2f60cd580c8f1809e6779f3613466a5a2cbec9cf1afb84350df66a71aaefa91a5bcd33bc8d9e32252da8f654fdfc060739bc3c625cc93f93f1375c7a1f
  • SSDEEP: 1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMd18x:P5eznsjsguGDFqGZ2r7y

Malware Config

Extracted

  • Family: njrat
  • Version: 0.7d
  • Botnet: neuf
  • C2: doddyfire.linkpc.net:10000
  • Mutex: e1a87040f2026369a233f9ae76301b7b

Attributes

  • reg_key: e1a87040f2026369a233f9ae76301b7b
  • splitter: |'|'|

Targets

    • Target: 22df937e33e8a560430b38ed85a38f28.exe
    • njRAT/Bladabindi: widely used RAT written in .NET.
    • Modifies Windows Firewall
    • Checks computer location settings: looks up the country code configured in the registry, likely a geofence check.
    • Executes dropped EXE
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15