General

  • Target: c59960094e31b847aa66622e08440000N.exe
  • Size: 116KB
  • Sample: 240731-t5adbaxhkd
  • MD5: c59960094e31b847aa66622e08440000
  • SHA1: 0676b078c28b61fb9f238a2156be884460e781c6
  • SHA256: 48a241b18f8e818b09f142d2481be2a9404d0fec31223053c026585f092f9572
  • SHA512: 0c39da19dc47e0917637de8f420f9156d74fba552f7b52b4d56115f1f7aeea57c563567d35056f7205b622518f3b26c739866982e9c8e270c2c7725e061da11b
  • SSDEEP: 1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMDLVMc:P5eznsjsguGDFqGZ2rDLj

Malware Config

Extracted

  • Family: njrat
  • Version: 0.7d
  • Botnet: neuf
  • C2: doddyfire.linkpc.net:10000
  • Mutex: e1a87040f2026369a233f9ae76301b7b

Attributes
  • reg_key: e1a87040f2026369a233f9ae76301b7b
  • splitter: |'|'|

Targets

    • Target: c59960094e31b847aa66622e08440000N.exe

    • njRAT/Bladabindi: Widely used RAT written in .NET.
    • Modifies Windows Firewall
    • Checks computer location settings: Looks up country code configured in the registry, likely geofence.
    • Executes dropped EXE
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15