General

  • Target

    01cdee7e4430f4288c71f431d4973910N.exe

  • Size

    116KB

  • Sample

    240731-zq8v8asgll

  • MD5

    01cdee7e4430f4288c71f431d4973910

  • SHA1

    a00acc11232e292cbc4e26a8ee975169e0f34aad

  • SHA256

    36e901beaa9d1df56e89e77dc011a56edd2e1b82dc01f4f5efc3df2a8249048a

  • SHA512

    6e448eeddfd8e2add3359708c327cd226b7bc56099bab01aa8f2ad42fde21ae46afd4ca7173724bc741e87f2714aaedd663d099dbbe1e40afabc66bf54963577

  • SSDEEP

    1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMDLVMa:P5eznsjsguGDFqGZ2rDL5

Malware Config

Extracted

  • Family

    njrat

  • Version

    0.7d

  • Botnet

    neuf

  • C2

    doddyfire.linkpc.net:10000

  • Mutex

    e1a87040f2026369a233f9ae76301b7b

  • Attributes

    • reg_key

      e1a87040f2026369a233f9ae76301b7b

    • splitter

      |'|'|

Targets

    • Target

      01cdee7e4430f4288c71f431d4973910N.exe

    • Size

      116KB

    • MD5

      01cdee7e4430f4288c71f431d4973910

    • SHA1

      a00acc11232e292cbc4e26a8ee975169e0f34aad

    • SHA256

      36e901beaa9d1df56e89e77dc011a56edd2e1b82dc01f4f5efc3df2a8249048a

    • SHA512

      6e448eeddfd8e2add3359708c327cd226b7bc56099bab01aa8f2ad42fde21ae46afd4ca7173724bc741e87f2714aaedd663d099dbbe1e40afabc66bf54963577

    • SSDEEP

      1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMDLVMa:P5eznsjsguGDFqGZ2rDL5

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks