General

  • Target

    d942687f18668cdb6a76d4dd4c7cf4a0N.exe

  • Size

    111KB

  • Sample

    240803-2r256sseqd

  • MD5

    d942687f18668cdb6a76d4dd4c7cf4a0

  • SHA1

    8ae2a914a8684dbcdb43005ffc99c50315fbd2ac

  • SHA256

    7a4ca29fa76bb4272f926d34e936a1d670ad3f8f81f938d7c2aadf4637fd895e

  • SHA512

    c41dc9359285d7580e7b79c33fb2ff5f7a03a3d47292689f0bc722f32924807510c086527b50d77f0d8ff5d35494b32d399163e2305930475f02f1dca829670f

  • SSDEEP

    1536:orp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4xtKegoxmOBh73TW+:w5eznsjsguGDFqGx8egoxmO3rTW+

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

neuf

C2

doddyfire.linkpc.net:10000

Mutex

e1a87040f2026369a233f9ae76301b7b

Attributes
  • reg_key

    e1a87040f2026369a233f9ae76301b7b

  • splitter

    |'|'|
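The splitter above is the field delimiter njRAT uses inside its C2 messages, and the mutex value doubles as the Run key value name (see Attributes). The following parser is an added example, not part of this report: it frames njRAT-style traffic (ASCII length, NUL byte, payload) and splits each payload on the configured splitter. The sample stream is constructed here to exercise the code, not a capture from this sample; the field order after the "ll" registration command is illustrative only.

```python
"""Frame and split njRAT-style C2 messages using the delimiter extracted from this
sample's config. Added example; the sample stream below is constructed, not captured."""

# Values taken from the extracted config on this page.
SPLITTER = "|'|'|"
C2_HOST, C2_PORT = "doddyfire.linkpc.net", 10000
BOTNET = "neuf"


def build_message(*fields: str) -> bytes:
    """Encode one message: decimal byte length, NUL, then fields joined by SPLITTER."""
    payload = SPLITTER.join(fields).encode("utf-8")
    return str(len(payload)).encode("ascii") + b"\x00" + payload


def frame_messages(stream: bytes) -> list[bytes]:
    """Split a raw TCP stream into message payloads using the length prefix.
    Raises ValueError on a missing terminator or a truncated final message,
    so a caller can keep partial data and wait for more bytes."""
    msgs = []
    pos = 0
    while pos < len(stream):
        nul = stream.find(b"\x00", pos)
        if nul < 0:
            raise ValueError("length prefix not terminated by NUL")
        length = int(stream[pos:nul].decode("ascii"))
        start = nul + 1
        payload = stream[start:start + length]
        if len(payload) != length:
            raise ValueError("truncated message: expected %d bytes" % length)
        msgs.append(payload)
        pos = start + length
    return msgs


def parse_message(payload: bytes) -> dict:
    """Split a payload on the configured splitter; first field is the command."""
    fields = payload.decode("utf-8", "replace").split(SPLITTER)
    return {"command": fields[0], "args": fields[1:]}


def parse_stream(stream: bytes) -> list[dict]:
    return [parse_message(p) for p in frame_messages(stream)]


# Constructed sample: a registration ("ll") message carrying the botnet label,
# followed by a keep-alive ("P"). Field order is illustrative, not njRAT's exact layout.
SAMPLE_STREAM = (
    build_message("ll", "VICTIM-PC", BOTNET, "Win 7")
    + build_message("P")
)

if __name__ == "__main__":
    for msg in parse_stream(SAMPLE_STREAM):
        print(msg)
```

Because the splitter contains single quotes, a naive string search on the raw stream is brittle; splitting only after length-framing, as above, keeps field boundaries correct even when argument values contain a partial delimiter.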

Targets

    • Target

      d942687f18668cdb6a76d4dd4c7cf4a0N.exe

    • Size

      111KB

    • MD5

      d942687f18668cdb6a76d4dd4c7cf4a0

    • SHA1

      8ae2a914a8684dbcdb43005ffc99c50315fbd2ac

    • SHA256

      7a4ca29fa76bb4272f926d34e936a1d670ad3f8f81f938d7c2aadf4637fd895e

    • SHA512

      c41dc9359285d7580e7b79c33fb2ff5f7a03a3d47292689f0bc722f32924807510c086527b50d77f0d8ff5d35494b32d399163e2305930475f02f1dca829670f

    • SSDEEP

      1536:orp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4xtKegoxmOBh73TW+:w5eznsjsguGDFqGx8egoxmO3rTW+

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
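The persistence and firewall signatures above translate directly into host artifacts worth hunting for. The script below is an added example, not output from this report: it scans constructed Sysmon-style event lines for a Run key value named after the config's reg_key and for a netsh firewall exception. The report only states that the firewall is modified; the specific netsh firewall add allowedprogram command is an assumption based on public njRAT analyses, and the log format and paths are constructed for the example.

```python
"""Hunt for host artifacts implied by this sample's behaviours: a Run key value named
after the extracted reg_key and a netsh firewall exception. Added example; the event
lines are constructed Sysmon-style text, not this report's own data."""
import re

# From the extracted config on this page (reg_key and mutex share this value).
REG_KEY = "e1a87040f2026369a233f9ae76301b7b"

# Assumption: the Run key lives under HKCU or HKU\<SID>; both are matched.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\(?P<name>[^\s]+)",
    re.IGNORECASE,
)
# Assumption: njRAT whitelists itself with the legacy "netsh firewall" syntax.
NETSH_FW_RE = re.compile(r"\bnetsh\s+firewall\s+add\s+allowedprogram\b", re.IGNORECASE)


def match_run_key(line: str) -> bool:
    """True if the line sets a Run value whose name equals the extracted reg_key."""
    m = RUN_KEY_RE.search(line)
    return bool(m) and m.group("name").lower() == REG_KEY


def match_firewall(line: str) -> bool:
    """True if the line records a process adding a firewall program exception."""
    return NETSH_FW_RE.search(line) is not None


def hunt(lines: list[str]) -> list[tuple[int, str]]:
    """Return (line index, reason) pairs for every line matching an indicator."""
    hits = []
    for i, line in enumerate(lines):
        if match_run_key(line):
            hits.append((i, "run_key"))
        if match_firewall(line):
            hits.append((i, "firewall"))
    return hits


# Constructed sample events (paths, SID and ordering are invented for the example).
SAMPLE_EVENTS = [
    'EventID=13 Image=C:\\Users\\user\\AppData\\Roaming\\svchost.exe '
    'TargetObject=HKU\\S-1-5-21-1000-2000-3000-1001\\Software\\Microsoft\\Windows'
    '\\CurrentVersion\\Run\\e1a87040f2026369a233f9ae76301b7b '
    'Details="C:\\Users\\user\\AppData\\Roaming\\svchost.exe" ..',
    'EventID=1 Image=C:\\Windows\\System32\\netsh.exe '
    'CommandLine=netsh firewall add allowedprogram '
    '"C:\\Users\\user\\AppData\\Roaming\\svchost.exe" "svchost.exe" ENABLE',
    'EventID=13 Image=C:\\Program Files\\Vendor\\updater.exe '
    'TargetObject=HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorUpdate '
    'Details="C:\\Program Files\\Vendor\\updater.exe"',
    'EventID=1 Image=C:\\Windows\\System32\\notepad.exe CommandLine=notepad.exe',
]

if __name__ == "__main__":
    for idx, reason in hunt(SAMPLE_EVENTS):
        print(f"{reason:9s} line {idx}: {SAMPLE_EVENTS[idx][:80]}")
```

The Run key check is exact on the value name, which keeps it specific to this configuration; the firewall check is deliberately broad, since any unexpected allowedprogram exception from a user-writable path deserves a look regardless of family.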

MITRE ATT&CK Enterprise v15

Tasks