General

  • Target

    31f96a500b826eb138c513b5aea86620N.exe

  • Size

    118KB

  • Sample

    240803-cb7chsyhnn

  • MD5

    31f96a500b826eb138c513b5aea86620

  • SHA1

    c5465ee201cb6a6d733f57beb59d2e9c5409fb62

  • SHA256

    5ac8b10d0607caf11a3c1222edf7b5ee3963ad5467eb29da879591808d04ba4e

  • SHA512

    564dcf2ead15559dd1674cc7cf96dea035c8797b13806430ab6a3ed979257ae89e1d1aa18eb9a60483579e7e5f7864cadad025d5bd1ca4880fe256fea034f47d

  • SSDEEP

    1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMDLC:P5eznsjsguGDFqGZ2rDLC

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

neuf

C2

doddyfire.linkpc.net:10000

Mutex

e1a87040f2026369a233f9ae76301b7b

Attributes

  • reg_key

    e1a87040f2026369a233f9ae76301b7b

  • splitter

    |'|'|

Targets

    • Target

      31f96a500b826eb138c513b5aea86620N.exe

    • Size

      118KB

    • MD5

      31f96a500b826eb138c513b5aea86620

    • SHA1

      c5465ee201cb6a6d733f57beb59d2e9c5409fb62

    • SHA256

      5ac8b10d0607caf11a3c1222edf7b5ee3963ad5467eb29da879591808d04ba4e

    • SHA512

      564dcf2ead15559dd1674cc7cf96dea035c8797b13806430ab6a3ed979257ae89e1d1aa18eb9a60483579e7e5f7864cadad025d5bd1ca4880fe256fea034f47d

    • SSDEEP

      1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMDLC:P5eznsjsguGDFqGZ2rDLC

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks