General

  • Target

    ce56e343737fa826188d56d1d5e373f0N.exe

  • Size

    112KB

  • Sample

    240803-w6klsawdkb

  • MD5

    ce56e343737fa826188d56d1d5e373f0

  • SHA1

    174aa3e274078a5ed8ecdf0e5d2060bc7fd58976

  • SHA256

    2fc70e5f0958ae3ae16b50b1147e52a61dfedf48ceb5170b74ecd9d5de604333

  • SHA512

    84717816a91cce867b39e77cf6fd0e6e9116ff7fd700b2e29bc13e9484a7f0bf5e9a9f246698dd43b887c888335117283642904f830fb3da446dcfdb18598a81

  • SSDEEP

    1536:orp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4xtKegoxmOBh73Tw:w5eznsjsguGDFqGx8egoxmO3rTw

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

neuf

C2

doddyfire.linkpc.net:10000

Mutex

e1a87040f2026369a233f9ae76301b7b

Attributes

  • reg_key

    e1a87040f2026369a233f9ae76301b7b

  • splitter

    |'|'|

Targets

    • Target

      ce56e343737fa826188d56d1d5e373f0N.exe

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks