General

  • Target

    d002658654c975947f9f605cb13eec30N.exe

  • Size

    118KB

  • Sample

    240803-xrrbfssdlp

  • MD5

    d002658654c975947f9f605cb13eec30

  • SHA1

    6f4a7c628a4899892276399308184e2db5d71ad5

  • SHA256

    782c435f307bc501180345266abad2dd01a8c555890e7df72537e7c1bb1130ac

  • SHA512

    e22b30e2aceb1191abee5752d7221d11e5e9218e8474ac9156ebec86e8a845968e366d9396ca474a51adbad0814af9a097d74618bdc6f0f3fcda615989f1186d

  • SSDEEP

    1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMDLfQ:P5eznsjsguGDFqGZ2rDLfQ

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

neuf

C2

doddyfire.linkpc.net:10000

Mutex

e1a87040f2026369a233f9ae76301b7b

Attributes
  • reg_key

    e1a87040f2026369a233f9ae76301b7b

  • splitter

    |'|'|
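The extracted config above gives the C2 endpoint and the field splitter `|'|'|`, which njRAT uses to join fields inside each C2 message. As an added example (not part of the sandbox report or the malware's own code), the Python below decodes a constructed njRAT-style TCP stream: the framing assumed here, from public njRAT write-ups, is `<decimal length>\0<payload>` with payload fields joined by the splitter. The beacon contents (victim id built from the botnet name `neuf`, hostname, command names) are constructed sample data, not traffic captured from this sample.

```python
"""
Decode njRAT-style C2 traffic using the splitter recovered from the sample config.

Assumed framing (from public njRAT analyses, not from the report above):
    "<decimal length>\x00<payload>"  where payload = command + SPLITTER + field1 + SPLITTER + ...
All sample traffic below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Tuple

SPLITTER = "|'|'|"                                    # from the extracted config
C2_HOST, C2_PORT = "doddyfire.linkpc.net", 10000      # from the extracted config


@dataclass
class Message:
    command: str
    fields: List[str]


def build_frame(command: str, fields: List[str], splitter: str = SPLITTER) -> bytes:
    """Encode one message the way the (assumed) njRAT framing does."""
    payload = splitter.join([command, *fields]).encode("utf-8")
    return str(len(payload)).encode("ascii") + b"\x00" + payload


def split_frames(stream: bytes) -> Tuple[List[bytes], bytes]:
    """Cut a byte stream into complete frames; returns (frames, unconsumed tail)."""
    frames: List[bytes] = []
    pos = 0
    while True:
        nul = stream.find(b"\x00", pos)
        if nul == -1:
            break                                   # no length terminator yet
        length_field = stream[pos:nul]
        if not length_field.isdigit():
            raise ValueError(f"bad length prefix at offset {pos}: {length_field!r}")
        start = nul + 1
        end = start + int(length_field)
        if end > len(stream):
            break                                   # partial frame: keep it in the tail
        frames.append(stream[start:end])
        pos = end
    return frames, stream[pos:]


def parse_message(frame: bytes, splitter: str = SPLITTER) -> Message:
    """Split a frame payload into the command token and its fields."""
    parts = frame.decode("utf-8", errors="replace").split(splitter)
    return Message(command=parts[0], fields=parts[1:])


def looks_like_njrat(frame: bytes, splitter: str = SPLITTER) -> bool:
    """Cheap detection heuristic: a short alphanumeric command followed by the splitter."""
    text = frame.decode("utf-8", errors="replace")
    if splitter not in text:
        return False
    head = text.split(splitter, 1)[0]
    return 0 < len(head) <= 4 and head.isalnum()


# Constructed stream: a registration message, a window-title update, then a partial frame.
# Field order in the registration message is illustrative only.
SAMPLE_STREAM = (
    build_frame("ll", ["neuf_5A2B1C3D", "DESKTOP-TEST", "user", "24-08-03",
                       "", "Win 10 Pro SP0 x64", "No", "0.7d", ".."])
    + build_frame("act", ["Notepad"])
    + b"12\x00partial"
)


if __name__ == "__main__":
    frames, tail = split_frames(SAMPLE_STREAM)
    for f in frames:
        m = parse_message(f)
        print(f"njrat={looks_like_njrat(f)} command={m.command!r} fields={m.fields}")
    print(f"unconsumed tail: {tail!r}")
```

Pointing this at a PCAP reassembly for TCP/10000 toward doddyfire.linkpc.net (or any resolved address for it) gives you the command stream; the length-prefix check also rejects ordinary text protocols, so the heuristic is usable as a first-pass filter before a full decode.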

Targets

    • Target

      d002658654c975947f9f605cb13eec30N.exe

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
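The persistence and geofence signatures above can be checked directly on a suspect host. The PowerShell below is an added triage example, not part of the sandbox report: it walks the user and machine Run keys for a value named after the config's reg_key, hashes whatever each Run entry launches against the sample's SHA256, and reads the registry location that the "Checks computer location settings" signature refers to (assumed here to be HKCU\Control Panel\International\Geo). The path-extraction regex is a simplification for ordinary Run entries.

```powershell
# Added host-triage example; values come from the extracted config and hashes above.
# Run in an elevated PowerShell on the suspect host.
$RegKeyName   = 'e1a87040f2026369a233f9ae76301b7b'
$SampleSha256 = '782c435f307bc501180345266abad2dd01a8c555890e7df72537e7c1bb1130ac'
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)

$findings = foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # skip PowerShell provider metadata
        $command = [string]$p.Value
        # Reduce '"C:\path\x.exe" args' or 'C:\path\x.exe args' to the executable path (simplified).
        $path = ($command -replace '^"([^"]+)".*$', '$1') -replace '^(\S+\.exe).*$', '$1'
        $hash = $null
        if ($path -and (Test-Path -LiteralPath $path)) {
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash.ToLower()
        }
        [pscustomobject]@{
            Key       = $key
            ValueName = $p.Name
            Command   = $command
            SHA256    = $hash
            NameMatch = ($p.Name -eq $RegKeyName)
            HashMatch = ($hash -eq $SampleSha256)
        }
    }
}

Write-Host '== Run entries matching the njRAT reg_key name or the sample hash =='
$findings | Where-Object { $_.NameMatch -or $_.HashMatch } | Format-List

# Country code the sample is assumed to read for its geofence check.
Write-Host '== Configured location (HKCU\Control Panel\International\Geo) =='
Get-ItemProperty -Path 'HKCU:\Control Panel\International\Geo' -ErrorAction SilentlyContinue |
    Select-Object Nation, Name
```

A hit on NameMatch with a non-matching hash is still worth pulling: njRAT's dropped copy is often a renamed or repacked file, so treat the reg_key value name as the stronger indicator and hash the referenced file for the IOC set.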
