General

  • Target

    0a9098bba351186ee13496207e7334293067b56fee60e9f9dfdf3e9ed1c1964d.exe

  • Size

    116KB

  • Sample

    240804-2hnanasfkg

  • MD5

    5d4a1b7be87a7affc29bd90fe5176b90

  • SHA1

    dfde898da048b622074973fc62db27746618ee4a

  • SHA256

    0a9098bba351186ee13496207e7334293067b56fee60e9f9dfdf3e9ed1c1964d

  • SHA512

    6c7915da5d8afa64ad4e0c8fbdc8f18a6afe78fc0906ca0d80c31e543a78d0e9fef832e14ac508e444a083deab5b3a706a2e3717fd583cc5722c575c5250603d

  • SSDEEP

    1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMDLVMo:P5eznsjsguGDFqGZ2rDLr

Malware Config

Extracted

  • Family

    njrat

  • Version

    0.7d

  • Botnet

    neuf

  • C2

    doddyfire.linkpc.net:10000

  • Mutex

    e1a87040f2026369a233f9ae76301b7b

Attributes

  • reg_key

    e1a87040f2026369a233f9ae76301b7b

  • splitter

    |'|'|

Targets

    • Target

      0a9098bba351186ee13496207e7334293067b56fee60e9f9dfdf3e9ed1c1964d.exe

    • Size

      116KB

    • MD5

      5d4a1b7be87a7affc29bd90fe5176b90

    • SHA1

      dfde898da048b622074973fc62db27746618ee4a

    • SHA256

      0a9098bba351186ee13496207e7334293067b56fee60e9f9dfdf3e9ed1c1964d

    • SHA512

      6c7915da5d8afa64ad4e0c8fbdc8f18a6afe78fc0906ca0d80c31e543a78d0e9fef832e14ac508e444a083deab5b3a706a2e3717fd583cc5722c575c5250603d

    • SSDEEP

      1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMDLVMo:P5eznsjsguGDFqGZ2rDLr

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks