General

  • Target

    177812135c5e0ca405a8ca286ddac220N.exe

  • Size

    117KB

  • Sample

    240804-2z7evstbnd

  • MD5

    177812135c5e0ca405a8ca286ddac220

  • SHA1

    a773340ee477417043a5ddba6e792b9f748f49bb

  • SHA256

    b42540e9e3261407279e4fa52c643dded04ce242f4bc5a6bc415c3629cf0f1b1

  • SHA512

    285974e16767745c359dbcaa59e02eb060831cc91615e25777d3493014336ed475ef6c2c3d7a1a4122e2327775af51aa9d4bc266d1d359bdb74ab888ac67182f

  • SSDEEP

    1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMDLZSRZ:P5eznsjsguGDFqGZ2rDL4Z

Malware Config

Extracted

  • Family

    njrat

  • Version

    0.7d

  • Botnet

    neuf

  • C2

    doddyfire.linkpc.net:10000

  • Mutex

    e1a87040f2026369a233f9ae76301b7b

Attributes

  • reg_key

    e1a87040f2026369a233f9ae76301b7b

  • splitter

    |'|'|

Targets

    • Target

      177812135c5e0ca405a8ca286ddac220N.exe

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15