General

  • Target

    e4bfe376f80ed041c1106ee775c6a7b0N.exe

  • Size

    112KB

  • Sample

    240804-hg8enayeqm

  • MD5

    e4bfe376f80ed041c1106ee775c6a7b0

  • SHA1

    dfa177f421ff5793c264a6151a6b59729ddc86c0

  • SHA256

    d200723933e53e242f2647eff5941bf1b256fe4b1a67b475847f3e47449b63fd

  • SHA512

    8f5b5a2a67cd43be5a6cbf91640a6c7c5fed293fb562a9e2903325bf9006e3021c75a522f9a5595daba776dba5b92e8ebb23582e2a54033099be2a5574c8c92d

  • SSDEEP

    1536:orp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4xtKegoxmOBh73T3:w5eznsjsguGDFqGx8egoxmO3rT3

Malware Config

Extracted

  • Family

    njrat

  • Version

    0.7d

  • Botnet

    neuf

  • C2

    doddyfire.linkpc.net:10000

  • Mutex

    e1a87040f2026369a233f9ae76301b7b

  • Attributes

    • reg_key

      e1a87040f2026369a233f9ae76301b7b

    • splitter

      |'|'|

Targets

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks