General

  • Target

    ee37d87ce01671ecb7dd7c9eb5426b10N.exe

  • Size

    116KB

  • Sample

    240804-p2vgvszdlc

  • MD5

    ee37d87ce01671ecb7dd7c9eb5426b10

  • SHA1

    02c8858cc6c51b746e3059adcca632c566783733

  • SHA256

    9fb33c8ef65434d61fe49b663596a60b3c8be3e1168dd4dbc6292555b7227478

  • SHA512

    c5baae3dfa38b45964900ff49801da6f6e02dc4c49e3c12c449a14af9820b1d10f2e905dc40784309013ead92ff7e027d06cfaac40d81f48c1fdb08e2a625431

  • SSDEEP

    1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMIkt:P5eznsjsguGDFqGZ2rIkt

Malware Config

Extracted

  • Family

    njrat

  • Version

    0.7d

  • Botnet

    neuf

  • C2

    doddyfire.linkpc.net:10000

  • Mutex

    e1a87040f2026369a233f9ae76301b7b

  • Attributes

    • reg_key

      e1a87040f2026369a233f9ae76301b7b

    • splitter

      |'|'|

Targets

    • Target

      ee37d87ce01671ecb7dd7c9eb5426b10N.exe

    • Size

      116KB

    • MD5

      ee37d87ce01671ecb7dd7c9eb5426b10

    • SHA1

      02c8858cc6c51b746e3059adcca632c566783733

    • SHA256

      9fb33c8ef65434d61fe49b663596a60b3c8be3e1168dd4dbc6292555b7227478

    • SHA512

      c5baae3dfa38b45964900ff49801da6f6e02dc4c49e3c12c449a14af9820b1d10f2e905dc40784309013ead92ff7e027d06cfaac40d81f48c1fdb08e2a625431

    • SSDEEP

      1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMIkt:P5eznsjsguGDFqGZ2rIkt

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks