General

  • Target

    f38ea4eeb7c16fcd33716808405a6e30N.exe

  • Size

    115KB

  • Sample

    240804-tsj2zstfkb

  • MD5

    f38ea4eeb7c16fcd33716808405a6e30

  • SHA1

    b0ddfd8f339747553280195be9b35ec37f399588

  • SHA256

    7d1e7582956758b1f576ef63859ff499fe858696617f9eed53c86cd35930ef2f

  • SHA512

    a37a8ebb4fcd0f9afb397b89b596b035aee6d7a9800479b4a9165280b15a0da67a72ddcecef18998cd9ad884f6309e4bff6d6a3514724b2eb7ddf4e6ce78d936

  • SSDEEP

    1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMhI:P5eznsjsguGDFqGZ2rhI

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

neuf

C2

doddyfire.linkpc.net:10000

Mutex

e1a87040f2026369a233f9ae76301b7b

Attributes
  • reg_key

    e1a87040f2026369a233f9ae76301b7b

  • splitter

    |'|'|
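The extracted config is most useful once it is turned into something a network or host analyst can run. The Python below is an added example, not code from the sandbox report or from njRAT itself. It takes the C2, mutex, reg_key and splitter values from the config above, builds a small indicator set from them, and cuts an njRAT-style C2 byte stream into messages split on the `|'|'|` splitter. Two things are assumptions rather than facts stated in the report and are marked as such in the code: the length-prefixed framing (`<decimal length>` NUL `<payload>`) used by njRAT 0.7d, and the convention that the bot's check-in id starts with the botnet name. The sample traffic is constructed inline for the example.

```python
"""Turn the extracted njRAT config into indicators and parse C2 messages.

Added example, not part of the sandbox report. Framing and message layout
below are assumptions about njRAT 0.7d, not values taken from the report.
"""
from typing import Dict, List, Tuple

# Values copied from the Malware Config section of the report.
CONFIG = {
    "family": "njrat",
    "version": "0.7d",
    "botnet": "neuf",
    "c2": "doddyfire.linkpc.net:10000",
    "mutex": "e1a87040f2026369a233f9ae76301b7b",
    "reg_key": "e1a87040f2026369a233f9ae76301b7b",
    "splitter": "|'|'|",
}


def build_indicators(config: Dict[str, str]) -> Dict[str, object]:
    """Map config fields to host and network indicators an analyst can hunt on.

    Assumption: njRAT writes its persistence value under the per-user Run key
    using reg_key as the value name; the report only says a Run key is added.
    """
    host, _, port = config["c2"].rpartition(":")
    return {
        "c2_host": host,
        "c2_port": int(port),
        "mutex": config["mutex"],
        "run_value_name": config["reg_key"],
        "run_key_path": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
        "botnet": config["botnet"],
    }


def split_frames(stream: bytes) -> Tuple[List[bytes], bytes]:
    """Cut a TCP byte stream into complete C2 messages.

    Assumed framing: ASCII decimal payload length, one NUL byte, then exactly
    that many payload bytes. Returns (complete payloads, unconsumed tail) so the
    caller can keep feeding bytes as more of the stream arrives; a truncated
    final message is left in the tail instead of being mis-parsed.
    """
    frames: List[bytes] = []
    pos = 0
    while True:
        nul = stream.find(b"\x00", pos)
        if nul == -1:
            break
        length_field = stream[pos:nul]
        if not length_field.isdigit():
            raise ValueError(f"bad length field at offset {pos}: {length_field!r}")
        end = nul + 1 + int(length_field)
        if end > len(stream):
            break  # partial frame; wait for the rest of the stream
        frames.append(stream[nul + 1:end])
        pos = end
    return frames, stream[pos:]


def parse_payload(payload: bytes, splitter: str = CONFIG["splitter"]) -> Dict[str, object]:
    """Split one message on the configured splitter: first field is the command."""
    fields = payload.decode("utf-8", errors="replace").split(splitter)
    return {"command": fields[0], "args": fields[1:]}


def is_checkin_for_botnet(msg: Dict[str, object], config: Dict[str, str]) -> bool:
    """Assumption: the 'll' check-in carries '<botnet>_<hwid>' as its first argument."""
    args = msg["args"]
    return msg["command"] == "ll" and bool(args) and str(args[0]).split("_", 1)[0] == config["botnet"]


def frame(payload: bytes) -> bytes:
    """Build one message in the assumed framing (used here to construct sample traffic)."""
    return str(len(payload)).encode() + b"\x00" + payload


# Constructed sample stream: a check-in, an active-window report, and a
# truncated third message that must be held back rather than parsed.
SAMPLE_STREAM = (
    frame(b"ll|'|'|neuf_ABCDEF|'|'|DESKTOP-1|'|'|user")
    + frame(b"act|'|'|notepad")
    + b"9\x00inf|'|'|"
)


def analyze_stream(stream: bytes, config: Dict[str, str] = CONFIG) -> List[Dict[str, object]]:
    """Parse every complete message and flag check-ins that match the config's botnet."""
    frames, _rest = split_frames(stream)
    results = []
    for raw in frames:
        msg = parse_payload(raw, config["splitter"])
        msg["checkin_for_botnet"] = is_checkin_for_botnet(msg, config)
        results.append(msg)
    return results


if __name__ == "__main__":
    print(build_indicators(CONFIG))
    for m in analyze_stream(SAMPLE_STREAM):
        print(m)
```

The framing helper returns the unconsumed tail on purpose: when reassembling from a pcap or a proxy log, messages routinely straddle segment boundaries, and treating a short read as a corrupt stream would drop the next complete message with it.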

Targets

    • Target

      f38ea4eeb7c16fcd33716808405a6e30N.exe

    • Size

      115KB

    • MD5

      f38ea4eeb7c16fcd33716808405a6e30

    • SHA1

      b0ddfd8f339747553280195be9b35ec37f399588

    • SHA256

      7d1e7582956758b1f576ef63859ff499fe858696617f9eed53c86cd35930ef2f

    • SHA512

      a37a8ebb4fcd0f9afb397b89b596b035aee6d7a9800479b4a9165280b15a0da67a72ddcecef18998cd9ad884f6309e4bff6d6a3514724b2eb7ddf4e6ce78d936

    • SSDEEP

      1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMhI:P5eznsjsguGDFqGZ2rhI

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing (the sample can refuse to run in certain regions).

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks