General

  • Target

    85c54864ec45f32945e485809b6ad8dbde2237dc91ed7bea562515916b6235fd

  • Size

    112KB

  • Sample

    240805-3nnztawdjd

  • MD5

    c82f3b55262fb14cbbc8eb8359e2281d

  • SHA1

    39c49ec1146cea35d54d90586e3a865556008b68

  • SHA256

    85c54864ec45f32945e485809b6ad8dbde2237dc91ed7bea562515916b6235fd

  • SHA512

    e16502e8efee462d59e5f0f76bf4ba9fdaf02c39e26371007c8b6ece0dbf2a874d458cfdce537ef715ffa0e5c5672aab43f4bfbc43a24b178b73301ae1b231b9

  • SSDEEP

    1536:orp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4xtKegoxmOBh73TX:w5eznsjsguGDFqGx8egoxmO3rTX

Malware Config

Extracted

  • Family

    njrat

  • Version

    0.7d

  • Botnet

    neuf

  • C2

    doddyfire.linkpc.net:10000

  • Mutex

    e1a87040f2026369a233f9ae76301b7b

  • Attributes

    • reg_key

      e1a87040f2026369a233f9ae76301b7b

    • splitter

      |'|'|

Targets

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up the country code configured in the registry; likely a geofencing check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks