General

  • Target

    49662dc212b6d65608e8a3a4eaae3317.exe

  • Size

    118KB

  • Sample

    240805-anpl5avelg

  • MD5

    49662dc212b6d65608e8a3a4eaae3317

  • SHA1

    9d197ec092c4b7970e29997f077d8937002e919a

  • SHA256

    ca556149fa9f0ba30343e099d1d852bcf3eba68c718482c8b8f209b8cf72efb4

  • SHA512

    ebb844b6d059865f1ffd902490e0f178a08de2e78ddd565d34452d8b1a6a761028fce6b71c8663fb1b35563713f1b9ad479d49aaf90f410e7434449f6645585b

  • SSDEEP

    1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMDLJU:P5eznsjsguGDFqGZ2rDLu

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

neuf

C2

doddyfire.linkpc.net:10000

Mutex

e1a87040f2026369a233f9ae76301b7b

Attributes

  • reg_key

    e1a87040f2026369a233f9ae76301b7b

  • splitter

    |'|'|

Targets

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
