General

  • Target: 58d2ae4ceed62902138c2f5213e55840N.exe
  • Size: 116KB
  • Sample: 240805-gp86gsydjl
  • MD5: 58d2ae4ceed62902138c2f5213e55840
  • SHA1: 0722c4ef53f21d9b6aa149d3d09c17d2615d9da4
  • SHA256: d42f02228901e0d1a7501501071cd96323e67cb6c5d2740dd967efbe28bffaa4
  • SHA512: fe675854435b6e7b39a3037988df4844e947da936bf3112b6d1f27dc8bfb0efadf07f3647d0440b5460dd531f8f9f61aae4de8c630fd2ce9cd05f640758d37c2
  • SSDEEP: 1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMz:P5eznsjsguGDFqGZ2rz

Malware Config

Extracted

  • Family: njrat
  • Version: 0.7d
  • Botnet: neuf
  • C2: doddyfire.linkpc.net:10000
  • Mutex: e1a87040f2026369a233f9ae76301b7b

Attributes

  • reg_key: e1a87040f2026369a233f9ae76301b7b
  • splitter: |'|'|

Targets

    • Target: 58d2ae4ceed62902138c2f5213e55840N.exe
    • Size: 116KB
    • MD5: 58d2ae4ceed62902138c2f5213e55840
    • SHA1: 0722c4ef53f21d9b6aa149d3d09c17d2615d9da4
    • SHA256: d42f02228901e0d1a7501501071cd96323e67cb6c5d2740dd967efbe28bffaa4
    • SHA512: fe675854435b6e7b39a3037988df4844e947da936bf3112b6d1f27dc8bfb0efadf07f3647d0440b5460dd531f8f9f61aae4de8c630fd2ce9cd05f640758d37c2
    • SSDEEP: 1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMz:P5eznsjsguGDFqGZ2rz

    • njRAT/Bladabindi: Widely used RAT written in .NET.
    • Modifies Windows Firewall
    • Checks computer location settings: Looks up country code configured in the registry, likely geofence.
    • Executes dropped EXE
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks