General

  • Target: 81da4d2e8959ba7ac4f0418c93f2ae10N.exe
  • Size: 112KB
  • Sample: 240805-mxtcwsxgmg
  • MD5: 81da4d2e8959ba7ac4f0418c93f2ae10
  • SHA1: 51bfe616f962421862e7658bca571e5e2768ac63
  • SHA256: 5f1926eb97deea59325f770225611590a6a4979023f7d64904981df22a3e07b0
  • SHA512: d91681ba5970d68a090484004506ae373991c76e3d347a8510b336f551758993665481370dd8577eb580af2180d4eb6863dc542cd3c9ad5f3a415d95a2ceede8
  • SSDEEP: 1536:orp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4xtKegoxmOBh73aB:w5eznsjsguGDFqGx8egoxmO3raB

Malware Config

Extracted

  • Family: njrat
  • Version: 0.7d
  • Botnet: neuf
  • C2: doddyfire.linkpc.net:10000
  • Mutex: e1a87040f2026369a233f9ae76301b7b

Attributes

  • reg_key: e1a87040f2026369a233f9ae76301b7b
  • splitter: |'|'|

Targets

    • Target: 81da4d2e8959ba7ac4f0418c93f2ae10N.exe
    • Size: 112KB
    • MD5: 81da4d2e8959ba7ac4f0418c93f2ae10
    • SHA1: 51bfe616f962421862e7658bca571e5e2768ac63
    • SHA256: 5f1926eb97deea59325f770225611590a6a4979023f7d64904981df22a3e07b0
    • SHA512: d91681ba5970d68a090484004506ae373991c76e3d347a8510b336f551758993665481370dd8577eb580af2180d4eb6863dc542cd3c9ad5f3a415d95a2ceede8
    • SSDEEP: 1536:orp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4xtKegoxmOBh73aB:w5eznsjsguGDFqGx8egoxmO3raB

    • njRAT/Bladabindi
      Widely used RAT written in .NET.
    • Modifies Windows Firewall
    • Checks computer location settings
      Looks up country code configured in the registry, likely geofence.
    • Executes dropped EXE
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks