General

  • Target

    7D9BDFD79D19C3747B6C8A901A87A6CB.exe

  • Size

    118KB

  • Sample

    240806-16rsbawdpf

  • MD5

    7d9bdfd79d19c3747b6c8a901a87a6cb

  • SHA1

    bc1172b55a0444a917ee38da653258366d21b6a0

  • SHA256

    3d7efcd6d8aea2ac2b5ef051dc9933ab37400132b9f54d5ac042748b92e43c4b

  • SHA512

    e8c14a6643776b9111f90e2a73f182970327cc562d1602dd78724be0b037136766b775161fd09bacc6692040d2e1da1fe3d286a01f078dff5f8c1c9f4a73a4c9

  • SSDEEP

    1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMDL14FOA:P5eznsjsguGDFqGZ2rDL14FOA

Malware Config

Extracted

  • Family

    njrat

  • Version

    0.7d

  • Botnet

    neuf

  • C2

    doddyfire.linkpc.net:10000

  • Mutex

    e1a87040f2026369a233f9ae76301b7b

  • Attributes

    reg_key: e1a87040f2026369a233f9ae76301b7b

    splitter: |'|'|

Targets

    • Target

      7D9BDFD79D19C3747B6C8A901A87A6CB.exe

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up the country code configured in the registry; likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks