General

  • Target

    3e6c291122fb5de9f4a7d38c12b60183fa57a6c5dfeaa9911c6da0b9474ff471

  • Size

    118KB

  • Sample

    240806-zmeszazfkj

  • MD5

    601bd6bf8366d33d06de5f6720541eb0

  • SHA1

    8163f1c7e8d31b2dc22c506e410ea651e9ba179f

  • SHA256

    3e6c291122fb5de9f4a7d38c12b60183fa57a6c5dfeaa9911c6da0b9474ff471

  • SHA512

    acedaa904d5e483f60f1481123821e30a21ee61a25149bb2f4cd55ba76b19035c94555982102b3f26db6e16bf4a14c328892aec607248a95f0759e2b4c48e59b

  • SSDEEP

    1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMDLfz:P5eznsjsguGDFqGZ2rDLfz

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

neuf

C2

doddyfire.linkpc.net:10000

Mutex

e1a87040f2026369a233f9ae76301b7b

Attributes
  • reg_key

    e1a87040f2026369a233f9ae76301b7b

  • splitter

    |'|'|
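The splitter, botnet name and version above describe the wire format, not just static strings. As an added worked example (not part of this report and not njRAT's own code), the decoder below applies them to njRAT's TCP framing: each message is an ASCII decimal byte count, a NUL byte, then the payload, and payload fields are separated by the configured splitter. The field order used for the `ll` registration beacon is the layout commonly documented for 0.7d and is treated as an assumption here; the beacon bytes are constructed for the example, not captured from this sample.

```python
import base64
from dataclasses import dataclass

# Values taken from the extracted config above.
SPLITTER = "|'|'|"
BOTNET = "neuf"

# Field order of the "ll" registration beacon as commonly documented for
# njRAT 0.7d. Assumption: this sample follows the stock 0.7d layout.
REGISTRATION_FIELDS = [
    "victim_id", "computer_name_b64", "user_name", "install_date",
    "unused", "os", "has_camera", "version", "flags", "active_window_b64",
]


@dataclass
class Frame:
    command: str
    fields: list


def frame_messages(stream: bytes):
    """Split a raw TCP stream into njRAT message payloads.

    Each message is an ASCII decimal byte count, a NUL separator, then that
    many payload bytes. Parsing stops at the first malformed or truncated
    frame so a partial capture does not yield garbage."""
    payloads = []
    pos = 0
    while pos < len(stream):
        nul = stream.find(b"\x00", pos)
        if nul == -1 or not stream[pos:nul].isdigit():
            break
        length = int(stream[pos:nul])
        body = stream[nul + 1:nul + 1 + length]
        if len(body) != length:
            break
        payloads.append(body)
        pos = nul + 1 + length
    return payloads


def parse_payload(payload: bytes, splitter: str = SPLITTER) -> Frame:
    """Split one payload on the configured splitter; field 0 is the command."""
    parts = payload.decode("utf-8", errors="replace").split(splitter)
    return Frame(command=parts[0], fields=parts[1:])


def _b64(s: str) -> str:
    """Decode a base64 field, leaving values that are not valid base64 as-is."""
    try:
        return base64.b64decode(s, validate=True).decode("utf-8", errors="replace")
    except (ValueError, UnicodeDecodeError):
        return s


def decode_registration(frame: Frame) -> dict:
    """Name the fields of an 'll' beacon and decode its base64 members."""
    if frame.command != "ll":
        raise ValueError(f"not a registration beacon: {frame.command!r}")
    named = dict(zip(REGISTRATION_FIELDS, frame.fields))
    named["computer_name"] = _b64(named.pop("computer_name_b64", ""))
    named["active_window"] = _b64(named.pop("active_window_b64", ""))
    botnet, _, hwid = named.get("victim_id", "").partition("_")
    named["botnet"] = botnet
    named["hwid"] = hwid
    # True when the beacon agrees with the config extracted from this sample.
    named["matches_config"] = botnet == BOTNET and named.get("version") == "0.7d"
    return named


def build_sample_stream() -> bytes:
    """Constructed registration beacon (not captured traffic) in the 0.7d layout,
    followed by a deliberately truncated second frame."""
    fields = [
        "ll", f"{BOTNET}_0123456789ABCDEF",
        base64.b64encode(b"DESKTOP-TEST").decode(),
        "user", "24-08-06", "", "Win 10 Pro SP0 x64", "No", "0.7d", "..",
        base64.b64encode(b"Untitled - Notepad").decode(), "",
    ]
    payload = SPLITTER.join(fields).encode()
    truncated = b"40\x00partial"  # frame cut short, as in a partial pcap
    return f"{len(payload)}\x00".encode() + payload + truncated


if __name__ == "__main__":
    for raw in frame_messages(build_sample_stream()):
        print(decode_registration(parse_payload(raw)))
```

The same framing applies to commands sent from the controller, so `frame_messages` plus `parse_payload` is enough to walk a full session from a capture; the `matches_config` flag is a quick way to tie a beacon to this particular build (botnet `neuf`, version `0.7d`) rather than to any njRAT traffic.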

Targets

    • Target

      3e6c291122fb5de9f4a7d38c12b60183fa57a6c5dfeaa9911c6da0b9474ff471

    • Size

      118KB

    • MD5

      601bd6bf8366d33d06de5f6720541eb0

    • SHA1

      8163f1c7e8d31b2dc22c506e410ea651e9ba179f

    • SHA256

      3e6c291122fb5de9f4a7d38c12b60183fa57a6c5dfeaa9911c6da0b9474ff471

    • SHA512

      acedaa904d5e483f60f1481123821e30a21ee61a25149bb2f4cd55ba76b19035c94555982102b3f26db6e16bf4a14c328892aec607248a95f0759e2b4c48e59b

    • SSDEEP

      1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMDLfz:P5eznsjsguGDFqGZ2rDLfz

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely to geofence execution.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

      Typically seen when a payload is written into a suspended process and its entry point redirected before the thread is resumed (process hollowing); worth correlating with the dropped EXE noted above.
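The behaviours listed above map directly onto host telemetry. The following added example (mine, not from the report or the sandbox) scores constructed Sysmon-style events against this report's indicators: a Run value named with the reg_key string, a Run value pointing into a user-writable directory, a child `netsh firewall add allowedprogram` command (the way njRAT builds typically whitelist their own copy) credited to the parent process, and a DNS query for the C2 host. Event shapes, pids and paths are constructed for the example and the weights are illustrative.

```python
import re
from collections import defaultdict

# Indicators lifted from this report.
REG_KEY_VALUE_NAME = "e1a87040f2026369a233f9ae76301b7b"  # Run value name (same string as the mutex)
C2_HOST = "doddyfire.linkpc.net"

RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
NETSH_FW_RE = re.compile(r"netsh(?:\.exe)?\s+firewall\s+add\s+allowedprogram\b", re.I)
USER_WRITABLE_RE = re.compile(r"\\(?:AppData|Temp|Downloads)\\", re.I)

# Illustrative weight of each finding; a process at or above THRESHOLD is flagged.
WEIGHTS = {
    "run_value_named_like_report": 3,
    "run_value_points_to_user_dir": 1,
    "child_netsh_firewall_allow": 2,
    "dns_query_report_c2": 3,
}
THRESHOLD = 3

# Constructed events (not real telemetry): one implant process plus a benign
# Run value from another process to show a low-confidence hit.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 1234, "parent_pid": 900,
     "image": r"C:\Users\u\AppData\Roaming\server.exe",
     "cmdline": r'"C:\Users\u\AppData\Roaming\server.exe"'},
    {"type": "registry_set", "pid": 1234,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\e1a87040f2026369a233f9ae76301b7b",
     "data": r'"C:\Users\u\AppData\Roaming\server.exe"'},
    {"type": "process_create", "pid": 1300, "parent_pid": 1234,
     "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": r'netsh firewall add allowedprogram "C:\Users\u\AppData\Roaming\server.exe" "server.exe" ENABLE'},
    {"type": "dns_query", "pid": 1234, "query": "doddyfire.linkpc.net"},
    {"type": "registry_set", "pid": 2000,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r'"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
]


def evaluate(events):
    """Attribute findings to process ids and sum their weights.

    netsh runs as a child of the implant, so that finding is credited to the
    parent pid rather than to netsh.exe itself."""
    findings = defaultdict(set)
    for ev in events:
        kind = ev["type"]
        if kind == "registry_set":
            m = RUN_KEY_RE.search(ev["key"])
            if not m:
                continue
            value_name = ev["key"][m.end():]
            if value_name.lower() == REG_KEY_VALUE_NAME:
                findings[ev["pid"]].add("run_value_named_like_report")
            if USER_WRITABLE_RE.search(ev.get("data", "")):
                findings[ev["pid"]].add("run_value_points_to_user_dir")
        elif kind == "process_create":
            if NETSH_FW_RE.search(ev.get("cmdline", "")):
                findings[ev["parent_pid"]].add("child_netsh_firewall_allow")
        elif kind == "dns_query":
            if ev.get("query", "").lower() == C2_HOST:
                findings[ev["pid"]].add("dns_query_report_c2")
    return {
        pid: {"score": sum(WEIGHTS[f] for f in fs), "findings": sorted(fs)}
        for pid, fs in findings.items()
    }


def flagged_pids(events, threshold=THRESHOLD):
    """Process ids whose combined score reaches the threshold."""
    return sorted(pid for pid, r in evaluate(events).items() if r["score"] >= threshold)


if __name__ == "__main__":
    for pid, result in evaluate(SAMPLE_EVENTS).items():
        print(pid, result)
    print("flagged:", flagged_pids(SAMPLE_EVENTS))
```

Only the reg_key name and the C2 host are specific to this sample; the Run-value-in-user-directory and child-netsh rules are generic and on their own sit below the threshold, which is why the benign OneDrive entry in the sample data is scored but not flagged. The mutex is not covered because ordinary endpoint telemetry rarely records mutex creation; it is better checked on the box or in a sandbox.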

MITRE ATT&CK Enterprise v15

Tasks