General

  • Target

    0913864b29f64f75b6ddb8b2adc60f1af4096314c93545637f89379dec630228

  • Size

    118KB

  • Sample

    240807-w8l8dssapm

  • MD5

    c5e1a9165704a33665b8fc5690da6775

  • SHA1

    bf3044c4bd9318272c1c7294e37a89f3fed9688c

  • SHA256

    0913864b29f64f75b6ddb8b2adc60f1af4096314c93545637f89379dec630228

  • SHA512

    ba973f2c9ad9df046d338a91e3c33adffd84cbab6ba79c39cdc9b1c4ef8a40ff0303e338de224b797506cb5c922429a0706353734a744b8112853424aae7631e

  • SSDEEP

    1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMDLZlw:P5eznsjsguGDFqGZ2rDLA

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

neuf

C2

doddyfire.linkpc.net:10000

Mutex

e1a87040f2026369a233f9ae76301b7b

Attributes
  • reg_key

    e1a87040f2026369a233f9ae76301b7b

  • splitter

    |'|'|
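
The config values above (splitter `|'|'|`, C2 `doddyfire.linkpc.net:10000`, version `0.7d`) are what a network analyst needs to decode or signature njRAT traffic. The following Python is an added example, not part of this report or the sandbox's own code: it frames a captured TCP stream and splits each message on the configured splitter. The length-prefixed framing (ASCII decimal length, NUL byte, payload) and the field layout of the `ll` registration message are assumptions drawn from public njRAT analyses, and the capture bytes are constructed for illustration, not taken from this sample's real C2 session.

```python
"""Decode njRAT-style C2 messages with the extracted config (added example)."""

SPLITTER = "|'|'|"                                    # from the extracted config
C2_HOST, C2_PORT = "doddyfire.linkpc.net", 10000      # from the extracted config
NJ_VERSION = "0.7d"                                   # from the extracted config


def build_frame(payload: bytes) -> bytes:
    """njRAT framing (assumption: as seen in 0.7d builds): ASCII length, NUL, payload."""
    return str(len(payload)).encode() + b"\x00" + payload


def split_frames(stream: bytes) -> list:
    """Split a captured TCP stream into complete payloads.

    Stops at the first thing that is not njRAT framing; a truncated trailing
    frame (length announced but bytes missing) is dropped rather than parsed.
    """
    frames, i = [], 0
    while i < len(stream):
        nul = stream.find(b"\x00", i)
        if nul == -1 or not stream[i:nul].isdigit():
            break
        n = int(stream[i:nul])
        body = stream[nul + 1:nul + 1 + n]
        if len(body) < n:
            break
        frames.append(body)
        i = nul + 1 + n
    return frames


def decode_message(payload: bytes) -> tuple:
    """Return (command, fields) by splitting on the configured splitter."""
    parts = payload.decode("utf-8", "replace").split(SPLITTER)
    return parts[0], parts[1:]


def looks_like_njrat(stream: bytes) -> bool:
    """Content check a NIDS rule would approximate: framed, first message uses the
    splitter and carries the known version string."""
    frames = split_frames(stream)
    if not frames:
        return False
    _, fields = decode_message(frames[0])
    return SPLITTER.encode() in frames[0] and NJ_VERSION in fields


# Constructed sample traffic (assumed field order; not a real capture).
REGISTRATION = SPLITTER.join([
    "ll", "neuf_AB12CD34", "DESKTOP-1", "user", "24-08-07", "", "Win 10", "No",
    NJ_VERSION, "..", "explorer.exe", "",
]).encode()
PING = b"P"
CAPTURE = build_frame(REGISTRATION) + build_frame(PING) + b"12\x00trunc"

if __name__ == "__main__":
    for frame in split_frames(CAPTURE):
        cmd, fields = decode_message(frame)
        print(f"{C2_HOST}:{C2_PORT} <- {cmd} {fields}")
```

Splitting on the exact splitter string rather than on `|` matters: the botnet id and active-window fields routinely contain single pipes and quotes, so a naive split desynchronises the field positions.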

Targets

    • Target

      0913864b29f64f75b6ddb8b2adc60f1af4096314c93545637f89379dec630228

    • Size

      118KB

    • MD5

      c5e1a9165704a33665b8fc5690da6775

    • SHA1

      bf3044c4bd9318272c1c7294e37a89f3fed9688c

    • SHA256

      0913864b29f64f75b6ddb8b2adc60f1af4096314c93545637f89379dec630228

    • SHA512

      ba973f2c9ad9df046d338a91e3c33adffd84cbab6ba79c39cdc9b1c4ef8a40ff0303e338de224b797506cb5c922429a0706353734a744b8112853424aae7631e

    • SSDEEP

      1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMDLZlw:P5eznsjsguGDFqGZ2rDLA

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
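
The behaviours flagged above (Run key persistence, firewall modification) map directly onto host telemetry, and the config's `reg_key` gives a high-confidence value name to pivot on. The following Python is an added example, not part of this report or the sandbox's own code: it runs simple rules over Sysmon-style event records. The event dictionaries and the `netsh firewall add allowedprogram` command line are constructed for illustration from njRAT's commonly documented behaviour; this report does not reproduce the sample's actual command lines or registry paths.

```python
"""Match the sandbox-flagged njRAT behaviours against Sysmon-style events (added example)."""
import re

REG_KEY = "e1a87040f2026369a233f9ae76301b7b"   # extracted config: reg_key (same value as the mutex)

# Run key value set under HKCU/HKU or HKLM; group 1 is the value name.
RUN_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$", re.I)
# Legacy netsh firewall syntax njRAT is widely reported to use (assumption, not from this report).
NETSH_RE = re.compile(r"\bnetsh(?:\.exe)?\s+firewall\s+add\s+allowedprogram\b", re.I)


def check_event(ev: dict, reg_key: str = REG_KEY) -> list:
    """Return the rule names an event trips (empty list when nothing matches)."""
    hits = []
    if ev.get("EventID") == 13:                       # Sysmon: registry value set
        m = RUN_RE.search(ev.get("TargetObject", ""))
        if m:
            hits.append("run_key_persistence")
            if m.group(1).lower() == reg_key.lower():
                hits.append("njrat_reg_key_match")
    if ev.get("EventID") == 1:                        # Sysmon: process create
        if NETSH_RE.search(ev.get("CommandLine", "")):
            hits.append("firewall_allowedprogram_via_netsh")
    # Mutex creation is not a Sysmon event; the mutex name needs handle-level
    # telemetry or a memory scan, so it is not checked here.
    return hits


def triage(events: list, reg_key: str = REG_KEY) -> list:
    """Return [(event_index, hits)] for every event that trips at least one rule."""
    return [(i, check_event(ev, reg_key)) for i, ev in enumerate(events)
            if check_event(ev, reg_key)]


# Constructed events (not from this report's sandbox run).
EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe"},
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\e1a87040f2026369a233f9ae76301b7b",
     "Details": r"C:\Users\user\AppData\Roaming\server.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": r'netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\server.exe" "server.exe" ENABLE'},
    {"EventID": 13,
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"},
]

if __name__ == "__main__":
    for idx, hits in triage(EVENTS):
        print(idx, hits)
```

The generic `run_key_persistence` rule fires on legitimate software too (the OneDrive entry above), so on its own it is a hunting lead, not an alert; the `njrat_reg_key_match` rule keyed on the extracted `reg_key` is what turns it into a confident detection for this sample.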

MITRE ATT&CK Enterprise v15

Tasks