General

  • Target: f45517c9e224d5ded7c3440f1247c20f464fdc1e2391ba371ac2a2a940eb286f
  • Size: 116KB
  • Sample: 240811-evbfasydqg
  • MD5: 2aa632496e8fcc2d350f40fc2c783454
  • SHA1: ce2b94d7a3a8f1f10b294bf614d05636d38b65ea
  • SHA256: f45517c9e224d5ded7c3440f1247c20f464fdc1e2391ba371ac2a2a940eb286f
  • SHA512: c30dd0d9463d619036961b8338eb13d9d9b5b5f7b5ebacb90a72bd1e3e32b6b064024c8a018d16b6dcad9d9cb687e1e6f610a96a3b826d650d7fae1868e31b5a
  • SSDEEP: 1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMDLi:P5eznsjsguGDFqGZ2rDLi

Malware Config

Extracted

  • Family: njrat
  • Version: 0.7d
  • Botnet: neuf
  • C2: doddyfire.linkpc.net:10000
  • Mutex: e1a87040f2026369a233f9ae76301b7b

Attributes
  • reg_key: e1a87040f2026369a233f9ae76301b7b
  • splitter: |'|'|

Targets

    • njRAT/Bladabindi: Widely used RAT written in .NET.
    • Modifies Windows Firewall
    • Checks computer location settings: Looks up the country code configured in the registry, likely for geofencing.
    • Executes dropped EXE
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
