General

  • Target

    b3b8760694afb936a598a3c8ac476080N.exe

  • Size

    114KB

  • Sample

    240813-be7l1s1dkn

  • MD5

    b3b8760694afb936a598a3c8ac476080

  • SHA1

    caad05a5fde719bafa3f1acf96b0a61604b1d579

  • SHA256

    36d1196e9a0ed69fc4648f126c265a3c5d7be8891ed3cba9265ec73e59b2f460

  • SHA512

    ae4b1116a381797944069ef2e4b2746e3cabf63ef6aeede455ece3eb8e7b55ce7c1658d157a29f3b1a82e81cf1b830f9804fdd0400eeeb38d97cd0fad6689318

  • SSDEEP

    1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuM16:P5eznsjsguGDFqGZ2rY

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

neuf

C2

doddyfire.linkpc.net:10000

Mutex

e1a87040f2026369a233f9ae76301b7b

Attributes

  • reg_key

    e1a87040f2026369a233f9ae76301b7b

  • splitter

    |'|'|

Targets

    • Target

      b3b8760694afb936a598a3c8ac476080N.exe

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks