General

  • Target

    76bfb683aa72f819a5013ef0ff2bdf80N.exe

  • Size

    116KB

  • Sample

    240813-lx4ces1hmk

  • MD5

    76bfb683aa72f819a5013ef0ff2bdf80

  • SHA1

    ced6e9df5bd75c78a2300553c465dd77bc78f406

  • SHA256

    9ec1fe32c7553b58be4bb840ca7c32b665141a8d9f31d3eccaa02b4bef8783f1

  • SHA512

    479f595426a604542531a702299d35c624d3129aaa457d7efcdcbac6dd5f35a5e16915dd0e1599d4eaa8888e4557d1796e033b39bcca105647ffccf504641298

  • SSDEEP

    1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMDLZM:P5eznsjsguGDFqGZ2rDLZM

Malware Config

Extracted

  • Family

    njrat

  • Version

    0.7d

  • Botnet

    neuf

  • C2

    doddyfire.linkpc.net:10000

  • Mutex

    e1a87040f2026369a233f9ae76301b7b

Attributes

  • reg_key

    e1a87040f2026369a233f9ae76301b7b

  • splitter

    |'|'|

Targets

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks