General

  • Target

    2edc3e161b6e0ce7fb4af8957b076e00N.exe

  • Size

    118KB

  • Sample

    240814-sdrmvaydja

  • MD5

    2edc3e161b6e0ce7fb4af8957b076e00

  • SHA1

    638b7188832f913bfe54561a10fa4343b6cafe29

  • SHA256

    fcac77f4a679adfb96b883375aa3f260f136a0001c1ab9163679223bb2b667b1

  • SHA512

    14eadf9d8efef159d8a617335be07cb62a9be4b286f10c4a1be3f91b84168055eb11e8c9e2cda17d7e70fee58fafa068455906a26e4c6d4510e7650d8b667a6a

  • SSDEEP

    1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMDL14FO46:P5eznsjsguGDFqGZ2rDL14FO46

Malware Config

Extracted

  • Family

    njrat

  • Version

    0.7d

  • Botnet

    neuf

  • C2

    doddyfire.linkpc.net:10000

  • Mutex

    e1a87040f2026369a233f9ae76301b7b

  • Attributes

    • reg_key

      e1a87040f2026369a233f9ae76301b7b

    • splitter

      |'|'|

Targets

    • Target

      2edc3e161b6e0ce7fb4af8957b076e00N.exe
    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext