General

  • Target

    d61cbbf2347a69de344cb704f3f9fda962f74c4e3eb876437bb54c9e9ebdfda8

  • Size

    112KB

  • Sample

    240815-e69r8szdnn

  • MD5

    4449d044f34669273f853193e1a98e4e

  • SHA1

    d51367bc4815f08f7750cbf9be79f94f8ec319d4

  • SHA256

    d61cbbf2347a69de344cb704f3f9fda962f74c4e3eb876437bb54c9e9ebdfda8

  • SHA512

    8d8cb1189c9abe186930ae6c371beb7f9bf6c031d52e40de3a6d9ee8597fda2c1d7fc997e93510bc17cbe8f547381affa90d9dce31b547ac42a00321c388e70e

  • SSDEEP

    1536:orp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4xtKegoxmOBh739:w5eznsjsguGDFqGx8egoxmO3r9

Malware Config

Extracted

  • Family

    njrat

  • Version

    0.7d

  • Botnet

    neuf

  • C2

    doddyfire.linkpc.net:10000

  • Mutex

    e1a87040f2026369a233f9ae76301b7b

Attributes
  • reg_key

    e1a87040f2026369a233f9ae76301b7b

  • splitter

    |'|'|

Targets

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
