General

  • Target

    d9884c666564a3e3fb82982a0792657432fe7a1bc86dae7af5cb1aa99a5ec657

  • Size

    117KB

  • Sample

    240815-fewa7svgng

  • MD5

    5c44e365514e92fec251174baa189e99

  • SHA1

    d263cd0dabac3190ca47753fa71fafa19239e6dd

  • SHA256

    d9884c666564a3e3fb82982a0792657432fe7a1bc86dae7af5cb1aa99a5ec657

  • SHA512

    46d1364c67e72661f25a3cf8325fae0170b924434344832cfc1e1a32fcb456e0605b0e2dd0869d8e49f2a929d54aaa6b0ca47f4f20f51ef19545287a9f3357db

  • SSDEEP

    1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMDLL:P5eznsjsguGDFqGZ2rDLL

Malware Config

Extracted

  • Family

    njrat

  • Version

    0.7d

  • Botnet

    neuf

  • C2

    doddyfire.linkpc.net:10000

  • Mutex

    e1a87040f2026369a233f9ae76301b7b

Attributes

  • reg_key

    e1a87040f2026369a233f9ae76301b7b

  • splitter

    |'|'|

Targets

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
