General

  • Target

    965c9b04307de522482b70a7b0b79b70N.exe

  • Size

    117KB

  • Sample

    240816-wf94rayanf

  • MD5

    965c9b04307de522482b70a7b0b79b70

  • SHA1

    861e28d528681e564220286efa9d2f6fe5e3304a

  • SHA256

    ee4a94267c84c59513a4ce4055af99a021c9a6d18c543cb6cfcd1d6252fc069b

  • SHA512

    b1ca8d391f5065086d029122e8cb1c236760ef9d64bf9c014627fcee3224816e010de4bdfaa138ab36c814b06acf21731266fee3b520d72bbaaeec2aac3c7312

  • SSDEEP

    1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMDLM:P5eznsjsguGDFqGZ2rDLM

Malware Config

Extracted

  • Family

    njrat

  • Version

    0.7d

  • Botnet

    neuf

  • C2

    doddyfire.linkpc.net:10000

  • Mutex

    e1a87040f2026369a233f9ae76301b7b

  • Attributes

    • reg_key

      e1a87040f2026369a233f9ae76301b7b

    • splitter

      |'|'|

Targets

    • Target

      965c9b04307de522482b70a7b0b79b70N.exe

    • Size

      117KB

    • MD5

      965c9b04307de522482b70a7b0b79b70

    • SHA1

      861e28d528681e564220286efa9d2f6fe5e3304a

    • SHA256

      ee4a94267c84c59513a4ce4055af99a021c9a6d18c543cb6cfcd1d6252fc069b

    • SHA512

      b1ca8d391f5065086d029122e8cb1c236760ef9d64bf9c014627fcee3224816e010de4bdfaa138ab36c814b06acf21731266fee3b520d72bbaaeec2aac3c7312

    • SSDEEP

      1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMDLM:P5eznsjsguGDFqGZ2rDLM

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15