General

  • Target

    c5c3169cf4c8132f94a8ce8346745c67d1cb1164d0bca05e355da8733dc6f3a2

  • Size

    116KB

  • Sample

    240817-fj7vssyarh

  • MD5

    29ad3bc0d80b70bcf377fc9cdc0534d1

  • SHA1

    6603a72eebe0ad6bdcb0c28efc8cf09fe57605dc

  • SHA256

    c5c3169cf4c8132f94a8ce8346745c67d1cb1164d0bca05e355da8733dc6f3a2

  • SHA512

    7c7b17045aaa606ec555170a0ba9fd95bfdef0d783b973bffa17a009f82d1e643820cf13abe7c4d6f39d82202f12dc8862b89decc30daaeb7ee648707d2346b1

  • SSDEEP

    1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMdeQzr:P5eznsjsguGDFqGZ2rxr

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

neuf

C2

doddyfire.linkpc.net:10000

Mutex

e1a87040f2026369a233f9ae76301b7b

Attributes

  • reg_key

    e1a87040f2026369a233f9ae76301b7b

  • splitter

    |'|'|

Targets

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15