General

  • Target: 4f26497520ca3310f7f99cbfd80be1e0N.exe
  • Size: 115KB
  • Sample: 240817-ntfs3atcnh
  • MD5: 4f26497520ca3310f7f99cbfd80be1e0
  • SHA1: e779f19cc46f61a72a94e8fc01c223dc8e2180ea
  • SHA256: 0d1405c3eb6cd4d76d02265d9f9259eaa13e37d3a16df0268bc8a0f060eff0ee
  • SHA512: 584b1ba8dbfe6014f718b438876ab02151dafde04bbe69c24373f3a7ce4804c363d3bf79e778672b5e24e3cbf9330eef35b437cf8297cd120f68be6725500889
  • SSDEEP: 1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMdehOf:P5eznsjsguGDFqGZ2rYC

Malware Config

Extracted

  • Family: njrat
  • Version: 0.7d
  • Botnet: neuf
  • C2: doddyfire.linkpc.net:10000
  • Mutex: e1a87040f2026369a233f9ae76301b7b

Attributes

  • reg_key: e1a87040f2026369a233f9ae76301b7b
  • splitter: |'|'|

Targets

    • njRAT/Bladabindi: Widely used RAT written in .NET.
    • Modifies Windows Firewall
    • Checks computer location settings: Looks up the country code configured in the registry, likely a geofence.
    • Executes dropped EXE
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks