General

  • Target

    7a29d3b5d443431f45f1ae41a988ece0N.exe

  • Size

    111KB

  • Sample

    240818-n6733sshma

  • MD5

    7a29d3b5d443431f45f1ae41a988ece0

  • SHA1

    15e178c99c4b64310564ce90d441a02e5d60511f

  • SHA256

    f77060e1af9efc5a10c35727ce8ba28b4f8228ce0ca2a3a04423895a5d0e8161

  • SHA512

    1381eca0ee52d6b0d118df952cff851e5f43e1cfc252497fa0e2f560244a676948a7248f425af462672390aa350eeb71c740ccf6925dc217f7980288051ccde3

  • SSDEEP

    1536:orp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4xtKegoxmOBh73m:w5eznsjsguGDFqGx8egoxmO3rm

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

neuf

C2

doddyfire.linkpc.net:10000

Mutex

e1a87040f2026369a233f9ae76301b7b

Attributes

  • reg_key

    e1a87040f2026369a233f9ae76301b7b

  • splitter

    |'|'|

Targets

    • Target

      7a29d3b5d443431f45f1ae41a988ece0N.exe

    • Size

      111KB

    • MD5

      7a29d3b5d443431f45f1ae41a988ece0

    • SHA1

      15e178c99c4b64310564ce90d441a02e5d60511f

    • SHA256

      f77060e1af9efc5a10c35727ce8ba28b4f8228ce0ca2a3a04423895a5d0e8161

    • SHA512

      1381eca0ee52d6b0d118df952cff851e5f43e1cfc252497fa0e2f560244a676948a7248f425af462672390aa350eeb71c740ccf6925dc217f7980288051ccde3

    • SSDEEP

      1536:orp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4xtKegoxmOBh73m:w5eznsjsguGDFqGx8egoxmO3rm

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks