General

  • Target: 4200858d961c9ad4109c010a4d6d9ca0N.exe
  • Size: 116KB
  • Sample: 240820-nr9clatcrj
  • MD5: 4200858d961c9ad4109c010a4d6d9ca0
  • SHA1: 443a330e385075c62b9f304efadbf3726e1db5f5
  • SHA256: 77544fc1f622eebcb73f655d769b8896a043726370937f09d37939d00d4a4afe
  • SHA512: 8ba046431a379aa1bbef418392621c58347b51ea982dc9dabcdcbdc8979fdf4f96a9df1812c379ce0550c5ed928fdf1d9a9f7d3a7e28b81e8072b703ebcd09be
  • SSDEEP: 1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMDpR:P5eznsjsguGDFqGZ2rD7

Malware Config (extracted)

  • Family: njrat
  • Version: 0.7d
  • Botnet: neuf
  • C2: doddyfire.linkpc.net:10000
  • Mutex: e1a87040f2026369a233f9ae76301b7b
  • Attributes
    • reg_key: e1a87040f2026369a233f9ae76301b7b
    • splitter: |'|'|

Targets

    • njRAT/Bladabindi: widely used RAT written in .NET.
    • Modifies Windows Firewall
    • Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
    • Executes dropped EXE
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
