General

  • Target

    b9b7ff811fbcd919e52025e0cc43df00N.exe

  • Size

    117KB

  • Sample

    240822-vcbw4szepr

  • MD5

    b9b7ff811fbcd919e52025e0cc43df00

  • SHA1

    de140a3f0e2d1ac5e8af631fb483fad115de8b95

  • SHA256

    14198abd49a3dd1b706266823e80c82ce97503b47ce9ba18999a6b665d03ceb8

  • SHA512

    a7cbc8242046a040e7113e193a43873178f816663b60cf6199ea1bd393c05dd954eaea7896314587411c57eed5c76ebd1c99282b328f97c2b161d184d67e00ca

  • SSDEEP

    1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMDLCGIm4:P5eznsjsguGDFqGZ2rDLIm4

Malware Config

Extracted

  • Family

    njrat

  • Version

    0.7d

  • Botnet

    neuf

  • C2

    doddyfire.linkpc.net:10000

  • Mutex

    e1a87040f2026369a233f9ae76301b7b

Attributes

  • reg_key

    e1a87040f2026369a233f9ae76301b7b

  • splitter

    |'|'|

Targets

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15