General

  • Target

    d8a83c4911a1a3ad2912ae7d5d192350N.exe

  • Size

    115KB

  • Sample

    240823-wwt3gayemd

  • MD5

    d8a83c4911a1a3ad2912ae7d5d192350

  • SHA1

    748e7d8b45a5f0997b75a1c523602e884773700c

  • SHA256

    b46d00f45d89113b5ef42c11f5b788a9f0d5f3067cf91db08a264c7729c2413f

  • SHA512

    62826f0188b82e6a11f210ad977854fc7f8a823e7a0139aaa4bb630cca938fcbb3d2028e4e3caa7cbe034fdb1a9930cf512c277557e3dca388a55948a53c0d26

  • SSDEEP

    1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMdeQzb:P5eznsjsguGDFqGZ2rxb

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

neuf

C2

doddyfire.linkpc.net:10000

Mutex

e1a87040f2026369a233f9ae76301b7b

Attributes
  • reg_key

    e1a87040f2026369a233f9ae76301b7b

  • splitter

    |'|'|

Targets

    • Target

      d8a83c4911a1a3ad2912ae7d5d192350N.exe

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

      Adds its own executable to the firewall's allowed-program list so the C2 connection is not blocked.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      Persistence via a Run value under HKCU\Software\Microsoft\Windows\CurrentVersion\Run; njRAT uses the reg_key value from the config above as the value name.

    • Suspicious use of SetThreadContext

      Typical of injection into a suspended process (process hollowing).
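
The following is an added example, not code from the sandbox report or from njRAT itself. It turns the extracted config above (C2 host and port, reg_key, splitter) and the Run-key persistence signature into a small analysis helper: it reassembles njRAT-style messages from a TCP byte stream and splits them on the config's splitter, then matches the config's indicators against log lines. The framing rule it assumes (an ASCII decimal length, a NUL byte, then the payload, as commonly documented for njRAT 0.7d) is not stated on this page and is labelled as an assumption in the code; the sample traffic and log lines (hostnames such as DESKTOP-A1, user alice, victim id HW-1) are constructed, not captured from this sample.

```python
"""Added example (not part of the sandbox report): parse njRAT-style framed
traffic and match the extracted config against constructed log lines."""

# Values taken from the extracted config on this page.
NJRAT_CONFIG = {
    "c2_host": "doddyfire.linkpc.net",
    "c2_port": 10000,
    "mutex": "e1a87040f2026369a233f9ae76301b7b",
    "reg_key": "e1a87040f2026369a233f9ae76301b7b",
    "splitter": "|'|'|",
}

SPLITTER = NJRAT_CONFIG["splitter"].encode()


def frame_messages(stream: bytes) -> list:
    """Split a TCP byte stream into njRAT messages.

    Assumption (commonly documented for njRAT 0.7d, not stated on this page):
    each message is an ASCII decimal length, a NUL byte, then that many bytes
    of payload. A truncated trailing frame is left unparsed.
    """
    frames = []
    pos = 0
    while pos < len(stream):
        nul = stream.find(b"\x00", pos)
        if nul < 0 or not stream[pos:nul].isdigit():
            break  # not a well-formed frame header
        length = int(stream[pos:nul])
        start, end = nul + 1, nul + 1 + length
        if end > len(stream):
            break  # truncated frame: wait for more data
        frames.append(stream[start:end])
        pos = end
    return frames


def parse_message(payload: bytes) -> list:
    """Split one payload on the config's splitter into its fields."""
    return [f.decode("utf-8", "replace") for f in payload.split(SPLITTER)]


# Constructed sample traffic (not captured from this sample): a beacon
# frame with victim/host/user/version fields, a short "ack" frame and a
# truncated frame that must be left alone.
beacon = SPLITTER.join([b"ll", b"HW-1", b"DESKTOP-A1", b"alice", b"0.7d"])
SAMPLE_STREAM = (str(len(beacon)).encode() + b"\x00" + beacon
                 + b"3\x00ack" + b"10\x00trunc")


def decode_stream(stream: bytes = SAMPLE_STREAM) -> list:
    """Return the fields of every complete frame in the stream."""
    return [parse_message(f) for f in frame_messages(stream)]


# Constructed log lines (not from the report): a DNS query, a connection,
# a Run-key write and an unrelated query.
SAMPLE_LOGS = [
    "dns query host=doddyfire.linkpc.net type=A",
    "net connect dst=doddyfire.linkpc.net:10000 proto=tcp",
    r"reg set HKCU\Software\Microsoft\Windows\CurrentVersion\Run "
    "value=e1a87040f2026369a233f9ae76301b7b",
    "dns query host=example.com type=A",
]


def match_iocs(lines=SAMPLE_LOGS) -> list:
    """Return (line_index, indicator_name) pairs for lines carrying a config IOC.

    mutex and reg_key are identical in this config, so only reg_key is listed
    to avoid double-reporting the same string.
    """
    indicators = {
        "c2_host": NJRAT_CONFIG["c2_host"],
        "c2_socket": f'{NJRAT_CONFIG["c2_host"]}:{NJRAT_CONFIG["c2_port"]}',
        "reg_key": NJRAT_CONFIG["reg_key"],
    }
    hits = []
    for i, line in enumerate(lines):
        for name, value in indicators.items():
            if value.lower() in line.lower():
                hits.append((i, name))
    return hits


if __name__ == "__main__":
    for fields in decode_stream():
        print("frame:", fields)
    for idx, name in match_iocs():
        print(f"IOC {name} in line {idx}: {SAMPLE_LOGS[idx]}")
```

The framing parser stops at the first malformed or incomplete header rather than skipping ahead, which is the safe choice when reassembling a stream in chunks: the caller keeps the unparsed tail and appends the next chunk to it. The IOC matcher is deliberately plain substring matching on the config values; a production rule would also anchor on the Run-key path and the mutex name seen in process telemetry.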
