General

  • Target

    3036576f06c4d42019c6775e7a7df5f0N.exe

  • Size

    118KB

  • Sample

    240824-mlb98sxfjm

  • MD5

    3036576f06c4d42019c6775e7a7df5f0

  • SHA1

    e45b4b406cbf52234d507825c9df7e25833f3aea

  • SHA256

    06adff4a12eac2f533883fa85d8e6d725e2196972b1c1b24845545b44a62c54b

  • SHA512

    20c742d17858c4e1db501a035a34f0cf552e8a9a43ea4209481921c654a304df093c7512921e61358d82379388ba65e5a9eced537ccb1e6ea579de10763f59a9

  • SSDEEP

    1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMDL14FO+:P5eznsjsguGDFqGZ2rDL14FO+

Malware Config

Extracted

  • Family

    njrat

  • Version

    0.7d

  • Botnet

    neuf

  • C2

    doddyfire.linkpc.net:10000

  • Mutex

    e1a87040f2026369a233f9ae76301b7b

  • Attributes

    • reg_key

      e1a87040f2026369a233f9ae76301b7b

    • splitter

      |'|'|

Targets

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15