General

  • Target

    56abfebef03d924d2b15990a2177e3a0N.exe

  • Size

    118KB

  • Sample

    240825-pxsgpswenn

  • MD5

    56abfebef03d924d2b15990a2177e3a0

  • SHA1

    5ee290d229b6cb45ab14d2944ac1f642e40524e8

  • SHA256

    70c5d04755f6c1d511eb95da0eb9c66129739c96b530d25465249dc4c88b3dd9

  • SHA512

    37358e109ba7443eada0d7a242e651d422328c11319f3f01df33aa780c3c9f88feb963459cc6c8b32388ff1e31ab15610e236cb0b14ced362a2c3c20723aa5b9

  • SSDEEP

    1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMDL/3:P5eznsjsguGDFqGZ2rDL/3

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

neuf

C2

doddyfire.linkpc.net:10000

Mutex

e1a87040f2026369a233f9ae76301b7b

Attributes
  • reg_key

    e1a87040f2026369a233f9ae76301b7b

  • splitter

    |'|'|
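The splitter and C2 values above are enough to start writing traffic-side detection. The block below is an added example, not part of the sandbox report or the malware itself: a small Python frame splitter and field parser keyed on this sample's splitter `|'|'|`. It assumes the `<decimal length>\x00<payload>` framing described in public analyses of njRAT 0.7d; the command tokens and the sample stream are constructed for illustration and should be confirmed against the sample's own traffic. Note that `linkpc.net` is a dynamic-DNS provider, so hunt on the FQDN and the splitter string rather than on whatever IP the name resolved to at detonation time.

```python
"""Frame splitter and field parser for njRAT traffic, keyed on the extracted config.

Added example, not from the sandbox report. The framing ('<decimal length>\\x00<payload>')
follows public analyses of njRAT 0.7d and is an assumption to verify against the sample.
"""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Values taken from the extracted Malware Config.
C2_HOST, C2_PORT = "doddyfire.linkpc.net", 10000
SPLITTER = b"|'|'|"
MUTEX = "e1a87040f2026369a233f9ae76301b7b"  # also the reg_key value name

# Command tokens commonly reported for njRAT 0.7d (assumption: confirm in the sample).
KNOWN_COMMANDS = {
    "ll": "registration / beacon",
    "inf": "request system info",
    "rn": "download and run",
    "kl": "keylogger",
    "un": "uninstall",
    "P": "keepalive",
}

_LEN_PREFIX = re.compile(rb"(\d{1,7})\x00")


@dataclass
class Frame:
    command: str
    fields: List[bytes] = field(default_factory=list)

    @property
    def description(self) -> str:
        return KNOWN_COMMANDS.get(self.command, "unknown command")


def build_frame(command: str, *fields: bytes) -> bytes:
    """Encode one frame as the client would: fields joined by SPLITTER, then length-prefixed."""
    payload = SPLITTER.join([command.encode("latin-1"), *fields])
    return b"%d\x00%s" % (len(payload), payload)


def split_frames(stream: bytes) -> Tuple[List[bytes], bytes]:
    """Cut a TCP payload into complete frame payloads.

    Returns (payloads, remainder). The remainder is a trailing partial frame, or bytes
    that do not match the framing, which the caller should buffer and retry once more
    data arrives; stopping there avoids mis-parsing a frame split across TCP segments.
    """
    payloads: List[bytes] = []
    pos = 0
    while pos < len(stream):
        m = _LEN_PREFIX.match(stream, pos)
        if not m:
            break
        length, start = int(m.group(1)), m.end()
        if start + length > len(stream):
            break  # incomplete frame: leave it in the remainder
        payloads.append(stream[start:start + length])
        pos = start + length
    return payloads, stream[pos:]


def parse_frame(payload: bytes) -> Frame:
    """Split a payload on the sample's splitter; the first field is the command token."""
    parts = payload.split(SPLITTER)
    return Frame(command=parts[0].decode("latin-1", "replace"), fields=parts[1:])


def triage(stream: bytes) -> Tuple[List[Frame], bytes]:
    """Parse every complete frame in a stream and hand back the unparsed tail."""
    complete, remainder = split_frames(stream)
    return [parse_frame(p) for p in complete], remainder


def demo_stream() -> bytes:
    """Constructed traffic (not a real capture): a beacon, a keepalive and a cut-off frame."""
    return (
        build_frame("ll", b"DESKTOP-EXAMPLE", b"victim", b"Win 10 Pro", b"0.7d", MUTEX.encode())
        + build_frame("P")
        + b"42\x00inf" + SPLITTER  # prefix promises 42 bytes but only a fragment arrived
    )


if __name__ == "__main__":
    frames, tail = triage(demo_stream())
    for f in frames:
        print(f"{f.command:<4} {f.description:<24} fields={len(f.fields)}")
    print(f"buffered tail: {tail!r}")
```

The registration beacon is the frame worth alerting on: it carries the splitter several times and the mutex/reg_key string as a field, so a content match on `|'|'|` together with the C2 port 10000 is a cheap first-pass signature, with the frame parser used to confirm and extract victim fields.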

Targets

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Reads the country code configured in the registry, most likely as a geofencing check before running the payload.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
