General

  • Target

    bba4c0c2a93dbc278635a42900c34c30N.exe

  • Size

    116KB

  • Sample

    240901-l58l4sxfrl

  • MD5

    bba4c0c2a93dbc278635a42900c34c30

  • SHA1

    37ac6b90978a4d9988fd44a75bbcff62f69d3b18

  • SHA256

    15084977208ec22b853fc37c4bc732eaf27edbbef387b6d99d85cf861e94042e

  • SHA512

    4a7006a8c7d518d202f755e2333d2e14f4949d5b2634be4d2aee4e62d97c258413a3cd19a1739d051b5637a931e22039e915b9663951c82462bf53d4144e5d18

  • SSDEEP

    1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMDLVB:P5eznsjsguGDFqGZ2rDL7

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

neuf

C2

doddyfire.linkpc.net:10000

Mutex

e1a87040f2026369a233f9ae76301b7b

Attributes
  • reg_key

    e1a87040f2026369a233f9ae76301b7b

  • splitter

    |'|'|
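
The splitter, C2 and reg_key values above are enough to build a small decoder and an IOC list. The block below is an added example, not code from the sandbox report or from the sample; it assumes the commonly documented njRAT wire framing (an ASCII decimal length, a NUL byte, then the payload with fields joined by the splitter) and the "ll" registration message layout with a base64 victim ID in the second field. The beacon bytes it parses are constructed for the example, and the Run key path is the usual njRAT location rather than something the report states.

```python
"""Worked example for the njRAT 0.7d configuration extracted above.

Added example: not code from the sandbox report or from the sample.
It takes the three values the report gives (splitter, C2 host:port,
reg_key/mutex) and assumes the commonly documented njRAT framing,
"<ascii length>\\x00<payload>" with payload fields joined by the
splitter, and an "ll" registration message whose second field is a
base64 victim ID. The beacon bytes below are constructed, not captured.
"""
import base64

SPLITTER = "|'|'|"                                  # "splitter" attribute
C2_HOST, C2_PORT = "doddyfire.linkpc.net", 10000    # "C2" attribute
REG_KEY = "e1a87040f2026369a233f9ae76301b7b"        # "reg_key", also the mutex


def frame(fields):
    """Encode one njRAT-style message: decimal length, NUL, payload."""
    payload = SPLITTER.join(fields).encode()
    return str(len(payload)).encode() + b"\x00" + payload


def parse_stream(buf):
    """Cut a TCP byte buffer into complete messages.

    Returns (messages, remainder). A message whose declared length runs
    past the end of the buffer stays in the remainder so the caller can
    retry once more bytes arrive; a non-numeric length prefix means this
    is not njRAT framing and raises ValueError.
    """
    msgs = []
    while buf:
        nul = buf.find(b"\x00")
        if nul < 0:
            break                       # length prefix not complete yet
        if not buf[:nul].isdigit():
            raise ValueError("not njRAT framing: %r" % buf[:nul])
        start = nul + 1
        end = start + int(buf[:nul])
        if len(buf) < end:
            break                       # payload incomplete, wait for more
        payload = buf[start:end].decode("utf-8", "replace")
        msgs.append(payload.split(SPLITTER))
        buf = buf[end:]
    return msgs, buf


def victim_id(fields):
    """Decode the base64 victim ID carried by an 'll' registration
    message (assumed field layout); None for anything else."""
    if len(fields) < 2 or fields[0] != "ll":
        return None
    try:
        return base64.b64decode(fields[1], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None


def host_iocs():
    """Artifacts a responder would hunt for, derived from the config.
    The Run key path is the usual njRAT location (assumption)."""
    return {
        "c2": "%s:%d" % (C2_HOST, C2_PORT),
        "mutex": REG_KEY,
        "run_value": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\%s" % REG_KEY,
    }


# Constructed sample: a registration beacon for victim "HacKed_ABCDEF123".
SAMPLE_BEACON = frame([
    "ll",
    base64.b64encode(b"HacKed_ABCDEF123").decode(),
    "DESKTOP-01", "user", "24-09-01", "", "Win 10 Pro", "No", "0.7d", "..",
    "Program Manager",
])


if __name__ == "__main__":
    # Feed one full beacon plus the start of a second to show buffering.
    messages, rest = parse_stream(SAMPLE_BEACON + SAMPLE_BEACON[:7])
    for m in messages:
        print("fields:", m, "victim:", victim_id(m))
    print("buffered remainder:", rest)
    print(host_iocs())
```

Because njRAT sends its "ll" message immediately after the TCP connect, the splitter plus a numeric NUL-terminated length prefix is a usable network signature; the parser raises on any other framing so a false match on unrelated traffic surfaces instead of being silently split.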

Targets

    • Target

      bba4c0c2a93dbc278635a42900c34c30N.exe


    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

      Changes the host firewall configuration; njRAT typically registers its own executable as an allowed program so the outbound C2 connection is not blocked.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

      Runs an executable that the sample itself wrote to disk.

    • Loads dropped DLL

      Loads a DLL that the sample itself wrote to disk.

    • Adds Run key to start application

      Registry Run-key persistence (ATT&CK T1547.001); for njRAT the value name is normally the configured reg_key, e1a87040f2026369a233f9ae76301b7b here.

    • Suspicious use of SetThreadContext

      Setting the context of a thread in another process is a common process-injection primitive (process hollowing, ATT&CK T1055.012).
