General

  • Target: 72293ccf33ff9da279c5460e9f7f7b20N.exe
  • Size: 116KB
  • Sample: 240903-pa3zxswcnl
  • MD5: 72293ccf33ff9da279c5460e9f7f7b20
  • SHA1: 7130e75bd5c85da908f9219cd0d04346d572a1d0
  • SHA256: c1f607f590390883c97ab34350edc9a3afe00fc3ef14ad8b3ce3d651e836b2fa
  • SHA512: b6679e1aef0962db3884e739f699258eb60914b6acf33aef4a693dcb812cc5a3a1664aa0028e91fc6f7c77869d47860b7213066f59947f25502856bfa50f75c7
  • SSDEEP: 1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMDLVr:P5eznsjsguGDFqGZ2rDL9

Malware Config

Extracted

  • Family: njrat
  • Version: 0.7d
  • Botnet: neuf
  • C2: doddyfire.linkpc.net:10000
  • Mutex: e1a87040f2026369a233f9ae76301b7b

Attributes

  • reg_key: e1a87040f2026369a233f9ae76301b7b
  • splitter: |'|'|

Targets

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks