General

  • Target

    df91c62bb04ab30051e60b0e340d37c0N.exe

  • Size

    116KB

  • Sample

    240904-bf55ks1hrr

  • MD5

    df91c62bb04ab30051e60b0e340d37c0

  • SHA1

    43d8966e9f2d69577bca3eaed1cc2900ad9ca4c8

  • SHA256

    5d5e33d61bf2f068aad09bf57ebd67763c5f210e305246cb16fb1f87c51ffcfa

  • SHA512

    764c3da47dda7f9634778d0b522483d74c3c90930bcac01fda762af1f8ea2a6e652731f290c4d29f47a971a0d33dfe6eab5f5b4f78eb616624f3d47d0bc4a54f

  • SSDEEP

    1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMDLVZ:P5eznsjsguGDFqGZ2rDLn

Malware Config

Extracted

  • Family

    njrat

  • Version

    0.7d

  • Botnet

    neuf

  • C2

    doddyfire.linkpc.net:10000

  • Mutex

    e1a87040f2026369a233f9ae76301b7b

  • Attributes

    • reg_key

      e1a87040f2026369a233f9ae76301b7b

    • splitter

      |'|'|

Targets

    • Target

      df91c62bb04ab30051e60b0e340d37c0N.exe

    • Size

      116KB

    • MD5

      df91c62bb04ab30051e60b0e340d37c0

    • SHA1

      43d8966e9f2d69577bca3eaed1cc2900ad9ca4c8

    • SHA256

      5d5e33d61bf2f068aad09bf57ebd67763c5f210e305246cb16fb1f87c51ffcfa

    • SHA512

      764c3da47dda7f9634778d0b522483d74c3c90930bcac01fda762af1f8ea2a6e652731f290c4d29f47a971a0d33dfe6eab5f5b4f78eb616624f3d47d0bc4a54f

    • SSDEEP

      1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMDLVZ:P5eznsjsguGDFqGZ2rDLn

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks