General

  • Target: afaba83fd4269c3494a7435c64256540N
  • Size: 117KB
  • Sample: 240912-e4lmma1erg
  • MD5: afaba83fd4269c3494a7435c64256540
  • SHA1: ceafedc8ea3f575dd8a1acd5b794f7514a3992b1
  • SHA256: 0e9b822031ed03c94f3ee223c9cc8a02a9a7a1ce9a6842d45f0176671e7c0bf3
  • SHA512: 56d9563a7f2d23892ee3b21e1f9f27a4590aed0bc757c93c986084a6fd7e29347e0d6af7770312e22280a63e862f664298d0facb885dedddd063d887bb91071b
  • SSDEEP: 1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMDLZM6:P5eznsjsguGDFqGZ2rDLZM6

Malware Config

Extracted

  • Family: njrat
  • Version: 0.7d
  • Botnet: neuf
  • C2: doddyfire.linkpc.net:10000
  • Mutex: e1a87040f2026369a233f9ae76301b7b

Attributes

  • reg_key: e1a87040f2026369a233f9ae76301b7b
  • splitter: |'|'|

Targets

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks