General

  • Target

    c220e143aba44ee258f4e0454fb6f500N

  • Size

    115KB

  • Sample

    240914-z1gjqawhnf

  • MD5

    c220e143aba44ee258f4e0454fb6f500

  • SHA1

    b8f047b2ba01e624077d9afa8b2d5d09a24b3c95

  • SHA256

    141b29dc70b6102566c516d1f1d0ce9159fc72518ea7d085eb905f778370b4bb

  • SHA512

    fe78e17a2e8a83099152f1a6f97ca2d57f17920bc864b3720d2886b5b4ec6da4e712de98698539a3e4529cef8783bf7852200941962005c0d1ffdd3d4df30ad3

  • SSDEEP

    1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMdeQy:P5eznsjsguGDFqGZ2rc

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

neuf

C2

doddyfire.linkpc.net:10000

Mutex

e1a87040f2026369a233f9ae76301b7b

Attributes
  • reg_key

    e1a87040f2026369a233f9ae76301b7b

  • splitter

    |'|'|
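
The C2, botnet name and splitter above are enough to recognise this family's traffic on the wire. The following Python is an added example written for this page, not code from the sample, the report or any sandbox; it decodes njRAT-style framed messages using the extracted config. The framing (ASCII decimal length, a NUL byte, then the payload), the command tokens, and the field order of the `ll` registration beacon are taken from the publicly circulated njRAT 0.7d source and are treated as assumptions; the sample stream, the hwid `7A1C9E2F` and the hostnames are constructed.

```python
"""Added example: decode njRAT 0.7d-style C2 framing with the extracted config."""
import base64
import binascii

# Values from the extracted config above.
C2_HOST = "doddyfire.linkpc.net"
C2_PORT = 10000
SPLITTER = "|'|'|"
BOTNET = "neuf"

# First-field command tokens used by njRAT 0.7d (assumption from public source).
KNOWN_COMMANDS = {"ll", "inf", "ret", "proc", "P", "kl", "rs", "rsc"}


def split_frames(stream: bytes) -> list[bytes]:
    """Split a raw TCP stream into njRAT messages.

    Assumed framing: '<decimal length>' + NUL byte + that many payload bytes.
    A malformed prefix or a truncated last frame raises ValueError rather than
    returning partial data, so a caller can tell 'not njRAT' from 'cut off'.
    """
    frames = []
    pos = 0
    while pos < len(stream):
        nul = stream.find(b"\x00", pos)
        if nul == -1 or not stream[pos:nul].isdigit():
            raise ValueError(f"bad length prefix at offset {pos}")
        length = int(stream[pos:nul])
        body = stream[nul + 1:nul + 1 + length]
        if len(body) != length:
            raise ValueError(f"truncated frame at offset {pos}")
        frames.append(body)
        pos = nul + 1 + length
    return frames


def decode_b64_field(field: str) -> str:
    """Decode a base64 field; return it unchanged if it is not valid base64 UTF-8."""
    try:
        return base64.b64decode(field, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return field


def parse_message(body: bytes) -> dict:
    """Split one frame on the configured splitter and interpret an 'll' beacon."""
    fields = body.decode("utf-8", errors="replace").split(SPLITTER)
    msg = {"command": fields[0], "fields": fields[1:]}
    if fields[0] == "ll" and len(fields) >= 5:
        # Assumed layout: ll | b64("<botnet>_<hwid>") | hwid | hostname | username | ...
        botnet, _, hwid = decode_b64_field(fields[1]).rpartition("_")
        msg.update(botnet=botnet, hwid=hwid, hostname=fields[3], username=fields[4])
    return msg


def classify_stream(stream: bytes, dst_host: str, dst_port: int) -> dict:
    """Verdict for one client-to-server TCP stream."""
    verdict = {
        "c2_match": (dst_host.lower(), dst_port) == (C2_HOST, C2_PORT),
        "njrat_framing": False,
        "messages": [],
    }
    try:
        frames = split_frames(stream)
    except ValueError:
        return verdict
    verdict["messages"] = [parse_message(f) for f in frames]
    # Require the splitter plus a known command token; length/NUL framing
    # on its own is too generic to alert on.
    verdict["njrat_framing"] = any(
        m["command"] in KNOWN_COMMANDS and m["fields"] for m in verdict["messages"]
    )
    return verdict


def build_sample_stream() -> bytes:
    """Constructed registration beacon plus a ping frame; not captured traffic."""
    ident = base64.b64encode(f"{BOTNET}_7A1C9E2F".encode()).decode()
    window = base64.b64encode(b"Untitled - Notepad").decode()
    beacon = SPLITTER.join(["ll", ident, "7A1C9E2F", "DESKTOP-LAB", "analyst",
                            "24-09-14", "", "Win 10 Pro SP0 x64", "No", "0.7d",
                            "..", window, ""])
    frames = [beacon.encode(), b"P"]
    return b"".join(str(len(f)).encode() + b"\x00" + f for f in frames)


if __name__ == "__main__":
    v = classify_stream(build_sample_stream(), C2_HOST, C2_PORT)
    print(v["c2_match"], v["njrat_framing"], v["messages"][0].get("botnet"))
```

Feed `classify_stream` the reassembled client-to-server bytes of a flow; the `botnet` field of the decoded beacon should come back as `neuf` for this configuration, and a hostname match on `doddyfire.linkpc.net:10000` alone is worth an alert even when the payload does not parse, since the dynamic DNS name is the operator's, not the family's.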

Targets

    • Target

      c220e143aba44ee258f4e0454fb6f500N

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely as a geofence check before the payload runs.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
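
Three of the behaviours above (the Run key, the firewall change, and execution of a dropped EXE) leave traces in ordinary endpoint telemetry. The Python below is an added example, not from the report or from any sandbox, that matches them against Sysmon-style process-create (EventID 1) and registry value-set (EventID 13) records. The events are constructed; the dropped-file name `server.exe`, the `netsh firewall add allowedprogram` command shape and the Run-key value name are assumptions, the last one using the reg_key from the extracted config.

```python
"""Added example: match the report's host behaviours against Sysmon-style events."""
import re

REG_KEY = "e1a87040f2026369a233f9ae76301b7b"        # reg_key from the extracted config
SAMPLE_NAME = "c220e143aba44ee258f4e0454fb6f500N"   # Target name from the report

# Run-key value set under any hive; group(1) is the value name.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$", re.I)
# Both the legacy 'netsh firewall' and the 'netsh advfirewall' forms.
NETSH_RE = re.compile(
    r"\bnetsh(?:\.exe)?\b.*\b(?:firewall\s+add\s+allowedprogram"
    r"|advfirewall\s+firewall\s+add\s+rule)\b", re.I)
# Locations a dropper typically writes to (assumption, not exhaustive).
USER_WRITABLE_RE = re.compile(r"\\(?:AppData|Temp|ProgramData|Users\\Public)\\", re.I)


def check_event(ev: dict) -> list[str]:
    """Return the behaviour labels one event matches, in a fixed order."""
    hits = []
    eid = ev.get("EventID")
    if eid == 13:
        m = RUN_KEY_RE.search(ev.get("TargetObject", ""))
        if m:
            hits.append("run_key_persistence")
            if m.group(1).lower() == REG_KEY:
                hits.append("run_key_value_matches_config")
    if eid == 1:
        if NETSH_RE.search(ev.get("CommandLine", "")):
            hits.append("firewall_modification")
        image = ev.get("Image", "")
        parent = ev.get("ParentImage", "").lower()
        # A child in a user-writable path spawned by the sample itself.
        if USER_WRITABLE_RE.search(image) and parent.endswith(SAMPLE_NAME.lower() + ".exe"):
            hits.append("dropped_exe_executed")
    return hits


def triage(events: list[dict]) -> dict:
    """Map event index to its hits, skipping events with none."""
    report = {}
    for i, ev in enumerate(events):
        hits = check_event(ev)
        if hits:
            report[i] = hits
    return report


# Constructed Sysmon-style events; not taken from the sandbox run.
EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\analyst\Desktop\c220e143aba44ee258f4e0454fb6f500N.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Users\analyst\Desktop\c220e143aba44ee258f4e0454fb6f500N.exe"'},
    {"EventID": 1, "Image": r"C:\Users\analyst\AppData\Roaming\server.exe",
     "ParentImage": r"C:\Users\analyst\Desktop\c220e143aba44ee258f4e0454fb6f500N.exe",
     "CommandLine": r'"C:\Users\analyst\AppData\Roaming\server.exe"'},
    {"EventID": 13, "Image": r"C:\Users\analyst\AppData\Roaming\server.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows"
                     r"\CurrentVersion\Run\e1a87040f2026369a233f9ae76301b7b",
     "Details": r'"C:\Users\analyst\AppData\Roaming\server.exe" ..'},
    {"EventID": 1, "Image": r"C:\Windows\System32\netsh.exe",
     "ParentImage": r"C:\Users\analyst\AppData\Roaming\server.exe",
     "CommandLine": r'netsh firewall add allowedprogram '
                    r'"C:\Users\analyst\AppData\Roaming\server.exe" "server.exe" ENABLE'},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for idx, hits in triage(EVENTS).items():
        print(idx, hits)
```

Two of the listed behaviours are deliberately not covered here: the country-code lookup is a registry read, which Sysmon does not record, and SetThreadContext use is only visible to an API-level or memory-scanning tool, so those need a different telemetry source than this kind of event log.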
