General

  • Target

    ddec1d574a91302a216de30239fe6679bb4be6dc20a226b06b4e7e167c99805eN

  • Size

    119KB

  • Sample

    241012-1j3ajaxbmp

  • MD5

    b413e1e0fd852ab4e5d72492bfcb7190

  • SHA1

    82c379067b09f4329697e44619a0e30e6c12306d

  • SHA256

    ddec1d574a91302a216de30239fe6679bb4be6dc20a226b06b4e7e167c99805e

  • SHA512

    ce4779d3053a2c2031aa57e880de642e576bbd721ffc1b933a7518c2ecbbbbb8477496b754791f1099f634d43bcb34eba218758bfbb3af2e350180371878a6d9

  • SSDEEP

    1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMDL14FOL:P5eznsjsguGDFqGZ2rDL14FOL

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

neuf

C2

doddyfire.linkpc.net:10000

Mutex

e1a87040f2026369a233f9ae76301b7b

Attributes
  • reg_key

    e1a87040f2026369a233f9ae76301b7b

  • splitter

    |'|'|
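The C2 host, port and splitter above are what a network detection needs. As an added example (not part of the sandbox report and not the sample's own code), the following Python parses njRAT-style C2 traffic and checks a flow against the extracted config. The framing assumed here, an ASCII decimal byte length, a NUL byte, then a payload whose fields are separated by the configured splitter, follows public njRAT 0.7d analyses and is an assumption; the capture bytes, victim fields and command names in SAMPLE_CAPTURE are constructed for the example, not real traffic from this sample.

```python
"""Parse njRAT-style C2 messages and match flows against the extracted config.

Added example, not part of the sandbox report. Framing and field layout are
assumptions taken from public njRAT 0.7d analyses; the capture is constructed.
"""
from dataclasses import dataclass

# Values taken from the report's "Malware Config" section.
CONFIG = {
    "family": "njrat",
    "version": "0.7d",
    "botnet": "neuf",
    "c2_host": "doddyfire.linkpc.net",
    "c2_port": 10000,
    "mutex": "e1a87040f2026369a233f9ae76301b7b",
    "reg_key": "e1a87040f2026369a233f9ae76301b7b",
    "splitter": "|'|'|",
}


@dataclass
class NjratMessage:
    command: str        # first field of the payload, e.g. "ll" or "P"
    fields: list[str]   # remaining fields, already split on the splitter
    raw: bytes          # the undecoded payload


def frame(payload: bytes) -> bytes:
    """Encode one message with the assumed length-prefix framing: "<len>\\x00<payload>"."""
    return str(len(payload)).encode() + b"\x00" + payload


def parse_stream(data: bytes, splitter: str) -> tuple[list[NjratMessage], bytes]:
    """Split a TCP byte stream into njRAT messages.

    Returns the complete messages and any trailing partial message, so the
    remainder can be prepended to the next segment and parsed again.
    The length prefix is read up to the first NUL after the current offset;
    this assumes payloads of the text commands themselves contain no NUL.
    """
    msgs: list[NjratMessage] = []
    sep = splitter.encode()
    pos = 0
    while pos < len(data):
        nul = data.find(b"\x00", pos)
        if nul == -1:
            break  # length prefix not complete yet
        length_txt = data[pos:nul]
        if not length_txt.isdigit():
            raise ValueError(f"bad length prefix at offset {pos}: {length_txt!r}")
        start = nul + 1
        end = start + int(length_txt)
        if end > len(data):
            break  # payload not complete yet
        payload = data[start:end]
        parts = payload.split(sep)
        msgs.append(NjratMessage(
            command=parts[0].decode("latin-1"),
            fields=[p.decode("latin-1") for p in parts[1:]],
            raw=payload,
        ))
        pos = end
    return msgs, data[pos:]


def matches_c2(dst_host: str, dst_port: int, config: dict = CONFIG) -> bool:
    """True when a flow's destination is the configured C2 (case- and trailing-dot-insensitive)."""
    return dst_host.lower().rstrip(".") == config["c2_host"] and dst_port == config["c2_port"]


SPLIT = CONFIG["splitter"].encode()

# Constructed capture (not real traffic): a registration-style message, a
# one-byte keepalive, and a third message that is still in flight. The third
# message claims 12 payload bytes but only 8 have arrived, so it must be kept
# as a remainder rather than parsed.
SAMPLE_CAPTURE = (
    frame(SPLIT.join([b"ll", b"HacKed_0123ABCD", b"DESKTOP-TEST", b"analyst",
                      b"24-10-12", b"", b"Win 10 Pro", b"No", b"0.7d"]))
    + frame(b"P")
    + b"12\x00ret" + SPLIT
)


if __name__ == "__main__":
    msgs, rest = parse_stream(SAMPLE_CAPTURE, CONFIG["splitter"])
    for m in msgs:
        print(m.command, m.fields)
    print("remainder:", rest)
    print("c2 match:", matches_c2("doddyfire.linkpc.net", 10000))
```

The splitter is matched as a literal byte string rather than a regex, because `|'|'|` contains regex metacharacters; the parser also keeps whatever is left over after the last complete message so a reassembled stream can be fed in segment by segment.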

Targets

    • Target

      ddec1d574a91302a216de30239fe6679bb4be6dc20a226b06b4e7e167c99805eN

    • Size

      119KB

    • MD5

      b413e1e0fd852ab4e5d72492bfcb7190

    • SHA1

      82c379067b09f4329697e44619a0e30e6c12306d

    • SHA256

      ddec1d574a91302a216de30239fe6679bb4be6dc20a226b06b4e7e167c99805e

    • SHA512

      ce4779d3053a2c2031aa57e880de642e576bbd721ffc1b933a7518c2ecbbbbb8477496b754791f1099f634d43bcb34eba218758bfbb3af2e350180371878a6d9

    • SSDEEP

      1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMDL14FOL:P5eznsjsguGDFqGZ2rDL14FOL

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing (deciding whether to run based on the victim's configured region).

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
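The behaviours listed above (Run key added, Windows Firewall modified, a dropped EXE executed) are the ones a host-side detection can key on; SetThreadContext use is not visible in standard process or registry telemetry and is left out. As an added example (not part of the sandbox report), the following Python runs those checks over Sysmon-style events. The field names follow Sysmon's schema (EventID 1 process creation, EventID 13 registry value set), but every event in SAMPLE_EVENTS is constructed for the example; the netsh command line is modelled on public njRAT source and is not quoted from this sample. The reg_key value is taken from the report's config, and treating it as the Run-key value name is an assumption based on public njRAT analyses.

```python
"""Detection logic for the host behaviours in the report, over constructed Sysmon-style events.

Added example, not part of the sandbox report. Events are made up; the netsh
command line is modelled on public njRAT source, not quoted from this sample.
"""
import json
import re

# reg_key from the report's Malware Config; for njRAT this is assumed (from
# public analyses) to be used as the Run-key value name as well as the mutex.
REG_KEY = "e1a87040f2026369a233f9ae76301b7b"

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\([^\\]+)$", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|Users\\[^\\]+\\Downloads)\\", re.IGNORECASE)
FIREWALL_RE = re.compile(
    r"\bfirewall\s+add\s+allowedprogram\b|\badvfirewall\s+firewall\s+add\s+rule\b",
    re.IGNORECASE,
)


def check_event(ev: dict) -> list[tuple[str, str]]:
    """Return (rule_name, detail) hits for one Sysmon-style event dict."""
    hits: list[tuple[str, str]] = []
    eid = ev.get("EventID")
    if eid == 13:  # registry value set
        m = RUN_KEY_RE.search(ev.get("TargetObject", ""))
        if m:
            value_name = m.group(1)
            details = ev.get("Details", "")
            if value_name.lower() == REG_KEY:
                hits.append(("njrat_run_key", f"Run value name equals configured reg_key {REG_KEY}"))
            elif USER_WRITABLE_RE.search(details):
                hits.append(("run_key_user_writable", f"Run value {value_name} -> {details}"))
    elif eid == 1:  # process creation
        image = ev.get("Image", "")
        parent = ev.get("ParentImage", "")
        cmd = ev.get("CommandLine", "")
        if image.lower().endswith("\\netsh.exe") and FIREWALL_RE.search(cmd):
            hits.append(("firewall_allow_rule", cmd))
        # "Executes dropped EXE": a binary in a user-writable path spawned by
        # another binary in a user-writable path (the dropper).
        if USER_WRITABLE_RE.search(image) and parent and USER_WRITABLE_RE.search(parent):
            hits.append(("dropped_exe_exec", f"{parent} -> {image}"))
    return hits


def scan(lines) -> list[tuple[str, str]]:
    """Run check_event over JSON lines, skipping blank lines."""
    out: list[tuple[str, str]] = []
    for line in lines:
        line = line.strip()
        if line:
            out.extend(check_event(json.loads(line)))
    return out


# Constructed events, in the order a dropper -> payload -> persistence -> firewall
# chain would produce them, plus a benign Run value that must not fire.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\analyst\Downloads\invoice.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": r"C:\Users\analyst\Downloads\invoice.exe"},
    {"EventID": 1, "Image": r"C:\Users\analyst\AppData\Local\Temp\svchost.exe",
     "ParentImage": r"C:\Users\analyst\Downloads\invoice.exe",
     "CommandLine": r"C:\Users\analyst\AppData\Local\Temp\svchost.exe"},
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\e1a87040f2026369a233f9ae76301b7b",
     "Details": r'"C:\Users\analyst\AppData\Local\Temp\svchost.exe"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\netsh.exe",
     "ParentImage": r"C:\Users\analyst\AppData\Local\Temp\svchost.exe",
     "CommandLine": r'netsh firewall add allowedprogram "C:\Users\analyst\AppData\Local\Temp\svchost.exe" "svchost.exe" ENABLE'},
    {"EventID": 13,
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "Details": r'"C:\Program Files\Vendor\agent.exe"'},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)


if __name__ == "__main__":
    for rule, detail in scan(SAMPLE_LOG.splitlines()):
        print(f"{rule:24} {detail}")
```

The reg_key rule is exact to this sample; the other two rules are generic to the behaviours the report lists and will also fire on other droppers, so they are worth keeping in a hunt even after this sample's config is rotated. The user-writable-path rule will flag legitimate per-user installers that persist from AppData, so it is a triage signal rather than a block rule.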

MITRE ATT&CK Enterprise v15

Tasks