General

  • Target

    c7752cdba78cce9bb84f8e38fc60ca538900cbf8ab8bb3544348cb866e3936fa

  • Size

    113KB

  • Sample

    241016-fstpjayarq

  • MD5

    36f737a796c046bcb5181a78f31624a0

  • SHA1

    d686e9d59ea498d21a593abd4019223f4613564b

  • SHA256

    c7752cdba78cce9bb84f8e38fc60ca538900cbf8ab8bb3544348cb866e3936fa

  • SHA512

    435e8b30d93b04ba44edf0dc289cdc0d497b8345fc331d65447a151c8323947b4172ee40a7ac754767166a78500f3b556877a85c1fe24710351cccec5f16680f

  • SSDEEP

    1536:orp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4xtKegoxmOBh73vi:w5eznsjsguGDFqGx8egoxmO3rvi

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

neuf

C2

doddyfire.linkpc.net:10000

Mutex

e1a87040f2026369a233f9ae76301b7b

Attributes
  • reg_key

    e1a87040f2026369a233f9ae76301b7b

  • splitter

    |'|'|
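How the C2 and splitter values above show up on the wire, as an added example that is not part of this report or of the sandbox's config extractor: njRAT frames each C2 message as a decimal length, a NUL byte and the payload, and joins the payload's fields with the configured splitter (|'|'| for this sample). The framing, the command words and the layout of the registration beacon (the "ll" frame whose second field is base64 of "<botnet>_<volume serial>") are taken from public write-ups of njRAT 0.7d, not from this report, so treat them as assumptions. The sample traffic is constructed, not captured.

```python
"""Parse njRAT-style C2 framing from a raw TCP byte stream.

Added example; not part of the sandbox report or of its config extractor.
Assumptions (from public njRAT 0.7d write-ups, not confirmed by this report):
  * each message is "<decimal length>\\x00<payload>",
  * payload fields are joined with the configured splitter (|'|'| here),
  * the registration beacon starts with "ll" and its second field is
    base64("<botnet name>_<volume serial>").
"""
from __future__ import annotations

import base64

SPLITTER = b"|'|'|"                                  # "splitter" from the extracted config
C2 = ("doddyfire.linkpc.net", 10000)                  # "C2" from the extracted config

# Command words seen at the start of njRAT frames in public analyses (assumption).
KNOWN_CMDS = {b"ll", b"inf", b"act", b"ret", b"un", b"kl", b"CAP"}


def build_frame(*fields: bytes) -> bytes:
    """Encode one frame the way the client does: length, NUL, splitter-joined fields."""
    payload = SPLITTER.join(fields)
    return str(len(payload)).encode() + b"\x00" + payload


def split_frames(stream: bytes) -> tuple[list[bytes], bytes]:
    """Cut complete payloads out of a byte stream.

    Returns (payloads, leftover). The leftover is a partial trailing frame that the
    caller should keep and prepend to the next TCP segment.
    """
    payloads: list[bytes] = []
    pos = 0
    while pos < len(stream):
        nul = stream.find(b"\x00", pos)
        if nul == -1:
            break                                     # length prefix not complete yet
        length_field = stream[pos:nul]
        if not length_field.isdigit():
            raise ValueError(f"not njRAT framing at offset {pos}: {length_field!r}")
        end = nul + 1 + int(length_field)
        if end > len(stream):
            break                                     # payload not complete yet
        payloads.append(stream[nul + 1:end])
        pos = end
    return payloads, stream[pos:]


def parse_payload(payload: bytes) -> dict:
    """Split one payload on the splitter and decode the registration beacon."""
    fields = payload.split(SPLITTER)
    cmd = fields[0]
    rec = {
        "cmd": cmd.decode("latin-1"),
        "fields": [f.decode("latin-1") for f in fields[1:]],
        "known_cmd": cmd in KNOWN_CMDS,
    }
    if cmd == b"ll" and len(fields) > 1:
        try:
            victim = base64.b64decode(fields[1], validate=True).decode("latin-1")
            botnet, _, hwid = victim.partition("_")
            rec["botnet"], rec["hwid"] = botnet, hwid
        except ValueError:                            # binascii.Error is a ValueError
            rec["botnet"] = rec["hwid"] = None
    return rec


def analyze_stream(stream: bytes) -> tuple[list[dict], bytes]:
    """Parse every complete frame in the stream; return records and unparsed tail."""
    payloads, leftover = split_frames(stream)
    return [parse_payload(p) for p in payloads], leftover


def looks_like_njrat(records: list[dict]) -> bool:
    """Hunting verdict: a decodable registration beacon, or two frames with known commands."""
    if any(r["cmd"] == "ll" and r.get("botnet") for r in records):
        return True
    return sum(r["known_cmd"] for r in records) >= 2


# Constructed sample traffic (not a real capture): a registration beacon for the
# botnet name in the config, an active-window update, and a third frame cut off
# mid-segment to show that buffering works.
SAMPLE_STREAM = (
    build_frame(b"ll", base64.b64encode(b"neuf_5A3B1C2D"), b"DESKTOP-TEST", b"user",
                b"24-10-16", b"Win 10 Pro SP0 x64", b"No", b"0.7d", b"..",
                base64.b64encode(b"Program Manager"))
    + build_frame(b"act", base64.b64encode(b"Notepad"))
    + b"40\x00inf" + SPLITTER                          # 8 of 40 bytes received so far
)

if __name__ == "__main__":
    records, leftover = analyze_stream(SAMPLE_STREAM)
    for r in records:
        print(r["cmd"], r.get("botnet", "-"), r["fields"][:4])
    print("njRAT:", looks_like_njrat(records), "| buffered:", leftover, "| C2:", C2)
```

Feed `analyze_stream` the reassembled client-to-server bytes of a flow to the C2 host and port above; carry the returned leftover into the next call, since a beacon can straddle TCP segments. A stream with no NUL-terminated decimal prefix yields no records, and a prefix that is not all digits raises, which is the quickest way to rule out a false hit on other plaintext protocols.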

Targets

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up the country code configured in the registry; likely used as a geofence check before running.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
