General

  • Target

    de7ba0f8b28acfe56cf78d7f43fe79ea3732ae90576f509a05887514ff43b62fN

  • Size

    113KB

  • Sample

    241111-zmv5yswdpl

  • MD5

    4a2a45fc248cfab87d9f10b39f2c3aa0

  • SHA1

    fc73fd8132452cc78056ec42d45fce47e4038e61

  • SHA256

    de7ba0f8b28acfe56cf78d7f43fe79ea3732ae90576f509a05887514ff43b62f

  • SHA512

    ef8fb5de5bd4f9054032adf4aeaa83144a1dec459759bba078b1a5ad08eca98621f96239f22455cc76f305d09805b3ba696165ecbe39bc962713c45fc457e94f

  • SSDEEP

    1536:orp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4xtKegoxmOBh73Rn:w5eznsjsguGDFqGx8egoxmO3rRn

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

neuf

C2

doddyfire.linkpc.net:10000

Mutex

e1a87040f2026369a233f9ae76301b7b

Attributes

  • reg_key

    e1a87040f2026369a233f9ae76301b7b

  • splitter

    |'|'|

Targets

    • Njrat family

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks