General

  • Target

    54460c57ab063459de62d2337c0aa36096a3f840d0aa13bc1982ca0a642cf6fcN.exe

  • Size

    114KB

  • Sample

    241207-3e72bszlgy

  • MD5

    714662affd90e85ce2679cfa5b351510

  • SHA1

    d5a58f16a7ef7f8b7e917a49e255aa6f4db656f8

  • SHA256

    54460c57ab063459de62d2337c0aa36096a3f840d0aa13bc1982ca0a642cf6fc

  • SHA512

    7162731cdf522c7a891060a5646c5e2c0b17acc07280cfe44b941c35047aae31c3c81cd8889b84651c9fbaf51bee5d8807e51c99ae4ede7c687fb897f1dc1ca1

  • SSDEEP

    1536:orp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4xtKegoxmOBh73Rmk:w5eznsjsguGDFqGx8egoxmO3rRmk

Malware Config

Extracted

  • Family

    njrat

  • Version

    0.7d

  • Botnet

    neuf

  • C2

    doddyfire.linkpc.net:10000

  • Mutex

    e1a87040f2026369a233f9ae76301b7b

  • Attributes

    • reg_key

      e1a87040f2026369a233f9ae76301b7b

    • splitter

      |'|'|

Targets

    • Target

      54460c57ab063459de62d2337c0aa36096a3f840d0aa13bc1982ca0a642cf6fcN.exe

    • Njrat family

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks