General

  • Target: 9e40eaec1f0cc499b956aaeea8855b41fca2ca046427fd46161492565ba16511N.exe
  • Size: 114KB
  • Sample: 241216-hcxscszmdn
  • MD5: d0d346fa85a66e68c2abe1cd76a3a500
  • SHA1: be68263951fe0464a90963145a932a17b7e251bd
  • SHA256: 9e40eaec1f0cc499b956aaeea8855b41fca2ca046427fd46161492565ba16511
  • SHA512: c78a94a7ae2455ed9841baa511b4c973f025c04b540e1a372fcc1f0fd41856a5defb355d0bfd1c79c40f76713644f9c336f926869c058105e9f39bf0f4aad0ff
  • SSDEEP: 1536:orp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4xtKegoxmOBh73RmW:w5eznsjsguGDFqGx8egoxmO3rRmW

Malware Config

Extracted

  • Family: njrat
  • Version: 0.7d
  • Botnet: neuf
  • C2: doddyfire.linkpc.net:10000
  • Mutex: e1a87040f2026369a233f9ae76301b7b
  • Attributes
      • reg_key: e1a87040f2026369a233f9ae76301b7b
      • splitter: |'|'|

Targets

    • Target: 9e40eaec1f0cc499b956aaeea8855b41fca2ca046427fd46161492565ba16511N.exe

    • Njrat family
    • njRAT/Bladabindi: widely used RAT written in .NET.
    • Modifies Windows Firewall
    • Checks computer location settings: looks up the country code configured in the registry, likely used as a geofence.
    • Executes dropped EXE
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
