General

  • Target

    368cabdf1fc0e857feeacb1d64383965734622a5d9a21cecbb54682ea50114bd

  • Size

    119KB

  • Sample

    241222-z94evaznam

  • MD5

    97f7e589999872e0847d256b24acc848

  • SHA1

    23463d7f8075dff1047f776f80c989f1f435df42

  • SHA256

    368cabdf1fc0e857feeacb1d64383965734622a5d9a21cecbb54682ea50114bd

  • SHA512

    fcb53a14a43cb9be8b8d8fd46faf6fed074c57106aef0c590efdc1edba5e20a84a63045eb8c612d1e440f7ca6a6fac7f4cd84010bba8ed4ce9a11384ba821185

  • SSDEEP

    1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMDLVg+:P5eznsjsguGDFqGZ2rDLT

Malware Config

Extracted

  • Family

    njrat

  • Version

    0.7d

  • Botnet

    neuf

  • C2

    doddyfire.linkpc.net:10000

  • Mutex

    e1a87040f2026369a233f9ae76301b7b

Attributes

  • reg_key

    e1a87040f2026369a233f9ae76301b7b

  • splitter

    |'|'|

Targets

    • Njrat family

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks