General

  • Target

    sigmasoft-v1.0.exe

  • Size

    298KB

  • Sample

    240531-eh4w3sfd56

  • MD5

    83eed41cb65bfeca33d2212bb5a6a738

  • SHA1

    aa4d1f25dadf1bc9740e2f65f138ce3b0e8e0415

  • SHA256

    e3e57ed95351e74aacdeee7669be8075266d411bf32c433083c13e3dee5837a4

  • SHA512

    b56bc6969c866552e0ae97341045469fbd9870f1d25e26f65a676753f4c12cd1aba7cdc9a5973ec90b0984a867f668f6a4267388013c1508c3dea143d7ce386a

  • SSDEEP

    768:QffHJ7k/c4MbZb8YrM+rMRa8Nu5HtVaDxy+Xovnwb:QffHJgtMbKj+gRJNWixy+6w

Malware Config

Extracted

  • Family

    njrat

  • Version

    im523

  • Botnet

    RaTTeD

  • C2

    gorodpro-42772.portmap.host:42772

  • Mutex

    4b57fcdad8b55cb5e7a4c043c43d8d94

Attributes
  • reg_key

    4b57fcdad8b55cb5e7a4c043c43d8d94

  • splitter

    |'|'|

Targets

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application
