Overview

overview

10

Static

static

Reservation.vbs

windows7_x64

10

Reservation.vbs

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Reservation.vbs

  • Size

    1KB

  • Sample

    210905-z3wreshgg3

  • MD5

    d1105a626de00b3a3d248febfe9d2eab

  • SHA1

    f088bdfa3f5d251f325ff4b11b5e680425c25ba2

  • SHA256

    c61844d30e92c490359ae221d04620767e303247345e12de34f8ae43eb1cf26b

  • SHA512

    11378362541f0656af2bc775cfd4b8e23e9c9a08cd9eb8b35109f3553da2e870a9c376efd3df2039c4c8224c70ba54ff0cad0030751bdfb8641da4f639e0bc16

Score
10/10
njratbosstrojan

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://54.184.87.30/bypass.txt

Extracted

Family

njrat

Version

v4.0

Botnet

Boss

C2

103.147.184.73:7103

Mutex

Windows

Attributes
  • reg_key

    Windows

  • splitter

    |-F-|

Targets

    • Target

      Reservation.vbs

    • Size

      1KB

    • MD5

      d1105a626de00b3a3d248febfe9d2eab

    • SHA1

      f088bdfa3f5d251f325ff4b11b5e680425c25ba2

    • SHA256

      c61844d30e92c490359ae221d04620767e303247345e12de34f8ae43eb1cf26b

    • SHA512

      11378362541f0656af2bc775cfd4b8e23e9c9a08cd9eb8b35109f3553da2e870a9c376efd3df2039c4c8224c70ba54ff0cad0030751bdfb8641da4f639e0bc16

    Score
    10/10
    njratbosstrojan

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

      trojannjrat

    • Blocklisted process makes network request

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks