Overview

overview

10

Static

static

Invoice.vbs

windows7_x64

10

Invoice.vbs

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Invoice.vbs

  • Size

    2KB

  • Sample

    210907-ptgk2acee7

  • MD5

    157bd8f697377d2442ac93eda10dec94

  • SHA1

    9e5b8e8d2349aaedcc7b93fee831990b1f6b8ad6

  • SHA256

    dcd4d3f6173c2283b4ed18fcf810870db068d967b7deb0cc2bcf95db1d3fce11

  • SHA512

    d86412ba6b642759af963285815b7f9679e6cff17baa78e6e3fa6b984c80179b334ed010d587649449ee4f643d2103722fe4c4805ee7bde59ac21ab3a14ee9b7

Score
10/10
njratsuntrojan

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://54.184.87.30/sd-bypass.txt

Extracted

Family

njrat

Version

v4.0

Botnet

Sun

C2

103.153.78.241:8871

Mutex

Windows

Attributes
  • reg_key

    Windows

  • splitter

    |-F-|

Targets

    • Target

      Invoice.vbs

    • Size

      2KB

    • MD5

      157bd8f697377d2442ac93eda10dec94

    • SHA1

      9e5b8e8d2349aaedcc7b93fee831990b1f6b8ad6

    • SHA256

      dcd4d3f6173c2283b4ed18fcf810870db068d967b7deb0cc2bcf95db1d3fce11

    • SHA512

      d86412ba6b642759af963285815b7f9679e6cff17baa78e6e3fa6b984c80179b334ed010d587649449ee4f643d2103722fe4c4805ee7bde59ac21ab3a14ee9b7

    Score
    10/10
    njratsuntrojan

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

      trojannjrat

    • Blocklisted process makes network request

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks