General

  • Target

    Transaccion Aprobada.vbs

  • Size

    1KB

  • Sample

    210909-vqd9dsged5

  • MD5

    45beeab3735b33386dc605d813ab1712

  • SHA1

    9570171eb0875939b3a9fd51710422036ca968a7

  • SHA256

    4df37056407ca0353e2357399ec8f2bd7583b6d10fc5d1d4f6744b9415a1ce2f

  • SHA512

    3b7077d939301d4708a8d41d27bfe0df8e4d703d07af8882e14b02b65dfde303b13f2a428c2911fe3d1eb086e05199bb791562e490ac28092fbd6f520102335e

Score
10/10

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    ps1.dropper

    https://onedrive.live.com/download?cid=4DBCDBEA8A120146&resid=4DBCDBEA8A120146%21130&authkey=AEqY-yNYbKJY9pM

Extracted

Family

njrat

Version

0.7NC

Botnet

NYAN CAT

C2

reald27.duckdns.org:3525

Mutex

d58e514d83d54f2c

Attributes
  • reg_key

    d58e514d83d54f2c

  • splitter

    @!#&^%$

Targets

    • Target

      Transaccion Aprobada.vbs

    • Size

      1KB

    • MD5

      45beeab3735b33386dc605d813ab1712

    • SHA1

      9570171eb0875939b3a9fd51710422036ca968a7

    • SHA256

      4df37056407ca0353e2357399ec8f2bd7583b6d10fc5d1d4f6744b9415a1ce2f

    • SHA512

      3b7077d939301d4708a8d41d27bfe0df8e4d703d07af8882e14b02b65dfde303b13f2a428c2911fe3d1eb086e05199bb791562e490ac28092fbd6f520102335e

    Score
    10/10
    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Drops startup file

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Discovery

    System Information Discovery (T1082): 1

Tasks