General

  • Target

    N00FX02Invoicecopy.vbs

  • Size

    5KB

  • Sample

    210911-baqspsagb6

  • MD5

    9e0bd0f4ce191d98589957b4427cf41c

  • SHA1

    00f0cd6cbd74f0be67c4a5ccae6c5bccba40ca28

  • SHA256

    d8254110ac2d8ee1e35d89881116ae44e2542adab4b91cfbba532baa180442d9

  • SHA512

    20863c334593b5e2b476b6e548ced2c9755609be58e433028d2b4bbdb3236266d8cca9afe131ed163b753a5ea79ff581e75a3e205fc20275c513d4f8119221dd

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://52.188.147.221/Spreading/HS.txt

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

jilldoggyy.duckdns.org:7840

jilldoggyy.duckdns.org:7829

jilldoggyy.duckdns.org:7841

103.147.185.192:7840

103.147.185.192:7829

103.147.185.192:7841

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • anti_vm

    false

  • bsod

    false

  • delay

    3

  • install

    false

  • install_folder

    %AppData%

  • pastebin_config

    null

aes.plain

Extracted

Family

njrat

Version

v4.0

Botnet

HacKed

C2

20.194.35.6:8023

Mutex

Windows

Attributes
  • reg_key

    Windows

  • splitter

    |-F-|
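
The splitter reported above is the field separator of the njRAT wire protocol. As an added illustration (not code from this sample, from the Triage sandbox, or from the njRAT project), the Python below parses njRAT-style frames, which are length-prefixed as "<decimal byte length>\x00<payload>" with the payload's fields joined by a build-specific splitter; it uses the splitter and C2 reported in the extracted config and handles a stream that ends mid-frame, which is what a detector reassembling TCP segments has to cope with. The messages it feeds itself are constructed for the example, not captured from this sample, and the field layout inside the "ll" registration beacon is illustrative only.

```python
"""njRAT frame parser (added example; not code from the sample, Triage or njRAT).

njRAT frames each message as b"<decimal byte length>\\x00<payload>" and joins
the payload's fields with a build-specific splitter.  SPLITTER and C2 below
are the values reported in the extracted config; the traffic in demo() is
constructed for illustration and was not captured from the sample.
"""
from dataclasses import dataclass
from typing import List, Tuple

SPLITTER = "|-F-|"            # splitter from the extracted njRAT config
C2 = ("20.194.35.6", 8023)    # C2 from the extracted njRAT config
MAX_FRAME = 16 * 1024 * 1024  # sanity cap so a hostile length prefix cannot stall the parser


@dataclass
class Frame:
    command: str        # first field, e.g. "ll" (registration) or "inf"
    args: List[str]     # remaining fields


def build_frame(command: str, args: List[str], splitter: str = SPLITTER) -> bytes:
    """Encode one njRAT-style frame: "<len>\\x00<fields joined by splitter>"."""
    payload = splitter.join([command, *args]).encode("utf-8")
    return str(len(payload)).encode("ascii") + b"\x00" + payload


def parse_stream(data: bytes, splitter: str = SPLITTER) -> Tuple[List[Frame], bytes]:
    """Split a byte stream into complete frames.

    Returns (frames, leftover).  `leftover` holds a trailing partial frame so
    the caller can prepend the next TCP segment and call again.  A malformed
    length prefix raises ValueError rather than silently resynchronising.
    """
    frames: List[Frame] = []
    pos = 0
    while pos < len(data):
        nul = data.find(b"\x00", pos)
        if nul == -1:
            break                                   # length prefix not complete yet
        length_field = data[pos:nul]
        if not length_field.isdigit() or len(length_field) > 10:
            raise ValueError(f"bad length prefix at offset {pos}: {length_field!r}")
        length = int(length_field)
        if length > MAX_FRAME:
            raise ValueError(f"frame length {length} exceeds cap")
        start, end = nul + 1, nul + 1 + length
        if end > len(data):
            break                                   # payload not complete yet
        fields = data[start:end].decode("utf-8", errors="replace").split(splitter)
        frames.append(Frame(command=fields[0], args=fields[1:]))
        pos = end
    return frames, data[pos:]


def demo() -> List[Frame]:
    """Constructed traffic: a registration beacon, a short command, and a cut-off frame.

    "HacKed" is the botnet name from the extracted config; the victim-ID layout
    after it is illustrative only.
    """
    segment1 = build_frame("ll", ["HacKed_0123ABCD", "VICTIM-PC", "user"])
    segment2 = build_frame("inf", [])
    stream = segment1 + segment2 + b"12\x00inf|-F-"   # last frame truncated mid-payload
    frames, leftover = parse_stream(stream)
    assert leftover == b"12\x00inf|-F-"               # partial frame is handed back intact
    return frames


if __name__ == "__main__":
    for f in demo():
        print(f.command, f.args)
```

Matching on the splitter plus the length-prefix framing is more robust than matching on the C2 address alone, since the operator can move the controller to a new host or port without rebuilding the client, whereas the splitter is baked into the build.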

Targets

    • Target

      N00FX02Invoicecopy.vbs

    • Size

      5KB

    • MD5

      9e0bd0f4ce191d98589957b4427cf41c

    • SHA1

      00f0cd6cbd74f0be67c4a5ccae6c5bccba40ca28

    • SHA256

      d8254110ac2d8ee1e35d89881116ae44e2542adab4b91cfbba532baa180442d9

    • SHA512

      20863c334593b5e2b476b6e548ced2c9755609be58e433028d2b4bbdb3236266d8cca9afe131ed163b753a5ea79ff581e75a3e205fc20275c513d4f8119221dd

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers.

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Async RAT payload

    • Blocklisted process makes network request

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tactic

Discovery

Technique

System Information Discovery (T1082)

Matching signatures

1

Tasks