Zona de Pago.vbs

General

Target: Zona de Pago.vbs
Size: 162KB
Sample: 210915-kdlgtsacc3
Score: 10/10
MD5: df165c37e5339e9a1a720e593d8f2eb1
SHA1: 29f8959f9934a0a4f64bbdb3dbaa878334814fc4
SHA256: 282b7e31f3fff63d2f713d0841e75e52294bb6601454e78bfd9285839ec4a34a
SHA512: 277043fe7d52b876d3c8e04d0ae76f232a6e64774aeb89399c1e47952e82c65814e9004a0dcf1a824ca45ce52a05619b33fc7bcb9e33e740ecb83cc20b12b447

Malware Config

Extracted

Language: ps1
Deobfuscated
URLs (ps1.dropper):

https://onedrive.live.com/download?cid=4DBCDBEA8A120146&resid=4DBCDBEA8A120146%21150&authkey=AKfJKvTWpXPaOuE

Extracted

Family: njrat
Version: 0.7NC
Botnet: NYAN CAT
C2: reald27.duckdns.org:3525

Attributes
reg_key: f45dd4eb26
splitter: @!#&^%$
Signatures

  • njRAT/Bladabindi

    Description: Widely used RAT written in .NET.

  • Blocklisted process makes network request

  • Downloads MZ/PE file

  • Executes dropped EXE

  • Drops startup file

  • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Collection, Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation

Tasks

static1

behavioral1: 10/10

behavioral2: 10/10