General

  • Target

    Documentacion.PDF.vbs

  • Size

    162KB

  • Sample

    210915-pzmdgadgcm

  • MD5

    16dd6afc5e63f4edc4f35fd1176e63bd

  • SHA1

    d64a9461b703119695e76f880832924d487a648a

  • SHA256

    c34173dfa5a1a842bb14ef1fddd8f15b0998577740469b6987d138e165786994

  • SHA512

    3e2abe804b90ec51e1a7fb4145a0b11304e3d279c13cc3f65380721c079fb1b9711bb491e92b5e95c6ca957aeb7bfed9b33b030c094a1dcc3d4ebcab577b8df3

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    ps1.dropper: https://onedrive.live.com/download?cid=4DBCDBEA8A120146&resid=4DBCDBEA8A120146%21152&authkey=AP1AB-SxiNqVg04

Extracted

  • Family

    njrat

  • Version

    0.7NC

  • Botnet

    NYAN CAT

  • C2

    pedrobedoya2021.duckdns.org:1980

  • Mutex

    cf13c225ff474d45b

  • Attributes

      • reg_key

        cf13c225ff474d45b

      • splitter

        @!#&^%$

Targets

    • Target

      Documentacion.PDF.vbs

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Drops startup file

    • Suspicious use of SetThreadContext