General

  • Target

    Payment On Account.vbs

  • Size

    3KB

  • Sample

    210916-mrq1kscgg9

  • MD5

    48f019f8bdb3fce7e44649974ab2330f

  • SHA1

    25ce8749a17bf094e49673141032aa7b4e3893cb

  • SHA256

    982d8d494fe7ddecd60b8237affaf2da1399122099dae6b615bb9b6904ba0379

  • SHA512

    0387aee4aa180441e42fcbc35d46e16e889706a57be37e8b59f595efa8895b2b096e47738bcd626c0b4d8a9df942edf3162dbbd7f26315d5f5a47081c3c47480

Malware Config

Extracted

Language

ps1 (deobfuscated)

URLs

exe.dropper

http://54.184.87.30/Server.txt

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

103.147.184.73:8319

Mutex

98d5ec0a408febb60524eab801ba601c

Attributes
  • reg_key

    98d5ec0a408febb60524eab801ba601c

  • splitter

    |'|'|
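Added example, not part of the sandbox report: it flattens the extracted njRAT config above into hunt-ready host and network indicators, then checks raw TCP payloads for njRAT's message framing (a decimal body length, a NUL byte, then the body) together with the configured |'|'| field splitter, which is what most network signatures for this family key on. The framing is njRAT's known wire format from public analyses, not something this report states; the sample payloads are constructed for the demo and the field order inside the "ll" registration message is illustrative only.

```python
"""Turn the extracted njRAT config into IOCs and detect njRAT-framed payloads."""
import re

# Values copied from the "Malware Config" section of the report.
CONFIG = {
    "family": "njrat",
    "version": "0.7d",
    "botnet": "HacKed",
    "c2": "103.147.184.73:8319",
    "mutex": "98d5ec0a408febb60524eab801ba601c",
    "reg_key": "98d5ec0a408febb60524eab801ba601c",
    "splitter": "|'|'|",
    "dropper_url": "http://54.184.87.30/Server.txt",
}


def iocs_from_config(cfg: dict) -> dict:
    """Flatten the extracted config into indicators a hunt can consume."""
    host, port = cfg["c2"].rsplit(":", 1)
    return {
        "c2_host": host,
        "c2_port": int(port),
        "dropper_url": cfg["dropper_url"],
        # The report lists the same string as mutex name and Run-key value
        # name, so one string covers both the mutex and the registry check.
        "mutex": cfg["mutex"],
        "run_key_value": cfg["reg_key"],
    }


# njRAT prefixes every message with its body length in ASCII digits and a NUL
# (assumption based on public njRAT analyses; not stated in the report).
FRAME_RE = re.compile(rb"^(\d+)\x00")


def parse_njrat_frame(payload: bytes, splitter: str = CONFIG["splitter"]):
    """Return (command, fields) for a well-formed njRAT message, else None.

    A hit requires all three: the length prefix, a body whose length matches
    it, and at least one occurrence of the configured splitter in the body.
    """
    m = FRAME_RE.match(payload)
    if m is None:
        return None
    body = payload[m.end():]
    if len(body) != int(m.group(1)):
        return None
    sep = splitter.encode()
    if sep not in body:
        return None
    parts = [p.decode("utf-8", errors="replace") for p in body.split(sep)]
    return parts[0], parts[1:]


def find_beacons(payloads, splitter: str = CONFIG["splitter"]):
    """Indexes of payloads that parse as njRAT messages."""
    return [i for i, p in enumerate(payloads)
            if parse_njrat_frame(p, splitter) is not None]


# Constructed sample payloads (not traffic captured from this sample). The first
# mimics njRAT's "ll" registration command; its field order is illustrative.
SAMPLE_PAYLOADS = [
    b"35\x00ll|'|'|HacKed|'|'|WIN-HOST|'|'|user",                # well-formed njRAT frame
    b"GET /Server.txt HTTP/1.1\r\nHost: 54.184.87.30\r\n\r\n",   # dropper fetch, not njRAT
    b"99\x00ll|'|'|HacKed",                                      # splitter present, bad length
    b"13\x00just-a-string",                                      # framed, no splitter
]

if __name__ == "__main__":
    print(iocs_from_config(CONFIG))
    for i in find_beacons(SAMPLE_PAYLOADS):
        print(i, parse_njrat_frame(SAMPLE_PAYLOADS[i]))
```

Requiring the length prefix to match the body keeps the splitter check from firing on any text that happens to contain |'|'|; the C2 host and port from iocs_from_config are what to pivot on in flow logs, while the mutex and Run-key value name are the host-side checks.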

Targets

    • Target

      Payment On Account.vbs


    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Blocklisted process makes network request

      A process on the sandbox blocklist opened a network connection; this is consistent with the ps1 dropper stage fetching http://54.184.87.30/Server.txt (see Malware Config above).

    • Modifies Windows Firewall

      Consistent with njRAT's habit of registering its own executable as an allowed program so the C2 connection is not blocked.

    • Suspicious use of SetThreadContext

      SetThreadContext on a suspended process is typically seen when a loader injects its payload into another process (process hollowing) rather than running it from disk.

MITRE ATT&CK Matrix (ATT&CK v6)

Persistence

Modify Existing Service (T1031), 1 hit. T1031 is a v6 identifier; later ATT&CK versions fold it into T1543.003 (Create or Modify System Process: Windows Service).

Discovery

System Information Discovery (T1082), 1 hit.
