General

  • Target

    Reservation.vbs

  • Size

    7KB

  • Sample

    210919-r2e4aacba2

  • MD5

    ec9f108d335607135782af17ab903592

  • SHA1

    8587a5bb04991cf200922d0a9dbd8e12a8f5691f

  • SHA256

    20031bbf53fc23ccbcc482f37c73975ffe6187151e49939f924b468ab566c73c

  • SHA512

    6a0e16d81fa2394780b099ca3d4b2ac3d609d93fb5b9bc5af759ce1004d17ac922ffb2b749c75c1b869ad0451b96185747da03b336caf5ff13ae1a9e844d797b

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated URLs

    exe.dropper: http://13.112.210.240/njbypass.txt

Extracted

  • Family

    njrat

  • Version

    0.7d

  • Botnet

    HacKed

  • C2

    103.156.92.140:5489

  • Mutex

    b9bcbd71b3095eaa1d613e7db66ba013

  • Attributes

    reg_key: b9bcbd71b3095eaa1d613e7db66ba013

    splitter: |'|'|

Targets

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Blocklisted process makes network request

    • Modifies Windows Firewall

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    Modify Existing Service (T1031): 1

  • Discovery

    System Information Discovery (T1082): 1
