Reservation.vbs

General

Target: Reservation.vbs
Size: 7KB
Sample: 210919-r2e4aacba2
Score: 10/10
MD5: ec9f108d335607135782af17ab903592
SHA1: 8587a5bb04991cf200922d0a9dbd8e12a8f5691f
SHA256: 20031bbf53fc23ccbcc482f37c73975ffe6187151e49939f924b468ab566c73c
SHA512: 6a0e16d81fa2394780b099ca3d4b2ac3d609d93fb5b9bc5af759ce1004d17ac922ffb2b749c75c1b869ad0451b96185747da03b336caf5ff13ae1a9e844d797b

Malware Config

Extracted

Language: ps1
Deobfuscated
URLs
exe.dropper: http://13.112.210.240/njbypass.txt

Extracted

Family: njrat
Version: 0.7d
Botnet: HacKed
C2: 103.156.92.140:5489
Attributes
reg_key: b9bcbd71b3095eaa1d613e7db66ba013
splitter: |'|'|

Targets
Target: Reservation.vbs

Signatures

  • njRAT/Bladabindi: Widely used RAT written in .NET.

  • Blocklisted process makes network request

  • Modifies Windows Firewall (TTPs: Modify Existing Service)

  • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Collection, Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Privilege Escalation

Tasks

static1
behavioral1: 10/10
behavioral2: 10/10