General

  • Target

    INTERAC PAYMENT.vbs

  • Size

    7KB

  • Sample

    210920-w2ly2sehg9

  • MD5

    f3bc5f7625cfb7d4f44f784561b05faf

  • SHA1

    8831e8de10c1365cbc23bf50b96b6292fd09af29

  • SHA256

    9b08fe9109b0e4b68f52624894d0ea9261f4a434f07d022f2d2b2d7c12877460

  • SHA512

    cd5a57d361c02aeda535d19461798d9b5779f94e17aa12cc2ee9db4ba1605a8ce8fe04dcf4a1bee312261902a7c2bb579cc916f98576d679ded10a6c64807665

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs
  • exe.dropper

    http://13.112.210.240/NJNJNJNJbypass.txt

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

103.156.92.140:5489

Mutex

b9bcbd71b3095eaa1d613e7db66ba013

Attributes
  • reg_key

    b9bcbd71b3095eaa1d613e7db66ba013

  • splitter

    |'|'|
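The extracted configuration above (C2 socket, mutex/reg_key, splitter, dropper URL) is enough to write detection content without unpacking the sample again. The following is an added example, not code from the sandbox report or from njRAT itself. It turns the config into a Suricata rule pair and a YARA rule, and parses njRAT-style C2 traffic. One assumption is labelled: njRAT 0.7x frames each message as an ASCII decimal length, a NUL byte, then the payload, with fields joined by the configured splitter; that framing is described in public analyses of the family but has not been checked against this sample, and SAMPLE_STREAM is constructed rather than captured.

```python
"""Added example (not the sandbox's or njRAT's code): detection content and a
C2 framing parser built from the njRAT config extracted above.

Assumption (labelled): njRAT frames each message as b"<len>\\x00<payload>",
<len> being the decimal byte length of <payload>, with fields joined by the
configured splitter. SAMPLE_STREAM below is constructed, not captured.
"""
from typing import List
from urllib.parse import urlparse

# Values copied from the extracted config on this page.
CONFIG = {
    "family": "njrat",
    "version": "0.7d",
    "botnet": "HacKed",
    "c2_host": "103.156.92.140",
    "c2_port": 5489,
    "mutex": "b9bcbd71b3095eaa1d613e7db66ba013",
    "splitter": "|'|'|",
    "dropper_url": "http://13.112.210.240/NJNJNJNJbypass.txt",
}

# Constructed C2 stream: a hypothetical "ll" check-in frame, a one-byte "P"
# keepalive frame, then a truncated third frame (length 5, only 2 bytes seen).
SAMPLE_STREAM = (
    b"22\x00ll|'|'|HacKed|'|'|0.7d"
    + b"1\x00P"
    + b"5\x00ab"
)


def parse_njrat_stream(data: bytes, splitter: str) -> List[List[str]]:
    """Split a TCP payload into njRAT frames and their splitter-delimited fields.

    Complete frames are returned in order; a trailing partial frame is left
    for the next read. A non-numeric length prefix raises ValueError so the
    caller can reject data that is not njRAT framing at all.
    """
    frames: List[List[str]] = []
    sep = splitter.encode()
    pos = 0
    while pos < len(data):
        nul = data.find(b"\x00", pos)
        if nul == -1:
            break  # length prefix not complete yet
        length_bytes = data[pos:nul]
        if not length_bytes.isdigit():
            raise ValueError(f"non-numeric length prefix at offset {pos}")
        start, end = nul + 1, nul + 1 + int(length_bytes)
        if end > len(data):
            break  # partial frame, wait for more data
        payload = data[start:end]
        frames.append([f.decode("utf-8", "replace") for f in payload.split(sep)])
        pos = end
    return frames


def looks_like_njrat(data: bytes, splitter: str) -> bool:
    """True if the stream parses as frames and at least one carries the splitter."""
    try:
        frames = parse_njrat_stream(data, splitter)
    except ValueError:
        return False
    return any(len(fields) > 1 for fields in frames)


def suricata_rules(cfg: dict, base_sid: int = 9000001) -> List[str]:
    """Rules for the C2 socket and the PowerShell dropper fetch.

    SIDs are placeholders in the local range; renumber for your ruleset."""
    uri = urlparse(cfg["dropper_url"]).path
    return [
        (f'alert tcp $HOME_NET any -> {cfg["c2_host"]} {cfg["c2_port"]} '
         f'(msg:"{cfg["family"]} {cfg["version"]} C2 (botnet {cfg["botnet"]})"; '
         f'flow:to_server,established; sid:{base_sid}; rev:1;)'),
        (f'alert http $HOME_NET any -> any any '
         f'(msg:"{cfg["family"]} PowerShell dropper fetch"; flow:to_server,established; '
         f'http.uri; content:"{uri}"; sid:{base_sid + 1}; rev:1;)'),
    ]


def yara_rule(cfg: dict) -> str:
    """Host-side rule: the mutex/reg_key value is specific to this build;
    splitter plus C2 host is the weaker fallback for repacked copies."""
    return "\n".join([
        f'rule {cfg["family"]}_{cfg["botnet"]}_{cfg["mutex"][:8]}',
        "{",
        "    strings:",
        f'        $mutex = "{cfg["mutex"]}" ascii wide',
        f'        $splitter = "{cfg["splitter"]}" ascii wide',
        f'        $c2 = "{cfg["c2_host"]}" ascii wide',
        "    condition:",
        "        $mutex or ($splitter and $c2)",
        "}",
    ])


if __name__ == "__main__":
    print(parse_njrat_stream(SAMPLE_STREAM, CONFIG["splitter"]))
    print("\n".join(suricata_rules(CONFIG)))
    print(yara_rule(CONFIG))
```

The mutex and reg_key values are the same string here, so one YARA string covers both the mutex check and the Run-key name; the C2 IP and port pin the network rule to this build only, so pair it with the splitter-based stream check if the operator rotates infrastructure.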

Targets

    • Target

      INTERAC PAYMENT.vbs (7KB; hashes as listed under General)

    • njRAT/Bladabindi

      Widely used RAT written in .NET; the extracted config above identifies this build as version 0.7d.

    • Blocklisted process makes network request

      A process on the sandbox's blocklist opened a network connection. The report does not name the process, but the PowerShell dropper URL above is the expected destination for the script stage.

    • Modifies Windows Firewall

      The sample changes Windows Firewall configuration. njRAT builds commonly add their own executable as an allowed program so the outbound C2 connection is not blocked.

    • Suspicious use of SetThreadContext

      Calling SetThreadContext on another process's thread is the usual marker of process hollowing or injection: a suspended process has its execution redirected to injected code.

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    Modify Existing Service (T1031), count 1

  • Discovery

    System Information Discovery (T1082), count 1

The technique IDs follow ATT&CK v6. T1031 was deprecated in later ATT&CK versions and folded into T1543.003 (Create or Modify System Process: Windows Service), so map it before correlating with a current-version ruleset.
