General

  • Target

    REQUIREMENT.vbs

  • Size

    2KB

  • Sample

    210924-vfpx5shde8

  • MD5

    b17c7601e3b5dad7c15fde1ff075772b

  • SHA1

    a81a6b3de1470de726e4e31d143bbb5799834598

  • SHA256

    f333e20bf5157aced9fa551fb2384457e8b3b2567ee0f2ef329aad33bfa66fb2

  • SHA512

    504141a430351bc54fb02bbdf52887e0ccff1c82d8ffd967f8bd4356031c61ad920bfbee4e568a45fc43e7783f8203aeabac4292d74be5eca451cdb6edec9825

Malware Config

Extracted

Language

ps1 (deobfuscated)

URLs

http://13.112.210.240/bypass.txt (exe.dropper)

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

njpeople.duckdns.org:6745

Mutex

730f7d095684724798010fdf6a67928d

Attributes
  • reg_key

    730f7d095684724798010fdf6a67928d

  • splitter

    |'|'|

Targets

    • Target

      REQUIREMENT.vbs

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Blocklisted process makes network request

    • Modifies Windows Firewall

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    Modify Existing Service (T1031): 1

  • Discovery

    System Information Discovery (T1082): 1

Tasks