Overview

overview

10

Static

static

Receipt.vbs

windows7_x64

3

Receipt.vbs

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Receipt.vbs

  • Size

    2KB

  • Sample

    211018-ye8weafean

  • MD5

    5148319e32fa247453f35aa2ea0af0a2

  • SHA1

    69afc36ee0cf368fb248af04df99c8aa8faba731

  • SHA256

    11850e5727c8a31ca7192fc9546050442376f7b77359f7d4e971f1f823105504

  • SHA512

    313fe826b3e7497313dfd15684dd6c1e459368c294db5a9fc1b9a6b6e99af441a567cf6ba649b4a973bb67bfc6ee80dd7bc0c11d70fe58981c258b63ed63f760

Score
10/10
njratrackspacepersistencesuricatatrojan

Malware Config

Extracted

Family

njrat

Version

v4.0

Botnet

RackSPACE

C2

petrol-chem108.duckdns.org:40225

Mutex

Windows

Attributes
  • reg_key

    Windows

  • splitter

    |-F-|

Targets

    • Target

      Receipt.vbs

    • Size

      2KB

    • MD5

      5148319e32fa247453f35aa2ea0af0a2

    • SHA1

      69afc36ee0cf368fb248af04df99c8aa8faba731

    • SHA256

      11850e5727c8a31ca7192fc9546050442376f7b77359f7d4e971f1f823105504

    • SHA512

      313fe826b3e7497313dfd15684dd6c1e459368c294db5a9fc1b9a6b6e99af441a567cf6ba649b4a973bb67bfc6ee80dd7bc0c11d70fe58981c258b63ed63f760

    Score
    10/10
    njratrackspacepersistencesuricatatrojan

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

      trojannjrat

    • suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)

      suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)

      suricata

    • Blocklisted process makes network request

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks